Merge pull request #242466 from risicle/ris-fortify3-disable-various

disable `fortify3` hardening flag on various packages
2023-07-12 13:49:08 +01:00 · 2023-07-12 13:49:08 +01:00 · e2622eee41
commit e2622eee41
parent bc41da4eb9 bf5598072e
13 changed files with 42 additions and 2 deletions
--- a/pkgs/applications/audio/mympd/default.nix
+++ b/pkgs/applications/audio/mympd/default.nix
@ -51,8 +51,12 @@ stdenv.mkDerivation rec {
    # similarly here
    "-DCMAKE_INSTALL_LOCALSTATEDIR=/var/lib/mympd"
  ];
-  # See https://github.com/jcorporation/myMPD/issues/315
-  hardeningDisable = [ "strictoverflow" ];
+  hardeningDisable = [
+    # See https://github.com/jcorporation/myMPD/issues/315
+    "strictoverflow"
+    # causes redefinition of _FORTIFY_SOURCE
+    "fortify3"
+  ];

  meta = {
    homepage = "https://jcorporation.github.io/myMPD";
--- a/pkgs/applications/networking/nextcloud-client/default.nix
+++ b/pkgs/applications/networking/nextcloud-client/default.nix
@ -87,6 +87,9 @@ mkDerivation rec {
    "-DNO_SHIBBOLETH=1" # allows to compile without qtwebkit
  ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  postBuild = ''
    make doc-man
  '';
--- a/pkgs/applications/science/misc/root/5.nix
+++ b/pkgs/applications/science/misc/root/5.nix
@ -66,6 +66,9 @@ stdenv.mkDerivation rec {
    })
  ];

+  # https://github.com/root-project/root/issues/13216
+  hardeningDisable = [ "fortify3" ];
+
  preConfigure = ''
    # binutils 2.37 fixes
    fixupList=(
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@ -149,6 +149,9 @@ in
  ++ extraConfigureFlags
  ;

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  # Packages to prefix to the Apptainer/Singularity container runtime default PATH
  # Use overrideAttrs to override
  defaultPathInputs = [
--- a/pkgs/development/compilers/intel-graphics-compiler/default.nix
+++ b/pkgs/development/compilers/intel-graphics-compiler/default.nix
@ -86,6 +86,9 @@ stdenv.mkDerivation rec {
    "-DIGC_PREFERRED_LLVM_VERSION=${lib.getVersion llvm}"
  ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    homepage = "https://github.com/intel/intel-graphics-compiler";
    description = "LLVM-based compiler for OpenCL targeting Intel Gen graphics hardware";
--- a/pkgs/development/libraries/gvm-libs/default.nix
+++ b/pkgs/development/libraries/gvm-libs/default.nix
@ -60,6 +60,9 @@ stdenv.mkDerivation rec {
    "-DGVM_RUN_DIR=${placeholder "out"}/run/gvm"
  ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    description = "Libraries module for the Greenbone Vulnerability Management Solution";
    homepage = "https://github.com/greenbone/gvm-libs";
--- a/pkgs/development/libraries/linbox/default.nix
+++ b/pkgs/development/libraries/linbox/default.nix
@ -52,6 +52,9 @@ stdenv.mkDerivation rec {
    "--enable-sage"
  ];

+  # https://github.com/linbox-team/linbox/issues/304
+  hardeningDisable = [ "fortify3" ];
+
  doCheck = true;

  enableParallelBuilding = true;
--- a/pkgs/misc/beep/default.nix
+++ b/pkgs/misc/beep/default.nix
@ -16,6 +16,9 @@ stdenv.mkDerivation rec {

  makeFlags = [ "prefix=${placeholder "out"}"];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    description = "The advanced PC speaker beeper";
    homepage = "https://github.com/spkr-beep/beep";
--- a/pkgs/os-specific/linux/libevdevc/default.nix
+++ b/pkgs/os-specific/linux/libevdevc/default.nix
@ -19,6 +19,9 @@ stdenv.mkDerivation rec {

  makeFlags = [ "DESTDIR=$(out)" "LIBDIR=/lib" ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    description = "ChromiumOS libevdev. Renamed to avoid conflicts with the standard libevdev found in Linux distros";
    license = licenses.bsd3;
--- a/pkgs/servers/mqtt/nanomq/default.nix
+++ b/pkgs/servers/mqtt/nanomq/default.nix
@ -35,6 +35,9 @@ let
    };

    nativeBuildInputs = [ cmake ninja flex bison ];
+
+    # https://github.com/nanomq/idl-serial/issues/36
+    hardeningDisable = [ "fortify3" ];
  };

 in stdenv.mkDerivation (finalAttrs: {
--- a/pkgs/tools/security/hash_extender/default.nix
+++ b/pkgs/tools/security/hash_extender/default.nix
@ -16,6 +16,9 @@ stdenv.mkDerivation {
  doCheck = true;
  checkPhase = "./hash_extender --test";

+  # https://github.com/iagox86/hash_extender/issues/26
+  hardeningDisable = [ "fortify3" ];
+
  env.NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations";

  installPhase = ''
--- a/pkgs/tools/security/yubihsm-shell/default.nix
+++ b/pkgs/tools/security/yubihsm-shell/default.nix
@ -58,6 +58,9 @@ stdenv.mkDerivation rec {
    "-DDISABLE_LTO=ON"
  ];

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  meta = with lib; {
    description = "yubihsm-shell and libyubihsm";
    homepage = "https://github.com/Yubico/yubihsm-shell";
--- a/pkgs/tools/system/minijail/default.nix
+++ b/pkgs/tools/system/minijail/default.nix
@ -19,6 +19,9 @@ stdenv.mkDerivation rec {
    patchShebangs platform2_preinstall.sh
  '';

+  # causes redefinition of _FORTIFY_SOURCE
+  hardeningDisable = [ "fortify3" ];
+
  installPhase = ''
    ./platform2_preinstall.sh ${version} $out/include/chromeos