authorkhorben <khorben>2016-03-11 23:03:31 +0000
committerkhorben <khorben>2016-03-11 23:03:31 +0000
commit2af1bf53dbb298b78b125bf7a8ceaefc194836a6 (patch)
treea31436d9533c1541a49db35aa9ff8a012a2ddaf2 /mk/bsd.prefs.mk
parent6f6d46fae15aeafd505ed711dd7f9e05021665de (diff)
Add support for a number of security features
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR)
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits from functioning.

Tested on NetBSD/amd64 by myself, in every combination, with and without pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers. Also, MKPIE is known to still break a number of packages when enabled (and actually supported).

Tested on SunOS by jperkin@, thank you!

As discussed on tech-pkg@, the default behavior is not changed, except where noted above.

ok bsiegert@
Diffstat (limited to 'mk/bsd.prefs.mk')
-rw-r--r--mk/bsd.prefs.mk31
1 files changed, 30 insertions, 1 deletions
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index bba380a197c..a3686851292 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.379 2016/03/11 05:42:35 tnn Exp $
+# $NetBSD: bsd.prefs.mk,v 1.380 2016/03/11 23:03:31 khorben Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -709,6 +709,35 @@ _USE_CWRAPPERS= yes
_USE_CWRAPPERS= no
.endif
+_PKGSRC_MKPIE= no
+.if (${PKGSRC_MKPIE:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes")
+_PKGSRC_MKPIE= yes
+_GCC_CFLAGS+= ${_MKPIE_CFLAGS.gcc}
+_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_FORTIFY= no
+.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
+_PKGSRC_USE_FORTIFY= yes
+_GCC_CFLAGS+= ${_FORTIFY_CFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_RELRO= no
+.if (${PKGSRC_USE_RELRO:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_RELRO:Uno} == "yes")
+_PKGSRC_USE_RELRO= yes
+_GCC_LDFLAGS+= ${_RELRO_LDFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_SSP= no
+.if (${PKGSRC_USE_SSP:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_SSP:Uno} == "yes")
+_PKGSRC_USE_SSP= yes
+_GCC_CFLAGS+= ${_SSP_CFLAGS.gcc}
+.endif
+
# Wrapper framework definitions
.include "wrapper/wrapper-defs.mk"
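Review bot: Each of the four added blocks quietly leaves its `_PKGSRC_*` variable at `no` when the user asked for the feature but `_OPSYS_SUPPORTS_*` is not `yes`, so a build requested with PIE, FORTIFY, RELRO or SSP can be produced without that hardening and nothing in this hunk records why. The MKPIE block also does not consult `_USE_CWRAPPERS`, which is computed immediately above, although the commit message says MKPIE is not supported with cwrappers; unless that case is handled in a file not shown here, `_PKGSRC_MKPIE` would read `yes` while the flags may never reach the compiler, and adding `&& (${_USE_CWRAPPERS} != "yes")` to its condition would keep the variable honest. A comment above the group such as `# Effective hardening settings: "yes" only when requested by the user AND supported by the platform; otherwise silently "no".` would document the fallback for anyone auditing a build. The user-facing variables are expanded without a `:U` default (for example `${PKGSRC_MKPIE:tl}`), which presumably relies on defaults defined elsewhere; that is worth confirming, since bmake rejects a conditional that expands an undefined variable.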