29th chunk of `doc/stdenv/stdenv.chapter.md`
Both parameters take a list of flags as strings. The special `"all"` flag can be passed to `hardeningDisable` to turn off all hardening. These flags can also be used as environment variables for testing or development purposes.

For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security).

Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the `NIX_DEBUG` environment variable can be used.

### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default}

The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to be packaged is incompatible.

#### `format` {#format}

Adds the `-Wformat -Wformat-security -Werror=format-security` compiler options. At present, this warns about calls to `printf` and `scanf` functions where the format string is not a string literal and there are no format arguments, as in `printf(foo);`. This may be a security hole if the format string came from untrusted input and contains `%n`.

This needs to be turned off or fixed for errors similar to:

```
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
         printf(help_message);
                            ^
cc1plus: some warnings being treated as errors
```
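The fix the error asks for, as an added example that is not part of the Nixpkgs documentation: the untrusted message becomes a `%s` argument instead of the format string itself, so `-Werror=format-security` is satisfied and any `%n` inside the message is printed literally rather than interpreted (this also keeps the message out of the writable-memory `%n` check that `fortify` enforces at run time). The function names and the sample message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Build with the flags the `format` hardening adds:
 *   cc -Wformat -Wformat-security -Werror=format-security format_fix.c
 *
 * Rejected pattern (kept only as a comment): the message is the format
 * string, so every '%' directive in it is parsed by printf.
 *
 *     int show_help_unfixed(const char *msg) { return printf(msg); }
 */

/* Fixed pattern: the message is data passed to a literal "%s" format.
 * Returns printf's character count so callers can check it. */
int show_help(const char *msg)
{
    return printf("%s", msg);
}

/* Same fix for formatting into a fixed buffer. Returns a pointer to the
 * internal buffer holding the verbatim message, or NULL if it did not fit. */
static char msgbuf[32];
const char *copied_message(const char *msg)
{
    int n = snprintf(msgbuf, sizeof msgbuf, "%s", msg);
    if (n < 0 || (size_t)n >= sizeof msgbuf)
        return NULL;
    return msgbuf;
}

int main(void)
{
    /* Constructed sample: a message containing directives. Because it is
     * passed as an argument, it is printed exactly as written. */
    const char *untrusted = "usage: 100%% sure? %n %s";
    show_help(untrusted);
    putchar('\n');
    return copied_message(untrusted) == NULL;
}
```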

#### `stackprotector` {#stackprotector}

Adds the `-fstack-protector-strong --param ssp-buffer-size=4` compiler options. This places canaries on the stack and checks them before a function returns, so that many stack buffer overwrites that could otherwise lead to code injection abort the program instead. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application).

This needs to be turned off or fixed for errors similar to:

```
bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
```

#### `fortify` {#fortify}

Adds the `-O2 -D_FORTIFY_SOURCE=2` compiler options. During code generation the compiler knows a great deal about buffer sizes (where possible), and attempts to replace unbounded buffer function calls with length-checked variants. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain `%n` are blocked at run time. If an application depends on such a format string, it will need to be worked around.

Additionally, some warnings are enabled which might trigger build failures if compiler warnings are treated as errors in the package build. In this case, set `env.NIX_CFLAGS_COMPILE` to `-Wno-error=warning-type`.

This needs to be turned off or fixed for errors similar to:

```
malloc.c:404:15: error: return type is an incomplete type
malloc.c:410:19: error: storage size of 'ms' isn't known

strdup.h:22:1: error: expected identifier or '(' before '__extension__'

strsep.c:65:23: error: register name not specified for 'delim'

installwatch.c:3751:5: error: conflicting types for '__open_2'

fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
```

Disabling `fortify` also disables `fortify3`.

#### `fortify3` {#fortify3}

Adds the `-O2 -D_FORTIFY_SOURCE=3` compiler options. This expands the cases that can be protected by fortify-checks to include some situations with dynamic-length buffers whose length can be inferred at runtime using compiler hints.
