How to set cross compiler's unsupportedHardeningFlags?

What’s the best way to set a cross compiler’s unsupportedHardeningFlags attribute?

This attribute is used by the cc-wrapper to disable specified hardening flags in I’d like to disable the stackprotector flag for my cross compiler (because it’s broken on powerpc-musl), which I managed to do using the snippet below:

import <nixpkgs> {
  overlays = [ (
    self: super: {
      # Only patch the wrapper when cross-compiling to PowerPC.
      gcc = if super.stdenv.targetPlatform != super.stdenv.hostPlatform && super.stdenv.targetPlatform.isPowerPC then super.gcc.overrideAttrs (old: {
          # Prepend "stackprotector" to the list the cc-wrapper exports; the trailing
          # space keeps it separate from any flags already in the list.
          postFixup = builtins.replaceStrings [''export hardening_unsupported_flags="''] [''export hardening_unsupported_flags="stackprotector ''] old.postFixup;
        }) else super.gcc;
    }
  ) ];
  crossSystem = {
      config = "powerpc-unknown-linux-musl";
  };
}

I can successfully enter an env using the code above, i.e.:

# nix-shell -E 'with import ./test.nix; mkShell { buildInputs = [ zlib ]; }'

Even though this works, it’s an obvious hack. I’m new to nix(os), so I’m sure there’s a better approach.
I’ve come up with two alternate approaches, which both didn’t work.

  • It would seem a cleaner way would be to override cc, because cc.hardeningUnsupportedFlags is actually used to emit the code I’m crudely replacing. I don’t know how to do this though, as it’s passed in as an argument to the cc-wrapper function.
    ## Hardening support
    + ''
      export hardening_unsupported_flags="${builtins.concatStringsSep " " (cc.hardeningUnsupportedFlags or [])}"
  • I tried overlaying gcc-unwrapped to set hardeningUnsupportedFlags in my overlay, assuming this would somehow end up being the cc passed to cc-wrapper. Unfortunately, this doesn’t seem to be the case. My main problem with this approach is that I do not understand how (or if) I can influence cc by overlaying gcc-unwrapped (or gcc10).

Any suggestions for a cleaner approach - or an explanation why my other ideas won’t work - would be appreciated.
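An added example, not part of the original post or of nixpkgs: `builtins.replaceStrings` returns its input unchanged when the search string does not occur, so the substitution above can stop taking effect without any error if the wrapper's text changes. The sketch below edits the same `export hardening_unsupported_flags="…"` line but fails evaluation unless exactly one such line exists, and it keeps existing flags separated and deduplicated. The helper name `addUnsupportedFlag` and the sample scripts are constructed for illustration.

```nix
# Added example (not from the thread). Pure Nix, no nixpkgs needed:
#   nix-instantiate --eval --strict example.nix
let
  # Matches the line the cc-wrapper emits (quoted in the post) and
  # captures the space-separated flag list between the quotes.
  pattern = "export hardening_unsupported_flags=\"([^\"]*)\"";

  # Hypothetical helper: return `script` with `flag` present in the list.
  addUnsupportedFlag = flag: script:
    let
      # builtins.split interleaves unmatched text (strings) with matches (lists).
      parts = builtins.split pattern script;
      hits = builtins.filter builtins.isList parts;
      # Words currently in the list; empty strings from the split are dropped.
      current = builtins.filter (w: builtins.isString w && w != "")
        (builtins.split " +" (builtins.head (builtins.head hits)));
      wanted = if builtins.elem flag current then current else current ++ [ flag ];
      line = "export hardening_unsupported_flags=\"${builtins.concatStringsSep " " wanted}\"";
    in
      if builtins.length hits != 1 then
        throw "expected exactly one hardening_unsupported_flags export, found ${toString (builtins.length hits)}"
      else
        builtins.concatStringsSep "" (map (p: if builtins.isList p then line else p) parts);

  # Constructed stand-ins for a wrapper's postFixup text.
  empty = "## Hardening support\nexport hardening_unsupported_flags=\"\"\n";
  nonEmpty = "export hardening_unsupported_flags=\"fortify pie\"\n";
  once = addUnsupportedFlag "stackprotector" nonEmpty;
in {
  fromEmpty = addUnsupportedFlag "stackprotector" empty;
  fromNonEmpty = once;
  # Applying the helper twice gives the same text as applying it once.
  idempotent = addUnsupportedFlag "stackprotector" once == once;
  # A script without the export line is rejected instead of passing through unchanged.
  missingIsError = !(builtins.tryEval (addUnsupportedFlag "stackprotector" "echo hi\n")).success;
}
```

In the overlay above, the helper would be used as `postFixup = addUnsupportedFlag "stackprotector" old.postFixup;`, assuming the wrapper's `postFixup` still contains that export line.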

Minor bump for visibility…

If these flags are not supported on this architecture, then I suspect that you should make a PR to add them in nixpkgs.

I’m aware that would be the eventual solution - in fact, on x86 a workaround is used to add the missing __stack_chk_fail_local symbol instead of disabling SSP altogether. PowerPC would have to be added.

I’m still interested in learning how to approach this using an overlay - as I’m trying to teach myself Nix(OS). Consider it an educational question - for practical purposes my substitution hack works just fine.

EDIT: I discovered editing <nixpkgs> isn’t that bad after all, as its path can be passed to nix-shell so it applies only to the cross environment.