cc-wrapper: add nostrictaliasing hardening flag support

this equates to -fno-strict-aliasing

this is not a particularly new flag and is supported by all our
gcc and clang versions.

add to pkgsExtraHardening's defaultHardeningFlags.
Robert Scott 2025-04-01 21:12:32 +01:00
parent 9760071a02
commit 781b42b87d
5 changed files with 13 additions and 1 deletion

@ -1568,6 +1568,10 @@ This flag adds the `-fstack-clash-protection` compiler option, which causes grow
The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
#### `nostrictaliasing` {#nostrictaliasing}
This flag adds the `-fno-strict-aliasing` compiler option, which prevents the compiler from assuming code has been written strictly following the standard in regards to pointer aliasing and therefore performing optimizations that may be unsafe for code that has not followed these rules.
#### `pie` {#pie}
This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for
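Review bot: the new `nostrictaliasing` paragraph is one long sentence; split it so the reader of this `hardeningEnable` list gets the mechanism first and the consequence second, e.g. `This flag adds the `-fno-strict-aliasing` compiler option. It stops the compiler from assuming that pointers of different types never refer to the same memory, so type-based alias optimizations that are unsafe for code violating the C/C++ aliasing rules are not applied.` The section preface says these flags are disabled by default, but this same commit adds the flag to `pkgsExtraHardening`'s `defaultHardeningFlags`, so a sentence noting that it is on by default there would save readers a surprise.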

@ -462,6 +462,8 @@
- `services.avahi.ipv6` now defaults to true.
- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
- In the `services.xserver.displayManager.startx` module, two new options [generateScript](#opt-services.xserver.displayManager.startx.generateScript) and [extraCommands](#opt-services.xserver.displayManager.startx.extraCommands) have been added to to declaratively configure the .xinitrc script.
- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
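Review bot: the new entry is missing the closing comma of the appositive: `A new hardening flag, `nostrictaliasing`, was made available, corresponding to ...`. Since the manual hunk in this commit adds the `{#nostrictaliasing}` anchor, linking the flag name to that section the way the neighbouring entries link their options would help readers find the description. The unchanged context line below also carries a pre-existing `to to` typo that could be fixed in passing.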

@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
fi
if (( "${NIX_DEBUG:-0}" >= 1 )); then
declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
declare -A hardeningDisableMap=()
# Determine which flags were effectively disabled so we can report below.
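Review bot: `allHardeningFlags` is only consulted under `NIX_DEBUG` to report which flags ended up disabled, so the name added here must match the `case` label in the same script and the flag lists on the Nix side character for character; it does (`nostrictaliasing`). Placing it between `stackclashprotection` and `pacret` mirrors the order of the `case` arms below, which keeps the debug report in the same order as the enabling logic.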
@ -91,6 +91,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stack-clash-protection >&2; fi
hardeningCFlagsBefore+=('-fstack-clash-protection')
;;
nostrictaliasing)
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling nostrictaliasing >&2; fi
hardeningCFlagsBefore+=('-fno-strict-aliasing')
;;
pie)
# NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
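Review bot: the debug message `enabling nostrictaliasing` prints the wrapper flag name rather than the compiler option, while the neighbouring arms print what is actually added (`enabling stack-clash-protection`, `enabling CFlags -fPIE`); `echo HARDENING: enabling -fno-strict-aliasing >&2` would read consistently in `NIX_DEBUG` output. Appending to `hardeningCFlagsBefore` is the right array: it puts `-fno-strict-aliasing` ahead of the package's own flags, so a build system that deliberately passes `-fstrict-aliasing` later still wins (for `-f` options the last one on the command line takes effect in both gcc and clang), exactly as `-fstack-clash-protection` is handled in the arm above.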

@ -119,6 +119,7 @@ let
"fortify"
"fortify3"
"shadowstack"
"nostrictaliasing"
"pacret"
"pic"
"pie"

@ -420,6 +420,7 @@ let
super'.stdenv.cc.defaultHardeningFlags
++ [
"shadowstack"
"nostrictaliasing"
"pacret"
"trivialautovarinit"
]
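Review bot: adding `nostrictaliasing` to `pkgsExtraHardening`'s `defaultHardeningFlags` means every package built through that package set is compiled with `-fno-strict-aliasing` unless it names the flag in `hardeningDisable`, which is the intent stated in the commit message. Because this is the only place the flag becomes enabled by default, the manual paragraph added in this commit should say so, and the release note could make clear that the default `stdenv` is unaffected.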