├── .gitignore
├── LICENSE
├── README.md
├── default.nix
├── derivation.nix
├── example
    └── default.nix
├── nix-harden-needed.sh
├── nix
    ├── sources.json
    └── sources.nix
└── overlay.nix


/.gitignore:
--------------------------------------------------------------------------------
1 | result
2 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 Farid Zakaria
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Nix Harden Needed Setup Hook
 2 | 
 3 | This repository contains the Nix equivalent of the idea proposed by [Harmen Stoppels](https://stoppels.ch/) in the blog post [Stop searching for shared libraries](https://stoppels.ch/2022/08/04/stop-searching-for-shared-libraries.html).
 4 | 
 5 | The idea of the blog post is that if you set the _SONAME_ of shared library to be the absolute path, it will get propagated as the _DT_NEEDED_ entry for the library or application which links against it.
 6 | Since in Nix it is always safe to link against the full _/nix/store/ path entry, this ultimately removes the need to have any _RPATH_ or _RUNPATH_ entries.
 7 | 
 8 | This setup-hook is used like any other setup-hook and you need only add it as a dependency for it to trigger.
 9 | 
10 | ## Why do this?
11 | 
12 | I have shown in another repository [Shrinkwrap](https://github.com/fzakaria/shrinkwrap) that the cost of walking _RPATH_ can be problematic for binaries that pull in many dependencies. The cost is even worse if you have your Nix store on something like NFS.
13 | This is another attempt at solving the same problem of Shrinkwrap but takes more advantage of systems like Nix that build from the ground up. You only need to set the _SONAME_ correctly once and everything above it profits.
14 | 
15 | ## Example
16 | 
17 | Imagine a library _libf_ that used this setup hook.
18 | ```nix
19 | stdenv.mkDerivation rec {
20 |   pname = "libf";
21 |   version = "0.1";
22 | 
23 |   dontUnpack = true;
24 | 
25 |   buildInputs = [
26 |     nix-harden-needed-hook
27 |   ];
28 | 
29 |   buildPhase = ''
30 |     $CC -shared -o libf.so -Wl,-soname,libf.so -x c - <<EOF
31 |         #include <stdio.h>
32 |         void f() { puts("hello world"); }
33 |     EOF
34 |   '';
35 | 
36 |   installPhase = ''
37 |     mkdir -p $out/lib
38 |     mv libf.so $out/lib
39 |   '';
40 | }
41 | ```
42 | 
43 | The _SONAME_ is modified to point to the absolute path of the file.
44 | 
45 | ```console
46 | ❯ patchelf --print-soname /nix/store/zir4jfm86i3037lnsaz5br55iwavvhpz-libf-0.1/lib/libf.so
47 | /nix/store/zir4jfm86i3037lnsaz5br55iwavvhpz-libf-0.1/lib/libf.so
48 | ```
49 | 
50 | If we then had a library or executable depend on it.
51 | ```nix
52 | stdenv.mkDerivation rec {
53 |   pname = "app";
54 | 
55 |   version = "0.1";
56 | 
57 |   dontUnpack = true;
58 | 
59 |   buildInputs = [
60 |     libf
61 |   ];
62 | 
63 |   buildPhase = ''
64 |     # Enable if you'd like to see wrapper debug information
65 |     # NIX_DEBUG=1 
66 |     $CC -o app -lf -x c - <<EOF
67 |         void f();
68 |         int main() { f(); }
69 |     EOF
70 |   '';
71 | 
72 |   installPhase = ''
73 |     mkdir -p $out/bin
74 |     mv app $out/bin
75 |   '';
76 | 
77 | }
78 | ```
79 | 
80 | It would propagate the entry into the _DT_NEEDED_ entry correctly, making the need for _RPATH_ redundant.
81 | ```console
82 | ❯ patchelf --print-needed /nix/store/6pg9d3lwlmgcmmswv937fcy211vkqxch-app-0.1/bin/app
83 | /nix/store/znxycsxlnx2s9zn6g0s0fl4z57ar7aps-libf-0.1/lib/libf.so
84 | libc.so.6
85 | ```
86 | 
87 | ## What's next?
88 | 
89 | It would be great to upstream this into Nixpkgs such that it is the default way of building with _stdenv_.
90 | The benefit would be all binaries in Nix would load much quicker and managing RPATHs would no longer be necessary.


--------------------------------------------------------------------------------
/default.nix:
--------------------------------------------------------------------------------
 1 | { nixpkgs ? (import ./nix/sources.nix).nixpkgs
 2 | , system ? builtins.currentSystem
 3 | }:
 4 | let
 5 |   sources = import ./nix/sources.nix;
 6 |   pkgs = import nixpkgs {
 7 |     overlays = [
 8 |       (_: super: {
 9 |         niv = (import sources.niv { }).niv;
10 |       })
11 |       (import ./overlay.nix)
12 |     ];
13 |     inherit system;
14 |   };
15 | in
16 | {
17 |   nix-harden-needed-hook = pkgs.nix-harden-needed-hook;
18 | }
19 |     


--------------------------------------------------------------------------------
/derivation.nix:
--------------------------------------------------------------------------------
 1 | { makeSetupHook
 2 | , ruby
 3 | , patchelf
 4 | , substituteAll
 5 | }:
 6 | makeSetupHook
 7 | {
 8 |   name = "nix-harden-needed.sh";
 9 |   deps = [ ];
10 |   substitutions = {
11 |     ruby = ruby;
12 |     nixHardenNeededScript = substituteAll { src = ./nix-harden-needed.rb; inherit patchelf ruby; };
13 |   };
14 | } ./nix-harden-needed.sh
15 |     
16 | 


--------------------------------------------------------------------------------
/example/default.nix:
--------------------------------------------------------------------------------
 1 | let pkgs = import <nixpkgs> {
 2 |   overlays = [
 3 |     (import ../overlay.nix)
 4 |   ];
 5 | };
 6 | in
 7 | with pkgs;
 8 | let libf = stdenv.mkDerivation rec {
 9 |   pname = "libf";
10 |   version = "0.1";
11 | 
12 |   dontUnpack = true;
13 | 
14 |   buildInputs = [
15 |     nix-harden-needed-hook
16 |   ];
17 | 
18 |   buildPhase = ''
19 |     # Enable if you'd like to see wrapper debug information
20 |     # NIX_DEBUG=1 
21 |     $CC -shared -o libf.so -Wl,-soname,libf.so -x c - <<EOF
22 |         #include <stdio.h>
23 |         void f() { puts("hello world"); }
24 |     EOF
25 |   '';
26 | 
27 |   installPhase = ''
28 |     mkdir -p $out/lib
29 |     mv libf.so $out/lib
30 |   '';
31 | };
32 | in
33 | stdenv.mkDerivation rec {
34 |   pname = "app";
35 | 
36 |   version = "0.1";
37 | 
38 |   dontUnpack = true;
39 | 
40 |   buildInputs = [
41 |     libf
42 |   ];
43 | 
44 |   buildPhase = ''
45 |     # Enable if you'd like to see wrapper debug information
46 |     # NIX_DEBUG=1 
47 |     $CC -o app -lf -x c - <<EOF
48 |         void f();
49 |         int main() { f(); }
50 |     EOF
51 |   '';
52 | 
53 |   installPhase = ''
54 |     mkdir -p $out/bin
55 |     mv app $out/bin
56 |   '';
57 | 
58 | }
59 | 


--------------------------------------------------------------------------------
/nix-harden-needed.sh:
--------------------------------------------------------------------------------
 1 | # This is the setup-hook that gets installed automatically whenever a package
 2 | # takes a dependency on this package.
 3 | # TODO(fzakaria): Understand how to integrate shellcheck similar to
 4 | # https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/trivial-builders.nix#L274
 5 | 
 6 | nix-harden-needed-hook() {
 7 |     # TODO(fzakaria): Understand the difference between $out and $prefix
 8 |     local dir="$prefix"
 9 |     [ -e "$dir" ] || return 1
10 | 
11 |     header "Hardening the dynamic shared libraries in $dir"
12 | 
13 |     for i in $(find $dir -type f -name '*.so*'); do
14 |         # sometimes there can be linker scripts matching *.so*
15 |         if isELF "$i"; then
16 |             patchelf --set-soname $i $i
17 |         fi
18 |     done
19 | }
20 | 
21 | fixupOutputHooks+=(nix-harden-needed-hook)
22 | 


--------------------------------------------------------------------------------
/nix/sources.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "nixpkgs": {
 3 |         "branch": "release-21.05",
 4 |         "description": "Nix Packages collection",
 5 |         "homepage": "",
 6 |         "owner": "NixOS",
 7 |         "repo": "nixpkgs",
 8 |         "rev": "022caabb5f2265ad4006c1fa5b1ebe69fb0c3faf",
 9 |         "sha256": "12q00nbd7fb812zchbcnmdg3pw45qhxm74hgpjmshc2dfmgkjh4n",
10 |         "type": "tarball",
11 |         "url": "https://github.com/NixOS/nixpkgs/archive/022caabb5f2265ad4006c1fa5b1ebe69fb0c3faf.tar.gz",
12 |         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
13 |     }
14 | }
15 | 


--------------------------------------------------------------------------------
/nix/sources.nix:
--------------------------------------------------------------------------------
  1 | # This file has been generated by Niv.
  2 | 
  3 | let
  4 | 
  5 |   #
  6 |   # The fetchers. fetch_<type> fetches specs of type <type>.
  7 |   #
  8 | 
  9 |   fetch_file = pkgs: name: spec:
 10 |     let
 11 |       name' = sanitizeName name + "-src";
 12 |     in
 13 |       if spec.builtin or true then
 14 |         builtins_fetchurl { inherit (spec) url sha256; name = name'; }
 15 |       else
 16 |         pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
 17 | 
 18 |   fetch_tarball = pkgs: name: spec:
 19 |     let
 20 |       name' = sanitizeName name + "-src";
 21 |     in
 22 |       if spec.builtin or true then
 23 |         builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
 24 |       else
 25 |         pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
 26 | 
 27 |   fetch_git = name: spec:
 28 |     let
 29 |       ref =
 30 |         if spec ? ref then spec.ref else
 31 |           if spec ? branch then "refs/heads/${spec.branch}" else
 32 |             if spec ? tag then "refs/tags/${spec.tag}" else
 33 |               abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
 34 |       submodules = if spec ? submodules then spec.submodules else false;
 35 |       submoduleArg =
 36 |         let
 37 |           nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
 38 |           emptyArgWithWarning =
 39 |             if submodules == true
 40 |             then
 41 |               builtins.trace
 42 |                 (
 43 |                   "The niv input \"${name}\" uses submodules "
 44 |                   + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
 45 |                   + "does not support them"
 46 |                 )
 47 |                 {}
 48 |             else {};
 49 |         in
 50 |           if nixSupportsSubmodules
 51 |           then { inherit submodules; }
 52 |           else emptyArgWithWarning;
 53 |     in
 54 |       builtins.fetchGit
 55 |         ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
 56 | 
 57 |   fetch_local = spec: spec.path;
 58 | 
 59 |   fetch_builtin-tarball = name: throw
 60 |     ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
 61 |         $ niv modify ${name} -a type=tarball -a builtin=true'';
 62 | 
 63 |   fetch_builtin-url = name: throw
 64 |     ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
 65 |         $ niv modify ${name} -a type=file -a builtin=true'';
 66 | 
 67 |   #
 68 |   # Various helpers
 69 |   #
 70 | 
 71 |   # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
 72 |   sanitizeName = name:
 73 |     (
 74 |       concatMapStrings (s: if builtins.isList s then "-" else s)
 75 |         (
 76 |           builtins.split "[^[:alnum:]+._?=-]+"
 77 |             ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
 78 |         )
 79 |     );
 80 | 
 81 |   # The set of packages used when specs are fetched using non-builtins.
 82 |   mkPkgs = sources: system:
 83 |     let
 84 |       sourcesNixpkgs =
 85 |         import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
 86 |       hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
 87 |       hasThisAsNixpkgsPath = <nixpkgs> == ./.;
 88 |     in
 89 |       if builtins.hasAttr "nixpkgs" sources
 90 |       then sourcesNixpkgs
 91 |       else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
 92 |         import <nixpkgs> {}
 93 |       else
 94 |         abort
 95 |           ''
 96 |             Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
 97 |             add a package called "nixpkgs" to your sources.json.
 98 |           '';
 99 | 
100 |   # The actual fetching function.
101 |   fetch = pkgs: name: spec:
102 | 
103 |     if ! builtins.hasAttr "type" spec then
104 |       abort "ERROR: niv spec ${name} does not have a 'type' attribute"
105 |     else if spec.type == "file" then fetch_file pkgs name spec
106 |     else if spec.type == "tarball" then fetch_tarball pkgs name spec
107 |     else if spec.type == "git" then fetch_git name spec
108 |     else if spec.type == "local" then fetch_local spec
109 |     else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
110 |     else if spec.type == "builtin-url" then fetch_builtin-url name
111 |     else
112 |       abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
113 | 
114 |   # If the environment variable NIV_OVERRIDE_${name} is set, then use
115 |   # the path directly as opposed to the fetched source.
116 |   replace = name: drv:
117 |     let
118 |       saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
119 |       ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
120 |     in
121 |       if ersatz == "" then drv else
122 |         # this turns the string into an actual Nix path (for both absolute and
123 |         # relative paths)
124 |         if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
125 | 
126 |   # Ports of functions for older nix versions
127 | 
128 |   # a Nix version of mapAttrs if the built-in doesn't exist
129 |   mapAttrs = builtins.mapAttrs or (
130 |     f: set: with builtins;
131 |     listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
132 |   );
133 | 
134 |   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
135 |   range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
136 | 
137 |   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
138 |   stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
139 | 
140 |   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
141 |   stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
142 |   concatMapStrings = f: list: concatStrings (map f list);
143 |   concatStrings = builtins.concatStringsSep "";
144 | 
145 |   # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
146 |   optionalAttrs = cond: as: if cond then as else {};
147 | 
148 |   # fetchTarball version that is compatible between all the versions of Nix
149 |   builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
150 |     let
151 |       inherit (builtins) lessThan nixVersion fetchTarball;
152 |     in
153 |       if lessThan nixVersion "1.12" then
154 |         fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
155 |       else
156 |         fetchTarball attrs;
157 | 
158 |   # fetchurl version that is compatible between all the versions of Nix
159 |   builtins_fetchurl = { url, name ? null, sha256 }@attrs:
160 |     let
161 |       inherit (builtins) lessThan nixVersion fetchurl;
162 |     in
163 |       if lessThan nixVersion "1.12" then
164 |         fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
165 |       else
166 |         fetchurl attrs;
167 | 
168 |   # Create the final "sources" from the config
169 |   mkSources = config:
170 |     mapAttrs (
171 |       name: spec:
172 |         if builtins.hasAttr "outPath" spec
173 |         then abort
174 |           "The values in sources.json should not have an 'outPath' attribute"
175 |         else
176 |           spec // { outPath = replace name (fetch config.pkgs name spec); }
177 |     ) config.sources;
178 | 
179 |   # The "config" used by the fetchers
180 |   mkConfig =
181 |     { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
182 |     , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
183 |     , system ? builtins.currentSystem
184 |     , pkgs ? mkPkgs sources system
185 |     }: rec {
186 |       # The sources, i.e. the attribute set of spec name to spec
187 |       inherit sources;
188 | 
189 |       # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
190 |       inherit pkgs;
191 |     };
192 | 
193 | in
194 | mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
195 | 


--------------------------------------------------------------------------------
/overlay.nix:
--------------------------------------------------------------------------------
1 | self: super: {
2 |   nix-harden-needed-hook = self.callPackage ./derivation.nix { };
3 | }
4 | 


--------------------------------------------------------------------------------