author | Robert Mustacchi <rm@fingolfin.org> | 2020-10-24 17:43:02 -0700 |
---|---|---|
committer | Robert Mustacchi <rm@fingolfin.org> | 2020-11-17 08:52:10 -0800 |
commit | 5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6 (patch) | |
tree | 762f2de7c139aee157730b0e788d3a61462554e9 | |
parent | 6a817834d81cc75ce12d0d393320837b1fec1e85 (diff) | |
download | illumos-joyent-5a0af8165ce9590e7a18f1ef4f9badc4dd72c6e6.tar.gz |
13274 enable -fstack-protector-strong by default in user land
Reviewed by: Andy Fiddaman <andy@omniosce.org>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Gordon Ross <gordon.w.ross@gmail.com>
29 files changed, 182 insertions, 57 deletions
diff --git a/usr/src/Makefile.master b/usr/src/Makefile.master index c3dfbe70fa..7777f62565 100644 --- a/usr/src/Makefile.master +++ b/usr/src/Makefile.master @@ -410,6 +410,45 @@ CCNOAGGRESSIVELOOPS= \ -_gcc8=-fno-aggressive-loop-optimizations \ -_gcc9=-fno-aggressive-loop-optimizations +# +# Options to control which version of stack-protector we enable. This +# gives us a bit of flexibility and is unfortunately necessary as some +# modules do not function correctly with our defaults (qede). +# +# o STACKPROTECT_ Sets the appropriate version for the compiler +# o STACKPROTECT_strong Sets us to use strong on all of the +# compilers it supports. This is the same +# as the default. +# +# o STACKPROTECT_none Disables the stack protector. +# +# o STACKPROTECT_all Enables it for everything. +# +# o STACKPROTECT_basic Enables the basic stack protector. +# +# -fstack-protector-strong is not available in gcc4 which is why we +# have per-compiler versions below. These are not added to the default +# global CFLAGS at this time as it's being incrementally enabled +# throughout the build. +# +STACKPROTECT_ = -_gcc4=-fstack-protector +STACKPROTECT_ += -_gcc7=-fstack-protector-strong +STACKPROTECT_ += -_gcc8=-fstack-protector-strong +STACKPROTECT_ += -_gcc9=-fstack-protector-strong + +STACKPROTECT_strong = $(STACKPROTECT_) +STACKPROTECT_none = +STACKPROTECT_all = -_gcc=-fstack-protector-all +STACKPROTECT_basic = -_gcc=-fstack-protector + +STACKPROTECT_LD_ = -lssp_ns +STACKPROTECT_LD_none = +STACKRPTOECT_LD_all = $(STACKRPOTECT_LD_) +STACKRPTOECT_LD_basic = $(STACKRPOTECT_LD_) + +CCSTACKPROTECT= $(STACKPROTECT_$(STACKPROTECT)) +LDSTACKPROTECT= $(STACKPROTECT_LD_$(STACKPROTECT)) + # One optimization the compiler might perform is to turn this: # #pragma weak foo # extern int foo; diff --git a/usr/src/cmd/Makefile.cmd b/usr/src/cmd/Makefile.cmd index b16a7532b2..b616d6a7ac 100644 --- a/usr/src/cmd/Makefile.cmd +++ b/usr/src/cmd/Makefile.cmd 
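Review bot: The two link-side entries at the end of the new block are misspelled on both sides: `STACKRPTOECT_LD_all = $(STACKRPOTECT_LD_)` and `STACKRPTOECT_LD_basic = $(STACKRPOTECT_LD_)` define names that `LDSTACKPROTECT= $(STACKPROTECT_LD_$(STACKPROTECT))` never looks up, and there is no `STACKPROTECT_LD_strong` at all. A build with STACKPROTECT set to all, basic or strong therefore gets the compiler flag but an empty LDSTACKPROTECT, so -lssp_ns is dropped from the link. The entries should read `STACKPROTECT_LD_all = $(STACKPROTECT_LD_)` and `STACKPROTECT_LD_basic = $(STACKPROTECT_LD_)`, with a matching `STACKPROTECT_LD_strong = $(STACKPROTECT_LD_)`. Separately, `STACKPROTECT_none =` is now empty, whereas the definition this commit removes from Makefile.intel passed an explicit flag, so `STACKPROTECT = none` in the rtld, libc, kmdb and standalone makefiles only means "add nothing". If the build compiler ever enables the protector by default, those components would be instrumented anyway; `STACKPROTECT_none = -_gcc=-fno-stack-protector` would make the opt-out explicit.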
@@ -115,7 +115,13 @@ ROOTAUDIOSAMPAU=$(ROOTAUDIOSAMP)/au ISAEXEC= $(ROOT)/usr/lib/isaexec PLATEXEC= $(ROOT)/usr/lib/platexec -LDLIBS = $(LDLIBS.cmd) +# +# Enable the stack protector by default. +# +CFLAGS += $(CCSTACKPROTECT) +CFLAGS64 += $(CCSTACKPROTECT) + +LDLIBS = $(LDLIBS.cmd) $(LDSTACKPROTECT) LDFLAGS.cmd = \ $(BDIRECT) $(ENVLDFLAGS1) $(ENVLDFLAGS2) $(ENVLDFLAGS3) \ diff --git a/usr/src/cmd/cmd-inet/usr.bin/pppd/plugins/Makefile b/usr/src/cmd/cmd-inet/usr.bin/pppd/plugins/Makefile index d577640c90..1f7c9b1ef7 100644 --- a/usr/src/cmd/cmd-inet/usr.bin/pppd/plugins/Makefile +++ b/usr/src/cmd/cmd-inet/usr.bin/pppd/plugins/Makefile @@ -26,7 +26,7 @@ # MINCONN = minconn.so -PASSPROMPT = passprompt.so +PASSPROMPT = passprompt.so PPPOE = pppoe.so LIBRARIES = minconn.so passprompt.so pppoe.so @@ -52,11 +52,8 @@ $(MINCONN):= MAPFILES = mapfile-minconn $(PASSPROMPT):= MAPFILES = mapfile-passprompt $(PPPOE):= MAPFILES = mapfile-pppoe -# A bug in pmake causes redundancy when '+=' is conditionally assigned, so -# '=' is used with extra variables. -XXXLDLIBS = -$(PASSPROMPT):= XXXLDLIBS = -lc -LDLIBS += $(XXXLDLIBS) +$(PASSPROMPT):= LDLIBS += -lc +$(PPPOE):= LDLIBS += -lc CPPFLAGS += -I.. -I$(SRC)/uts/common # XX64 -- this should not be needed -- fix me diff --git a/usr/src/cmd/lp/cmd/Makefile b/usr/src/cmd/lp/cmd/Makefile index 1d31e19262..21fef0076b 100644 --- a/usr/src/cmd/lp/cmd/Makefile +++ b/usr/src/cmd/lp/cmd/Makefile 
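Review bot: The new comment above `CFLAGS += $(CCSTACKPROTECT)` says the protector is on by default, but not how a component opts out or how it can lose the setting by accident. Only CFLAGS, CFLAGS64 and LDLIBS are extended here, so a makefile that later reassigns LDLIBS gets the compile flag without the library. The lp makefiles patched elsewhere in this commit apparently do this, since they add `$(LDSTACKPROTECT)` by hand. A makefile that compiles through some other flags variable would get no protection at all. I would extend the comment to something like `# Enable the stack protector by default; set STACKPROTECT = none to opt out, and keep $(LDSTACKPROTECT) in any LDLIBS you reassign.`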
@@ -54,11 +54,12 @@ LDFLAGS += $(MAPFILE.NGB:%=-Wl,-M%) # conditional assignments # lpfilter:= LDLIBS += $(LIBFLT) $(LIBMSG) $(LIBACC) $(LIBOAM) $(LIBLP) \ - -lgen -lsecdb + -lgen -lsecdb $(LDSTACKPROTECT) lpforms:= LDLIBS += $(LIBFRM) $(LIBMSG) $(LIBREQ) $(LIBOAM) \ - $(LIBACC) $(LIBLP) -lsecdb -lpshut:= LDLIBS += $(LIBMSG) $(LIBOAM) $(LIBLP) -lpusers:= LDLIBS += $(LIBMSG) $(LIBACC) $(LIBOAM) $(LIBUSR) $(LIBLP) + $(LIBACC) $(LIBLP) -lsecdb $(LDSTACKPROTECT) +lpshut:= LDLIBS += $(LIBMSG) $(LIBOAM) $(LIBLP) $(LDSTACKPROTECT) +lpusers:= LDLIBS += $(LIBMSG) $(LIBACC) $(LIBOAM) $(LIBUSR) $(LIBLP) \ + $(LDSTACKPROTECT) .KEEP_STATE: diff --git a/usr/src/cmd/lp/cmd/lpadmin/Makefile b/usr/src/cmd/lp/cmd/lpadmin/Makefile index 4e2333ce29..ca2753b1e2 100644 --- a/usr/src/cmd/lp/cmd/lpadmin/Makefile +++ b/usr/src/cmd/lp/cmd/lpadmin/Makefile @@ -62,7 +62,7 @@ LPLIBS= $(LIBACC) \ SYSLIBS= -lcurses -LDLIBS += -lsecdb $(LPLIBS) $(SYSLIBS) $(I18N) +LDLIBS += -lsecdb $(LPLIBS) $(SYSLIBS) $(I18N) $(LDSTACKPROTECT) LDFLAGS += $(MAPFILE.NGB:%=-Wl,-M%) PROG= lpadmin diff --git a/usr/src/cmd/lp/cmd/lpsched/Makefile b/usr/src/cmd/lp/cmd/lpsched/Makefile index c5c645ffe8..42628a4b9d 100644 --- a/usr/src/cmd/lp/cmd/lpsched/Makefile +++ b/usr/src/cmd/lp/cmd/lpsched/Makefile @@ -22,8 +22,6 @@ # Copyright 2008 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # -# ident "%Z%%M% %I% %E% SMI" -# # cmd/lp/cmd/lpsched/lpsched/Makefile # @@ -102,13 +100,13 @@ LPLIBS = \ SYSLIBS= -lcurses -lgen -lcurses -lnsl -ltsol -lsecdb -lbsm -LDLIBS += $(LPLIBS) $(SYSLIBS) +LDLIBS += $(LPLIBS) $(SYSLIBS) $(LDSTACKPROTECT) POFILE= lp_cmd_lpsched.po .KEEP_STATE: -all: $(PROG) +all: $(PROG) $(PROG): $(OBJS) $(LPLIBS) $(LINK.c) $(OBJS) -o $@ $(LDLIBS) diff --git a/usr/src/cmd/lp/model/Makefile b/usr/src/cmd/lp/model/Makefile index 5da2ee6539..40840ecee0 100644 --- a/usr/src/cmd/lp/model/Makefile +++ b/usr/src/cmd/lp/model/Makefile 
@@ -19,8 +19,6 @@ # CDDL HEADER END # # -# ident "%Z%%M% %I% %E% SMI" -# # Copyright 2007 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # @@ -62,8 +60,8 @@ ROOTMODELS = $(MODELS:%=$(ROOTLIBLPMODEL)/%) CPPFLAGS = -I$(LPINC) $(CPPFLAGS.master) # conditional assignments -lp.tell := LDLIBS += $(LIBMSG) $(LIBLP) -lp.set drain.output lp.cat := LDLIBS += $(LIBLP) -lcurses +lp.tell := LDLIBS += $(LIBMSG) $(LIBLP) $(LDSTACKPROTECT) +lp.set drain.output lp.cat := LDLIBS += $(LIBLP) -lcurses $(LDSTACKPROTECT) lp.tsol_separator := LDLIBS += -ltsol $(ROOTMISC) := FILEMODE = 0444 diff --git a/usr/src/cmd/mdb/Makefile.kmdb b/usr/src/cmd/mdb/Makefile.kmdb index be670d3fc6..0bbeaf5200 100644 --- a/usr/src/cmd/mdb/Makefile.kmdb +++ b/usr/src/cmd/mdb/Makefile.kmdb @@ -58,6 +58,11 @@ CFLAGS64 += $(STAND_FLAGS_64) ASFLAGS += -P -D_ASM $(INCDIRS:%=-I%) $(ARCHOPTS) +# +# kmdb has bootstrapping challenges with the stack protector. +# +STACKPROTECT = none + SUBDIR64_sparc = sparcv9 SUBDIR64_i386 = amd64 SUBDIR64 = $(SUBDIR64_$(MACH)) diff --git a/usr/src/cmd/mdb/Makefile.libstand b/usr/src/cmd/mdb/Makefile.libstand index 9668bbaafb..279194a6ef 100644 --- a/usr/src/cmd/mdb/Makefile.libstand +++ b/usr/src/cmd/mdb/Makefile.libstand @@ -66,6 +66,12 @@ $(NOT_RELEASE_BUILD)CPPFLAGS += -DDEBUG CPPFLAGS = $(INCDIRS:%=-I%) -D_KMDB # +# We cannot currently use the stack protector in kmdb's standalone +# environment. +# +STACKPROTECT = none + +# # kmdb is a kernel module, so we'll use the kernel's build flags. CFLAGS64 += $(STAND_FLAGS_64) diff --git a/usr/src/cmd/mdb/Makefile.libstandctf b/usr/src/cmd/mdb/Makefile.libstandctf index 11e77bafcc..bab6231894 100644 --- a/usr/src/cmd/mdb/Makefile.libstandctf +++ b/usr/src/cmd/mdb/Makefile.libstandctf 
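Review bot: In usr/src/cmd/lp/model/Makefile, `lp.tsol_separator := LDLIBS += -ltsol` is the one conditional assignment in the block that does not gain `$(LDSTACKPROTECT)`, although lp.tell, lp.set, drain.output and lp.cat all do. If lp.tsol_separator is compiled with the same CFLAGS as its siblings (not visible in this hunk), it is built with the protector flag but linked without -lssp_ns. The line should probably read `lp.tsol_separator := LDLIBS += -ltsol $(LDSTACKPROTECT)`, or carry a comment saying why this program is exempt.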
@@ -51,6 +51,12 @@ CSTD = $(CSTD_GNU99) C99LMODE = -Xc99=%all # +# We cannot currently use the stack protector in the kmdb standalone +# environment. +# +STACKPROTECT = none + +# # kmdb is a kernel module, so we'll use the kernel's build flags. CFLAGS64 += $(STAND_FLAGS_64) diff --git a/usr/src/cmd/mdb/Makefile.module b/usr/src/cmd/mdb/Makefile.module index e14e8f42a6..adf248993f 100644 --- a/usr/src/cmd/mdb/Makefile.module +++ b/usr/src/cmd/mdb/Makefile.module @@ -121,6 +121,7 @@ $(MODOBJS) := CFLAGS64 += $(C_BIGPICFLAGS) $(XREGSFLAG) $(KMODOBJS) := CPPFLAGS += -D_KMDB $(KMODOBJS) := V9CODESIZE = $(CCABS32) $(KMODOBJS) := DTS_ERRNO = +$(KMODFILE) := STACKPROTECT = none # Modules aren't allowed to export symbols MAPFILE = $(SRC)/cmd/mdb/common/modules/conf/mapfile diff --git a/usr/src/cmd/picl/plugins/common/piclevent/Makefile b/usr/src/cmd/picl/plugins/common/piclevent/Makefile index 1b0ad54ea2..c1e4c4702a 100644 --- a/usr/src/cmd/picl/plugins/common/piclevent/Makefile +++ b/usr/src/cmd/picl/plugins/common/piclevent/Makefile @@ -36,7 +36,7 @@ include $(SRC)/cmd/picl/plugins/Makefile.com MODULES = picl_slm.so MOD_SRCS = picl_slm.c MOD_OBJS = picl_slm.o -MOD_LDLIBS = -L$(ROOT)/usr/lib -lsysevent -lnvpair -lc +MOD_LDLIBS = -L$(ROOT)/usr/lib -lsysevent -lnvpair -lc $(LDSTACKPROTECT) # sysevent SLM dirs SYSEVENT = sysevent diff --git a/usr/src/cmd/print/bsd-sysv-commands/Makefile b/usr/src/cmd/print/bsd-sysv-commands/Makefile index f2b8c41230..2821e90db8 100644 --- a/usr/src/cmd/print/bsd-sysv-commands/Makefile +++ b/usr/src/cmd/print/bsd-sysv-commands/Makefile @@ -60,7 +60,7 @@ CPPFLAGS += -I. CPPFLAGS += -I../../../lib/print/libpapi-common/common CPPFLAGS += -I$(ROOT)/usr/include CPPFLAGS += -I../../lp/include -LDLIBS += $(LIBLP) -lpapi -lc +LDLIBS += $(LIBLP) $(LDSTACKPROTECT) -lpapi -lc in.lpd:= CFLAGS += -DSOLARIS_PRIVATE_POST_0_9 in.lpd:= LDLIBS += -lnsl -lsocket 
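Review bot: In usr/src/cmd/mdb/Makefile.module, `$(KMODFILE) := STACKPROTECT = none` is the only opt-out in this commit that carries no comment, and it is keyed on the linked module while the neighbouring kmdb settings are keyed on `$(KMODOBJS)`. A line that turns off a mitigation should say why; something like `# kmdb modules run in kmdb's standalone environment, which cannot currently use the stack protector.` (the wording used in Makefile.libstand) above it would do. It is also worth confirming that the per-target value reaches the compilation of the module's objects and not only the link step. If it does not, `$(KMODOBJS) := STACKPROTECT = none` is the form that matches the lines above it.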
@@ -85,14 +85,14 @@ $(ROOTUSRUCB)/%: $(ROOTUSRUCB) % $(ROOTLIBLPBIN)/%: % $(INS.file) -$(ROOTUCBSYMLINKS): +$(ROOTUCBSYMLINKS): $(RM) $@; $(SYMLINK) ../bin/$(@F) $@ # usr/lib links ROOTUSRLIBSYMLINKS = $(SBINPROGS:%=$(ROOTLIB)/%) $(ROOTLIB)/%: $(ROOTLIB) % -$(ROOTUSRLIBSYMLINKS): +$(ROOTUSRLIBSYMLINKS): $(RM) $@; $(SYMLINK) ../sbin/$(@F) $@ .KEEP_STATE: @@ -104,7 +104,7 @@ install: $(ROOTLIBLPPROGS) \ check: $(CHKMANIFEST) clean: - $(RM) $(OBJS) + $(RM) $(OBJS) CLOBBERFILES += $(BINPROGS) $(SBINPROGS) $(LIBPRINTPROGS) diff --git a/usr/src/cmd/rcm_daemon/Makefile.com b/usr/src/cmd/rcm_daemon/Makefile.com index a11c03bc4b..8267af63fc 100644 --- a/usr/src/cmd/rcm_daemon/Makefile.com +++ b/usr/src/cmd/rcm_daemon/Makefile.com @@ -135,7 +135,7 @@ SUNW_ip_rcm.so := LDLIBS_MODULES += -linetutil -ldladm -lipmp -lipadm -lnvpair - SUNW_ip_anon_rcm.so := LDLIBS_MODULES += -linetutil SUNW_bridge_rcm.so := LDLIBS_MODULES += -ldladm -lnvpair SUNW_mpxio_rcm.so := LDLIBS_MODULES += -ldevinfo -LDLIBS_MODULES += -lrcm -lc +LDLIBS_MODULES += -lrcm -lc $(LDSTACKPROTECT) LDLIBS += -lrcm -lnvpair diff --git a/usr/src/cmd/sgs/libconv/Makefile.com b/usr/src/cmd/sgs/libconv/Makefile.com index daffcfa01e..4cc0f5d8bc 100644 --- a/usr/src/cmd/sgs/libconv/Makefile.com +++ b/usr/src/cmd/sgs/libconv/Makefile.com @@ -120,3 +120,9 @@ MSGSRCS= $(COMOBJS:%.o=../common/%.c) \ SGSMSGTARG= $(BLTOBJS:%_msg.o=../common/%.msg) CLEANFILES += $(BLTDATA) bld_vernote vernote.s + +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none diff --git a/usr/src/cmd/sgs/rtld/Makefile.com b/usr/src/cmd/sgs/rtld/Makefile.com index 853fd5066b..4b1a9a328d 100644 --- a/usr/src/cmd/sgs/rtld/Makefile.com +++ b/usr/src/cmd/sgs/rtld/Makefile.com 
@@ -154,3 +154,19 @@ SRCS= $(AVLOBJ:%.o=$(VAR_AVLDIR)/%.c) \ CLEANFILES += $(CRTS) $(BLTFILES) CLOBBERFILES += $(RTLD) + +# +# We cannot currently enable the stack protector for rtld as it runs +# before libc initializes, which is where we always enable the stack +# protector values. Because rtld is likely on an alternate link map and +# links in the relevant portions of libc through libc_pic.a, there is +# probably a path to enabling an rtld specific version of the stack +# protector. +# +# As a result, this currently disables the stack protector in two +# related targets which really could use it. These are libconv and libc. +# Both of these end up building position-independent archive libraries +# that are directly linked into rtld. This situation can and should be +# improved. +# +STACKPROTECT = none diff --git a/usr/src/lib/Makefile.lib b/usr/src/lib/Makefile.lib index fb16de1a17..2dab9d92c6 100644 --- a/usr/src/lib/Makefile.lib +++ b/usr/src/lib/Makefile.lib @@ -163,6 +163,13 @@ INS.liblink64= -$(RM) $@; $(SYMLINK) $(LIBLINKPATH)$(LIBLINKS)$(VERS) $@ INS.liblinkccc64= -$(RM) $@; $(SYMLINK) $(LIBLINKPATH)$(LIBLINKSCCC)$(VERS) $@ # +# Default to adding stack protection to all libraries. +# +CFLAGS += $(CCSTACKPROTECT) +CFLAGS64 += $(CCSTACKPROTECT) +LDLIBS += $(LDSTACKPROTECT) + +# # If appropriate, augment POST_PROCESS_O and POST_PROCESS_SO to do CTF # processing. We'd like to just conditionally append to POST_PROCESS_O and # POST_PROCESS_SO, but ParallelMake has a bug which causes the same value to diff --git a/usr/src/lib/libc/amd64/Makefile b/usr/src/lib/libc/amd64/Makefile index 846b260cfd..717c549329 100644 --- a/usr/src/lib/libc/amd64/Makefile +++ b/usr/src/lib/libc/amd64/Makefile 
@@ -1202,6 +1202,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha pics/__clock_gettime.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) pics/gettimeofday.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libc/i386/Makefile.com b/usr/src/lib/libc/i386/Makefile.com index a45feed38a..a1c0297112 100644 --- a/usr/src/lib/libc/i386/Makefile.com +++ b/usr/src/lib/libc/i386/Makefile.com @@ -1267,6 +1267,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha pics/__clock_gettime.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) pics/gettimeofday.o := CPPFLAGS += $(COMMPAGE_CPPFLAGS) +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libc/sparc/Makefile.com b/usr/src/lib/libc/sparc/Makefile.com index b2c0c36ef7..c699befe9c 100644 --- a/usr/src/lib/libc/sparc/Makefile.com +++ b/usr/src/lib/libc/sparc/Makefile.com @@ -1318,6 +1318,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha # Files which need extra optimization pics/getenv.o := sparc_COPTFLAG = -xO4 +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libc/sparcv9/Makefile.com b/usr/src/lib/libc/sparcv9/Makefile.com index a009541deb..120e164f62 100644 --- a/usr/src/lib/libc/sparcv9/Makefile.com +++ b/usr/src/lib/libc/sparcv9/Makefile.com 
@@ -1241,6 +1241,12 @@ pics/arc4random.o := CPPFLAGS += -I$(SRC)/common/crypto/chacha # Files which need extra optimization pics/getenv.o := sparcv9_COPTFLAG = -xO4 +# +# Disable the stack protector due to issues with bootstrapping rtld. See +# cmd/sgs/rtld/Makefile.com for more information. +# +STACKPROTECT = none + .KEEP_STATE: all: $(LIBS) $(LIB_PIC) diff --git a/usr/src/lib/libdisasm/Makefile.com b/usr/src/lib/libdisasm/Makefile.com index 2173e5bb2c..e88d62335f 100644 --- a/usr/src/lib/libdisasm/Makefile.com +++ b/usr/src/lib/libdisasm/Makefile.com @@ -124,6 +124,12 @@ CERRWARN += $(CNOWARN_UNINIT) # not linted SMATCH=off +# +# The standalone environment currently does not support the stack +# protector. +# +STACKPROTECT = none + # We want the thread-specific errno in the library, but we don't want it in # the standalone. $(DTS_ERRNO) is designed to add -D_TS_ERRNO to $(CPPFLAGS), # in order to enable this feature. Conveniently, -D_REENTRANT does the same diff --git a/usr/src/lib/libdtrace/Makefile.com b/usr/src/lib/libdtrace/Makefile.com index 1016c8e295..4b42c96cdc 100644 --- a/usr/src/lib/libdtrace/Makefile.com +++ b/usr/src/lib/libdtrace/Makefile.com @@ -140,7 +140,7 @@ SMATCH=off YYCFLAGS = LDLIBS += -lgen -lproc -lrtld_db -lnsl -lsocket -lctf -lelf -lc DRTILDLIBS = $(LDLIBS.lib) -lc -LIBDAUDITLIBS = $(LDLIBS.lib) -lmapmalloc -lc -lproc +LIBDAUDITLIBS = $(LDLIBS.lib) -lmapmalloc -lc -lproc $(LDSTACKPROTECT) yydebug := YYCFLAGS += -DYYDEBUG 
@@ -154,6 +154,14 @@ ROOTDLIBS = $(DLIBSRCS:%=$(ROOTDLIBDIR)/%) ROOTDOBJS = $(ROOTDLIBDIR)/$(DRTIOBJ) $(ROOTDLIBDIR)/$(LIBDAUDIT) ROOTDOBJS64 = $(ROOTDLIBDIR64)/$(DRTIOBJ) $(ROOTDLIBDIR64)/$(LIBDAUDIT) +# +# We do not build drti.o with the stack protector as otherwise +# everything that uses dtrace -G may have a surprise stack protector +# requirement right now. While in theory this could be handled by libc, +# this will make the overall default transition smoother. +# +$(DRTIOBJ) := STACKPROTECT = none + $(ROOTDLIBDIR)/%.d := FILEMODE=444 $(ROOTDLIBDIR)/%.o := FILEMODE=444 $(ROOTDLIBDIR64)/%.o := FILEMODE=444 diff --git a/usr/src/lib/libsaveargs/Makefile.com b/usr/src/lib/libsaveargs/Makefile.com index 3f23249570..6e47b2839c 100644 --- a/usr/src/lib/libsaveargs/Makefile.com +++ b/usr/src/lib/libsaveargs/Makefile.com @@ -60,6 +60,12 @@ LINKTEST_OBJ = objs/linktest_stand.o CLOBBERFILES_standalone = $(LINKTEST_OBJ) CLOBBERFILES += $(CLOBBERFILES_$(CURTYPE)) +# +# The standalone environment currently does not support the stack +# protector. +# +$(STANDLIBRARY) := STACKPROTECT = none + LIBS_standalone = $(STANDLIBRARY) LIBS_library = $(DYNLIB) LIBS = $(LIBS_$(CURTYPE)) diff --git a/usr/src/lib/libumem/Makefile.com b/usr/src/lib/libumem/Makefile.com index 876940f995..aabff24f69 100644 --- a/usr/src/lib/libumem/Makefile.com +++ b/usr/src/lib/libumem/Makefile.com @@ -155,6 +155,12 @@ CFLAGS += $(CFLAGS_$(CURTYPE)) $(CFLAGS_common) CFLAGS64_standalone = $(STAND_FLAGS_64) CFLAGS64 += $(CCVERBOSE) $(CFLAGS64_$(CURTYPE)) $(CFLAGS64_common) +# +# For the standalone environment, disable the stack protector for the +# time being. +# +$(STANDLIBRARY) := STACKPROTECT = none + # false positive for umem_alloc_sizes_add() pics/umem.o := SMOFF += index_overflow objs/umem.o := SMOFF += index_overflow diff --git a/usr/src/lib/ssp_ns/Makefile.com b/usr/src/lib/ssp_ns/Makefile.com index 5ff9bbd913..aaa9aa52a9 100644 --- a/usr/src/lib/ssp_ns/Makefile.com 
+++ b/usr/src/lib/ssp_ns/Makefile.com @@ -30,6 +30,12 @@ LIBS = $(LIBRARY) SRCDIR = ../common CFLAGS += $($(MACH)_C_PICFLAGS) +# +# Disable stack protection for the things providing the stack +# protection. +# +STACKPROTECT = none + CLOBBERFILES += $(LIBRARY) .KEEP_STATE: diff --git a/usr/src/stand/lib/Makefile.com b/usr/src/stand/lib/Makefile.com index 3c90551d8c..e5b9d21909 100644 --- a/usr/src/stand/lib/Makefile.com +++ b/usr/src/stand/lib/Makefile.com @@ -137,4 +137,10 @@ DHCPCPPFLAGS = -I$(CMNNETDIR)/dhcp # SOCKCPPFLAGS = -I$(STANDDIR)/lib/sock -D_SYS_STREAM_H +# +# Using Makefile.lib pulls in the stack protector. Explicitly disable it +# as it is not initialized or supported in this environment currently. +# +STACKPROTECT = none + .KEEP_STATE: diff --git a/usr/src/tools/Makefile.tools b/usr/src/tools/Makefile.tools index aeb9449af3..9fd747751d 100644 --- a/usr/src/tools/Makefile.tools +++ b/usr/src/tools/Makefile.tools @@ -63,6 +63,13 @@ LDFLAGS= $(MAPFILE.NES:%=-Wl,-M%) $(MAPFILE.NED:%=-Wl,-M%) \ # tools. GSHARED = -_cc=-G -_gcc=-shared +# +# To work around a bootstrapping problem, we don't assume that the +# compiler or environment are properly configured to make the stack +# protector work. Disable it right now for the tools. +# +STACKPROTECT = none + # Unset CW_LINKER so we run the default. We don't set LD here to avoid taking # the journey through LD_ALTEXEC unnecessarily. CW_LINKER= diff --git a/usr/src/uts/intel/Makefile.intel b/usr/src/uts/intel/Makefile.intel index 64e027fe15..dd614a82a2 100644 --- a/usr/src/uts/intel/Makefile.intel +++ b/usr/src/uts/intel/Makefile.intel 
@@ -128,36 +128,6 @@ CFLAGS += $(SPACEFLAG) CFLAGS += $(CCUNBOUND) CFLAGS += $(CFLAGS_uts) CFLAGS += -xstrconst - -# -# Options to control which version of stack-protector we enable. This -# gives us a bit of flexibility and is unfortunately necessary as some -# modules do not function correctly with our defaults (qede). -# -# o STACKPROTECT_ Sets the appropriate version for the compiler -# o STACKPROTECT_strong Sets us to use strong on all of the -# compilers it supports. This is the same -# as the default. -# -# o STACKPROTECT_none Disables the stack protector. -# -# o STACKPROTECT_all Enables it for everything. -# -# o STACKPROTECT_basic Enables the basic stack protector. -# -# -fstack-protector-strong is not available in our gcc4 which is why we -# have per-compiler versions below. -# -STACKPROTECT_ = -_gcc4=-fstack-protector -STACKPROTECT_ += -_gcc7=-fstack-protector-strong -STACKPROTECT_ += -_gcc8=-fstack-protector-strong -STACKPROTECT_ += -_gcc9=-fstack-protector-strong - -STACKPROTECT_strong = $(STACKPROTECT_) -STACKPROTECT_none = -_gcc=-fstack-protector-none -STACKPROTECT_all = -_gcc=-fstack-protector-all -STACKPROTECT_basic = -_gcc=-fstack-protector - CFLAGS += $(STACKPROTECT_$(STACKPROTECT)) ASFLAGS_XARCH_32 = $(i386_ASFLAGS) |