libressl: build libcrypto with noexecstack
For some reason, libcrypto would be built with the executable stack flag set. I found out about this when Nginx failed to load the shared library, because I was running it with MemoryDenyWriteExecute=true, which does not permit executable stacks.

I am not sure why the stack ends up executable; the other shared libraries which are part of LibreSSL do not have this flag set. You can verify this with 'execstack -q'.

Non-executable stacks should be the default, and from checking some other files, that does appear to be the case. The LibreSSL sources do not contain the string "execstack", so I am not sure what causes the default to be overridden.

Adding '-z noexecstack' to the linker flags makes the linker unset the flag. Now my Nginx can load the library, and so far I have not run into other issues.
parent 809b38a784
commit 8b6a9202e7
1 changed files with 4 additions and 0 deletions
|
@ -23,6 +23,10 @@ let
|
|||
rm configure
|
||||
'';
|
||||
|
||||
# Ensure that the output libraries do not require an executable stack.
|
||||
# Without this, libcrypto would be built with the executable stack flag set.
|
||||
NIX_LDFLAGS = ["-z" "noexecstack"];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
outputs = [ "bin" "dev" "out" "man" "nc" ];
|
||||
|
|
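Review bot: the two comment lines above NIX_LDFLAGS record the symptom but not that this is a workaround. The commit message says the cause of the executable stack marking on libcrypto is unknown, and "-z noexecstack" clears the marking at link time rather than addressing that cause. Suggest saying so in the comment and naming the check used to find it ('execstack -q' on the built libcrypto), so the flag can be dropped once the cause is understood. A build-time check that fails when an installed library still carries the flag would also keep this from regressing silently.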