NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Compile kernel modules with the same hardening settings as the kernel #42607

Open clefru opened 6 years ago

clefru commented 6 years ago

In https://github.com/NixOS/nixpkgs/issues/39225 we saw a hard-to-trace ABI breakage between the kernel and an out-of-tree kernel module. The root cause was different hardeningDisable settings for the kernel and the out-of-tree module. I see no good reason for those hardening settings to be different.

Other out-of-tree kernel modules also have wildly different hardening settings:

grep -r hardeningDisable /nix/nixpkgs/pkgs/os-specific-linux | handpicked-selection
./acpi-call/default.nix:  hardeningDisable = [ "pic" ];
./ati-drivers/default.nix:  hardeningDisable = [ "pic" "format" ];
./beegfs/kernel-module.nix:  hardeningDisable = [ "fortify" "pic" "stackprotector" ];

I don't want to see another weird ABI breakage in the future.

We should unify all those hardening settings by inheriting from the kernel's hardening settings. We already do inherit stdenv from the kernel compilation run for module compilation, so the approach could be similar.
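
An added audit check (not part of this issue or of nixpkgs) that parses grep output in the shape quoted above and reports, per out-of-tree module, how its hardeningDisable list drifts from the kernel's. The kernel's list used here is a constructed placeholder, not the value from nixpkgs.

```python
"""Audit hardeningDisable drift between the kernel and out-of-tree modules.

Added example, not code from the nixpkgs issue: parses lines of the form
'./acpi-call/default.nix:  hardeningDisable = [ "pic" ];' and reports, for
each module, which flags differ from the kernel's disabled set.
"""
import re
from typing import Dict, List, Set

# Constructed placeholder: flags the kernel derivation is assumed to disable.
KERNEL_HARDENING_DISABLE: Set[str] = {"pic", "format", "stackprotector"}

# Constructed sample in the same shape as the grep output quoted in the issue.
SAMPLE_GREP_OUTPUT = """\
./acpi-call/default.nix:  hardeningDisable = [ "pic" ];
./ati-drivers/default.nix:  hardeningDisable = [ "pic" "format" ];
./beegfs/kernel-module.nix:  hardeningDisable = [ "fortify" "pic" "stackprotector" ];
"""

LINE_RE = re.compile(r'^(?P<path>[^:]+):\s*hardeningDisable\s*=\s*\[(?P<flags>[^\]]*)\];')
FLAG_RE = re.compile(r'"([^"]+)"')


def parse_grep_output(text: str) -> Dict[str, Set[str]]:
    """Map each .nix path to the set of hardening flags it disables."""
    result: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a hardeningDisable line; skip it
        result[m.group("path")] = set(FLAG_RE.findall(m.group("flags")))
    return result


def hardening_drift(modules: Dict[str, Set[str]],
                    kernel: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Per module: flags it disables beyond the kernel (weaker than the kernel)
    and flags the kernel disables but the module keeps enabled (mismatched code
    generation between kernel and module, the situation the issue describes).
    Modules whose list equals the kernel's are omitted from the report."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for path, disabled in modules.items():
        weaker = sorted(disabled - kernel)
        mismatched = sorted(kernel - disabled)
        if weaker or mismatched:
            report[path] = {"weaker_than_kernel": weaker,
                            "enabled_but_kernel_disables": mismatched}
    return report
```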

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

clefru commented 4 years ago

This should still be fixed/discussed.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.