| 7 Oct 2025 |
 Grimmauld (any/all) | thats also a decent proposal | 16:40:52 |
| Grimmauld (any/all) | i'd probably feel better about that, disabled pie does at least mean probably no runtime crashes of the actual audit userspace | 16:41:28 |
| Grimmauld (any/all) | diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index 215cda4ba459..71bedbc56352 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -75,6 +75,9 @@ stdenv.mkDerivation (finalAttrs: {
libcap_ng
];
+ # audit is built with asan, and asan breaks with pie on some kernels
+ hardeningDisable = [ "pie" ];
+
configureFlags = [
# z/OS plugin is not useful on Linux, and pulls in an extra openldap
# dependency otherwise
Willi Butz could you try this one too maybe (on the machine that breaks)?
| 16:43:15 |
 Willi Butz | sure | 16:43:31 |
| Grimmauld (any/all) | sorry to make you do the testing, but as long as you have a machine that reproduces i am afraid code-pingpong will be necessary | 16:44:03 |
 Lun | that won't do anything, the hardening flag is dysfunctional and pending removal :/ | 16:44:39 |
| Lun | NIX_CFLAGS_COMPILE no-pie or something | 16:44:49 |
| Grimmauld (any/all) | oh no | 16:44:49 |
 dramforever | wait, how did that happen | 16:45:06 |
| Grimmauld (any/all) | won't that break a bunch of shit? | 16:45:29 |
| dramforever | why is it pending removal? | 16:45:38 |
| dramforever | shouldn't we fix it? | 16:45:55 |
| Lun | See https://github.com/NixOS/nixpkgs/pull/439314, https://github.com/NixOS/nixpkgs/pull/442510 | 16:45:56 |
| dramforever | ... ouch | 16:46:35 |
| Lun | LLVM stdenvs already built everything with pie ignoring hardening flags, other distros have been shipping gcc that turns pie on by default since ~2016, so ~everything non-ancient in the ecosystem passes no-pie if needed. | 16:46:52 |
 Vladimír Čunát | And there's no demand for softening flags. | 16:47:12 |
| Grimmauld (any/all) | diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index 215cda4ba459..f4dbb79518be 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -75,6 +75,9 @@ stdenv.mkDerivation (finalAttrs: {
libcap_ng
];
+ # audit is built with asan, and asan breaks with pie on some kernels
+ env.NIX_CFLAGS_COMPILE = "-no-pie";
+
configureFlags = [
# z/OS plugin is not useful on Linux, and pulls in an extra openldap
# dependency otherwise
try this one then, i guess
| 16:48:13 |
| dramforever | well i guess you've thought about pkgsStatic and pkgsMusl so it's probably okay | 16:48:32 |
| dramforever | i just thought it was dysfunctional before as well | 16:48:40 |
| dramforever | which doesn't make sense | 16:48:50 |
| Grimmauld (any/all) | but tbh i am at the end of my knowledge, i can't repro and i am lost with pie/asan, so this is just throwing shit at the wall and seeing what sticks | 16:49:01 |
| Lun | the dysfunction was in hardeningflags infra rather than just turning it on by default using the toolchain flags everyone else has been using for a decade | 16:49:04 |
| Lun | is this some cursed issue where the hardened kernel widens the number of bits used for layout randomization and ASAN assumes it can store info in them? | 16:49:31 |
 Randy Eckenrode | Are they releasing a new SDK? | 16:55:15 |
| Willi Butz | (just to confirm, the tests do indeed no longer pass after switching the local machine to 6_12_hardened) | 16:56:56 |
| Grimmauld (any/all) | oh thats amazing info!! | 16:57:16 |
| Lun | What's in /proc/sys/vm/mmap_rnd_bits after that swap? | 16:57:30 |
 K900 | They literally did | 16:57:41 |
| K900 | A few hours ago | 16:57:49 |
| K900 | 1.4.328 | 16:57:59 |
