Home Explore Blog CI



nixpkgs
30th chunk of `doc/stdenv/stdenv.chapter.md`
31214f02c08cd0d60afe7210521399166a721630412a895b0000000100000db3
#### `relro` {#relro}

Adds the `-z relro` linker option. During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.

This flag can break dynamic shared object loading. For instance, the module systems of Xorg and OpenCV are incompatible with this flag. In almost all cases the `bindnow` flag must also be disabled and incompatible programs typically fail with similar errors at runtime.

#### `bindnow` {#bindnow}

Adds the `-z now` linker option. During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to `relro`). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn’t be an issue for daemons.

This flag can break dynamic shared object loading. For instance, the module systems of Xorg and PHP are incompatible with this flag. Programs incompatible with this flag often fail at runtime due to missing symbols, like:

```
intel_drv.so: undefined symbol: vgaHWFreeHWRec
```

#### `zerocallusedregs` {#zerocallusedregs}

Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.

#### `stackclashprotection` {#stackclashprotection}

This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.

### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}

The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.

#### `nostrictaliasing` {#nostrictaliasing}

This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.

#### `pie` {#pie}

This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for

  - `musl`-based package builds, except on Aarch64 and Aarch32, where there are issues.

  - Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.

Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.
Title: More Hardening Flags: relro, bindnow, zerocallusedregs, stackclashprotection, nostrictaliasing, and pie
Summary
This section describes several more hardening flags and their effects. It covers `relro` and `bindnow`, detailing how they prevent GOT overwrite attacks and their potential incompatibilities with dynamic shared object loading. It also discusses `zerocallusedregs` and `stackclashprotection`, outlining how they mitigate ROP gadgets and stack-based attacks. Finally, it explains `nostrictaliasing` and `pie`, including their purpose in preventing unsafe optimizations and enabling Address Space Layout Randomization (ASLR), respectively, and the conditions under which `pie` is enabled by default.