diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
index 80059a78733c..bf8048a3a789 100644
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -1568,6 +1568,10 @@ This flag adds the `-fstack-clash-protection` compiler option, which causes grow
 The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
+#### `nostrictaliasing` {#nostrictaliasing}
+
+This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.
+
 #### `pie` {#pie}
 This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index a5294d0efdc3..ae18c087ceea 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -478,6 +478,8 @@
 - `services.avahi.ipv6` now defaults to true.
+- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
+
 - In the `services.xserver.displayManager.startx` module, two new options [generateScript](#opt-services.xserver.displayManager.startx.generateScript) and [extraCommands](#opt-services.xserver.displayManager.startx.extraCommands) have been added to to declaratively configure the .xinitrc script.
 - All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index 4440d99ccaba..9fed30303ab8 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
- declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+ declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
 declare -A hardeningDisableMap=()
 # Determine which flags were effectively disabled so we can report below.
@@ -91,6 +91,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stack-clash-protection >&2; fi
 hardeningCFlagsBefore+=('-fstack-clash-protection')
 ;;
+ nostrictaliasing)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling nostrictaliasing >&2; fi
+ hardeningCFlagsBefore+=('-fno-strict-aliasing')
+ ;;
 pie)
 # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 22338e9983ff..8ecdb6879740 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -119,6 +119,7 @@ let
 "fortify"
 "fortify3"
 "shadowstack"
+ "nostrictaliasing"
 "pacret"
 "pic"
 "pie"
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix
index bd0dcf9e0473..d953741b4579 100644
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -420,6 +420,7 @@ let
 super'.stdenv.cc.defaultHardeningFlags
 ++ [
 "shadowstack"
+ "nostrictaliasing"
 "pacret"
 "trivialautovarinit"
 ]
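Review bot: The new `nostrictaliasing)` case carries no comment explaining why `-fno-strict-aliasing` belongs in a hardening set, although unlike its neighbours it is not an exploit mitigation but a guard against miscompilation of code that accesses an object through an incompatible pointer type; the doc hunk in stdenv.chapter.md says as much, but a maintainer of this script will not see it there. A one-line comment above the case, `# Not an exploit mitigation: stops the compiler optimising on the assumption that the code obeys the C/C++ aliasing rules (see nostrictaliasing in the stdenv docs)`, would carry that context into the script. The debug message `echo HARDENING: enabling nostrictaliasing` names the flag key where the sibling case names the compiler option (`enabling stack-clash-protection`); `echo HARDENING: enabling no-strict-aliasing >&2` would follow the sibling's convention. The enclosing `case` statement starts and ends outside the hunk.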
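Review bot: Adding `"nostrictaliasing"` to this default list enables `-fno-strict-aliasing` for every package built with the stdenv it configures, while the stdenv documentation in this same change files the flag under those meant to be enabled per package for untrusted-input consumers; the hunk does not record why a set-wide default is wanted. A one-line comment on the entry, `# miscompilation guard rather than an exploit mitigation; forgoes aliasing-based optimisations set-wide`, would preserve that reasoning for later review. The expression this list belongs to (`super'.stdenv.cc.defaultHardeningFlags ++ [`) starts outside the hunk, so which package set it configures is not visible here.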