NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

tracking issue: by default packages aren't built with -fpie/ASLR support #205031

Open LunNova opened 1 year ago

LunNova commented 1 year ago

TODO

Description

-fpie should result in almost no performance decrease on x64 and makes some attacks harder, although it is possible to bypass.

We should enable it by default if this is feasible without breaking package builds.

Raising this issue to track this, as there was no tracking issue and the last PR attempting this, #104091, stalled.

Inlining motivation from @TredwellGit's PR:

https://blog.fpmurphy.com/2008/06/position-independent-executables.html

PIE is an address space randomization technique that compiles & links executables to be position independent, i.e. machine instruction code that executes properly regardless of where in memory it actually resides. When combined with a kernel that can recognize it is loading a PIE binary, the kernel loads it into a random address instead of the traditional fixed address locations.

https://fedoraproject.org/wiki/Security_Features_Matrix#Address_Space_Layout_Randomization_.28ASLR.29

This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit.
To make ASLR effective all segments must be randomized. Leaving the text segment loading address non-randomized reduces the protection provided by the ASLR since the attackers can use ret2text attacks. The loading address of the text segment in a binary can be randomized by building the binary as PIE (Position Independent Executable).

https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

Copy relocations support in GCC 5 and binutils 2.26 makes the performance [decrease] on x86_64 of PIE literally zero for many programs.

chivay commented 1 year ago

FWIW, I've attempted to combine all PIE-related patches into a single branch, which can be found here: https://github.com/NixOS/nixpkgs/compare/master...chivay:nixpkgs:pie-hardening-work

The only problem I've encountered is with Golang - when compiled with PIE against glibc, binaries end up linked with ld.so from a standard path, i.e. "/lib", instead of "/nix/store", thus they're unusable.

Apart from that, I'm happy to report that everything seems to work without any issues (at least in my configuration).
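As an added example (not code from nixpkgs, the linked PR, or either commenter), the following Python checker makes both points in this thread concrete: it reads an ELF64 header to tell ET_EXEC (the binary loads at a fixed address, so its text segment is never randomized) from ET_DYN (a PIE, which the kernel can load at a random base), and it reads the PT_INTERP program header to show which dynamic loader the binary asks for, which is exactly where the Go-on-glibc problem above (ld.so at /lib instead of under /nix/store) becomes visible. The sample ELF images, the store path and the `build_elf64`/`classify`/`audit` names are constructed here for illustration; the images are not loadable binaries, they only carry the headers the checker looks at.

```python
"""ELF64 PIE / interpreter checker (added example; not part of nixpkgs)."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3        # e_type values from the ELF specification
PT_INTERP = 3                 # program header holding the interpreter path
EM_X86_64 = 62

TYPE_NAMES = {ET_EXEC: "EXEC", ET_DYN: "DYN"}


def build_elf64(e_type, interp=None):
    """Construct a minimal little-endian ELF64 image with an optional PT_INTERP.

    Constructed sample input for the checker below; it is not runnable code.
    """
    ehsize, phentsize = 64, 56
    phoff = ehsize
    phdrs = []
    interp_bytes = b""
    if interp is not None:
        interp_bytes = interp + b"\0"
        interp_off = phoff + phentsize            # string follows the single phdr
        # p_type, p_flags(R), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs.append((PT_INTERP, 4, interp_off, 0, 0,
                      len(interp_bytes), len(interp_bytes), 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0, phoff, 0, 0,
        ehsize, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    return header + body + interp_bytes


def classify(data):
    """Return the ELF type, a PIE verdict and the interpreter path of an ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    interp = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
            break
    return {
        "type": TYPE_NAMES.get(e_type, hex(e_type)),
        # ET_DYN plus PT_INTERP is a dynamically linked PIE.  ET_DYN without an
        # interpreter is either a shared object or a static-pie; telling those
        # apart needs DT_FLAGS_1 (DF_1_PIE), which this example does not parse.
        "pie": e_type == ET_DYN and interp is not None,
        "interp": interp,
    }


def audit(data, store_prefix="/nix/store/"):
    """Return the findings this thread cares about; an empty list means OK."""
    info = classify(data)
    findings = []
    if info["type"] == "EXEC":
        findings.append("not PIE: ET_EXEC loads at a fixed address, so ASLR "
                        "cannot randomize the text segment")
    if info["interp"] is not None and not info["interp"].startswith(store_prefix):
        findings.append(f"interpreter {info['interp']} is outside {store_prefix}")
    return findings


def audit_file(path, store_prefix="/nix/store/"):
    """Audit a real binary from disk, e.g. a nixpkgs build output."""
    with open(path, "rb") as f:
        return audit(f.read(), store_prefix)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        problems = audit_file(p)
        print(p, "OK" if not problems else "; ".join(problems))
```

On a real system the same two facts are what `readelf -h` (the Type line: EXEC or DYN) and `readelf -l` (the "Requesting program interpreter" line) report; pointing the script at a build output lists both non-PIE binaries and binaries whose loader path will not resolve under NixOS. The DT_FLAGS_1 caveat matters for static-pie and for shared libraries, which this header-only check deliberately does not attempt to distinguish.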