glibc: allow to build position-independent static executable

Mic92 · Mic92 · commit 61c74e1aee1b · 2021-05-22T13:33:49.000+02:00
This enables ALSR on static executables, which makes them harder to
exploit by providing a crt suitable for static PIEs.

Does this break existing binaries? Likely not. Static-pie is only
used if explicitly enabled.
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
@@ -153,6 +153,8 @@ stdenv.mkDerivation ({
       "--enable-add-ons"
       "--sysconfdir=/etc"
       "--enable-stackguard-randomization"
+      "--enable-static-pie"
+      "--enable-bind-now"
       (lib.withFeatureAs withLinuxHeaders "headers" "${linuxHeaders}/include")
       (lib.enableFeature profilingLibraries "profile")
     ] ++ lib.optionals withLinuxHeaders [
