libressl: build libcrypto with noexecstack

For some reason, libcrypto would be built with the executable stack
flag set. I found out about this when Nginx failed to load the shared
library, because I was running it with MemoryDenyWriteExecute=true,
which does not permit executable stacks.

I am not sure why the stack ends up executable; the other shared
libraries which are part of LibreSSL do not have this flag set. You can
verify this with 'execstack -q'. Non-executable stacks should be the
default, and from checking some other files, that does appear to be the
case. The LibreSSL sources do not contain the string "execstack", so
I am not sure what causes the default to be overridden.

Adding '-z noexecstack' to the linker flags makes the linker unset the
flag. Now my Nginx can load the library, and so far I have not run into
other issues.
Ruud van Asseldonk 2019-08-10 22:07:59 +02:00
parent 809b38a784
commit 8b6a9202e7
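
What the 'execstack -q' check mentioned in the commit message looks at, as an added example that is not part of this commit or of LibreSSL: the `PT_GNU_STACK` program header of the ELF file, whose `PF_X` bit marks the stack as executable. The function names and the sample bytes are constructed for illustration, and only 64-bit ELF files are handled.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags


def stack_status(elf: bytes) -> str:
    """Return 'X' (executable stack), '-' (non-executable stack) or '?'
    (no PT_GNU_STACK header, so the loader uses the platform default)."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not a 64-bit ELF file")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(e_phnum):
        # In ELF64 program headers, p_type and p_flags are the first two words.
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def sample_elf(stack_flags):
    """Constructed sample: a minimal ELF64 header followed by one PT_LOAD and,
    unless stack_flags is None, one PT_GNU_STACK program header."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                         64, 56, len(phdrs), 0, 0, 0)
    return header + b"".join(phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check real files, e.g. the shared libraries in a build output.
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(stack_status(f.read()), path)
    else:
        for name, flags in [("rw", 6), ("rwx", 7), ("missing", None)]:
            print(stack_status(sample_elf(flags)), f"<constructed sample: {name}>")
```

Run with the paths of the built shared libraries as arguments; any line starting with `X` is a library that a `MemoryDenyWriteExecute=true` service will refuse to load.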

@ -23,6 +23,10 @@ let
rm configure
'';
# Ensure that the output libraries do not require an executable stack.
# Without this, libcrypto would be built with the executable stack flag set.
NIX_LDFLAGS = ["-z" "noexecstack"];
enableParallelBuilding = true;
outputs = [ "bin" "dev" "out" "man" "nc" ];
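
Review bot: the comment above `NIX_LDFLAGS = ["-z" "noexecstack"];` states the symptom but not that its cause is still unknown, and forcing the flag at link time hides whatever is causing libcrypto to be marked in the first place. Suggest saying in the comment that the root cause has not been identified, so the override can be dropped once it is, and adding a post-build check (for example `execstack -q` over the installed libraries) so that a regression fails the build instead of showing up when a service with MemoryDenyWriteExecute=true tries to load the library.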