-
-
Notifications
You must be signed in to change notification settings - Fork 14.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stdenv: fix custom hardening settings when using __structuredAttrs = true;
#353142
Conversation
We should also look at the following:
(stripped the grep output for trivial stuff) |
We're only setting defaults here: I think it's OK to continue using strings here until we kill support for non-structuredAttrs (if that ever happens), right?
turns off hardening for checkPhase. Same as above, as long as we support strings, that's OK I think.
This is the line we're currently fixing.
Hmm, this will indeed break (I think). Regarding the rest: what's the suggested course of action here? These will need to be touched when structuredAttrs=true is the new default or shall we do that earlier (haven't thought about the how though). |
No, I omitted the line we are fixing already. This is exactly the same lin in a different file.
I started to look into that, but I really don't get what
I'd say we don't need to touch anything that isn't structuredAttrs=true right now. We can do that later. Many of those seem to be specific to that derivation, so not critical until that derivation becomes structured. We should still look into those two, though:
It could very well be that some go modules/packages are built with structuredAttrs on, in which case this is relevant, I think. |
And there is one more thing wrong with this check, too: if "pie" is part of a longer hardening flag, e.g. "applepie", this will do the wrong thing. So I think we should do the following for this:
This works with strings and arrays and avoids the applepie problem. |
I can't find any in nixpkgs, but we should consider still fixing it now, because some out of tree users might do so. |
… true;` Replaces / Closes NixOS#353131 A while ago `postgresql` switched to using structured attrs[1]. In the PR it was reported that this made postgresql notably slower when importing SQL dumps[2]. After a bit of debugging it turned out that the hardening was entirely missing and the following combination of settings was the culprit: hardeningEnable = [ "pie" ]; __structuredAttrs = true; I.e. the combination of custom hardening settings and structured attrs. What happened here is that internally the default and enabled hardening flags get written into `NIX_HARDENING_ENABLE`. However, the value is a list and the setting is not in the `env` section. This means that in the structured-attrs case we get something like declare -ax NIX_HARDENING_ENABLE=([0]="bindnow" [1]="format" [2]="fortify" [3]="fortify3" [4]="pic" [5]="relro" [6]="stackprotector" [7]="strictoverflow" [8]="zerocallusedregs" [9]="pie") i.e. an actual array rather than a string with all hardening flags being space-separated which is what the hardening code of the cc-wrapper expects[3]. This only happens if `hardeningEnable` or `hardeningDisable` are explicitly set by a derivation: if none of those are set, `NIX_HARDENING_ENABLE` won't be set by `stdenv.mkDerivation` and the default hardening flags are configured by the setup hook of the cc-wrapper[4]. In other words, this _only_ applies to derivations that have both custom hardening settings _and_ `__structuredAttrs = true;`. All values of `NIX_HARDENING_ENABLE` are well-known, so we don't have to worry about escaping issues. Just forcing it to a string by concatenating the list everytime solves the issue without additional issues like eval errors when inheriting `env` from a structuredAttrs derivation[5]. The price we're paying is a full rebuild. [1] NixOS#294504 [2] NixOS#294504 (comment) [3] https://github.com/NixOS/nixpkgs/blob/cf3e5d3744dc26c3498aa5dadfa0e078c632cede/pkgs/build-support/cc-wrapper/add-hardening.sh#L9 [4] https://github.com/NixOS/nixpkgs/blob/cf3e5d3744dc26c3498aa5dadfa0e078c632cede/pkgs/build-support/cc-wrapper/setup-hook.sh#L114 [5] NixOS@1e84a7f
c84bb84
to
aaeeef5
Compare
@@ -413,7 +413,7 @@ else let | |||
enableParallelChecking = attrs.enableParallelChecking or true; | |||
enableParallelInstalling = attrs.enableParallelInstalling or true; | |||
} // optionalAttrs (hardeningDisable != [] || hardeningEnable != [] || stdenv.hostPlatform.isMusl) { | |||
NIX_HARDENING_ENABLE = enabledHardeningOptions; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm confused why this seems to work without env.
. Does it?
I would have expected structuredAttrs to require passing it via env
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't non-env things also exposed as bash variables in the builder, just not into the environment?
I mean, the NIX_HARDENING_ENABLE part was seen by add-hardening.sh
before, but itw as an actual array, not a string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aren't non-env things also exposed as bash variables in the builder, just not into the environment?
Kind of an "aha" moment for me. But yeah env
= "environment variables". I had quite a misconception here. Not sure what actually.
can confirm that this PR fixes postgresql performance regression |
So, IMHO this is ready now: it has a regression test that broke for me on master and passes on this commit and seems like the least disruptive change (except for the rebuild amount of course). cc @risicle @emilazy @wolfgangwalther |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just finished rebuilding the world - LGTM.
I confirmed the test breaks on master, passes on this branch. I also played around with the test, changing stuff to confirm it works as intended.
I double checked manually, that the NIX_HARDENING_ENABLE
variable is consistently set with both structuredAttrs and without.
I am still building the 4 packages that we know of which set hardening flags manually and have structuredAttrs enabled already:
- librandombytes
- scalapack
- postgresql
- texlive
Build failures here shouldn't stop us from doing this fix, though. We'd need to fix packages, too, but we can proceed with this PR already.
Those all built fine for me. Let's ship this. |
This reminded me that I'd really love to get the faster |
Rebuilding everything is fine. I think we had a stdenv rebuild in |
Alternative to #353131
cc @emilazy @wolfgangwalther
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.