author: khorben <khorben@pkgsrc.org> 2016-03-11 23:03:31 +0000
committer: khorben <khorben@pkgsrc.org> 2016-03-11 23:03:31 +0000
commit: 35e1364464de032ec92a94132037a96e202159d4 (patch)
tree: a31436d9533c1541a49db35aa9ff8a012a2ddaf2 /mk/compiler
parent: 6a553fa6bb9755be90e94f865fa347ffbbf4b44f (diff)
download: pkgsrc-35e1364464de032ec92a94132037a96e202159d4.tar.gz
Add support for a number of security features
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR);
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits from functioning.

Tested on NetBSD/amd64 by myself, in every combination, with and without pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers. Also, MKPIE is known to still break a number of packages when enabled (and actually supported).

Tested on SunOS by jperkin@, thank you!

As discussed on tech-pkg@, the default behavior is not changed, except where noted above.

ok bsiegert@
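The two link-time properties this commit exposes, PIE executables (MKPIE) and a read-only GOT (USE_RELRO), can be verified on a built binary without trusting the make flags. The following checker is an added example, not pkgsrc code and not part of this commit: it parses just enough of a little-endian ELF64 image (ELF header, program headers, dynamic section) to report PIE, the PT_GNU_RELRO segment, and BIND_NOW, which together make the whole GOT read-only. The sample image it runs on offline is constructed inline; `build_sample_elf` and the layout it chooses are the example's own. It does not look at symbol tables, so SSP and FORTIFY (which show up as `__stack_chk_fail` and `*_chk` references) are out of scope here.

```python
"""Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image.

Added example, not pkgsrc code. Minimal parser: ELF header, program
headers and the dynamic section only.
"""
import struct
import sys

# ELF constants from the ELF and GNU/BSD ABI headers
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"               # Elf64_Dyn, 16 bytes


def elf_hardening(data: bytes) -> dict:
    """Return which link-time hardening properties the image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = False
    dyn_flags = 0        # accumulated DT_FLAGS bits
    dyn_flags_1 = 0      # accumulated DT_FLAGS_1 bits
    has_dt_bind_now = False
    for i in range(e_phnum):
        phdr = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, _, p_offset, _, _, p_filesz, _, _ = phdr
        if p_type == PT_GNU_RELRO:
            relro = True                    # segment emitted by -z relro
        elif p_type == PT_DYNAMIC:
            for j in range(p_filesz // 16):
                tag, val = struct.unpack_from(DYN_FMT, data, p_offset + 16 * j)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS:
                    dyn_flags |= val
                elif tag == DT_FLAGS_1:
                    dyn_flags_1 |= val
                elif tag == DT_BIND_NOW:
                    has_dt_bind_now = True

    bind_now = (has_dt_bind_now or bool(dyn_flags & DF_BIND_NOW)
                or bool(dyn_flags_1 & DF_1_NOW))
    return {
        # -pie produces ET_DYN, but so does a shared library; DF_1_PIE
        # (set by newer linkers) is the unambiguous signal when present.
        "pie": e_type == ET_DYN,
        "pie_flag": bool(dyn_flags_1 & DF_1_PIE),
        "relro": relro,
        "bind_now": bind_now,
        # Only relro + bind_now makes the whole GOT read-only at startup;
        # -z relro alone leaves the lazily bound .got.plt writable.
        "full_relro": relro and bind_now,
    }


def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed (non-runnable) ELF64 image used as offline sample input."""
    dyn = []
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    if pie:
        dyn.append((DT_FLAGS_1, DF_1_PIE))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)

    phnum = 2 if relro else 1          # PT_DYNAMIC always, PT_GNU_RELRO optional
    phoff = 64
    dynoff = phoff + 56 * phnum        # dynamic section directly after the phdrs
    n = len(dyn_bytes)
    phdrs = [struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dynoff, dynoff, dynoff, n, n, 8)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dynoff, dynoff, dynoff, n, n, 1))

    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1, SysV
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                                 phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/pkg/bin/some-binary (path is hypothetical)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_elf(pie=True, relro=True, bind_now=True)
    for key, value in elf_hardening(image).items():
        print(f"{key:11} {value}")
```

The distinction worth checking on a real pkgsrc build is `full_relro`: a binary can have a PT_GNU_RELRO segment and still keep a writable `.got.plt` if the link did not also request immediate binding, and whether the RELRO link flags this commit plumbs through include that is not visible on this page.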
Diffstat (limited to 'mk/compiler')
-rw-r--r-- mk/compiler/gcc.mk | 23
1 file changed, 21 insertions, 2 deletions
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index e0f73858081..1a575feffe3 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.164 2016/03/02 18:45:21 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.165 2016/03/11 23:03:31 khorben Exp $
#
# This is the compiler definition for the GNU Compiler Collection.
#
@@ -338,6 +338,24 @@ _WRAP_EXTRA_ARGS.CC+= -std=gnu99
CWRAPPERS_APPEND.cc+= -std=gnu99
.endif
+.if ${_PKGSRC_MKPIE} == "yes"
+CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc}
+# XXX this differs for libraries and executables
+# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_FORTIFY} == "yes"
+CWRAPPERS_APPEND.cc+= ${_FORTIFY_CFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_RELRO} == "yes"
+CWRAPPERS_APPEND.ld+= ${_RELRO_LDFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_SSP} == "yes"
+CWRAPPERS_APPEND.cc+= ${_SSP_CFLAGS.gcc}
+.endif
+
# GCC has this annoying behaviour where it advocates in a multi-line
# banner the use of "#include" over "#import" when including headers.
# This generates a huge number of warnings when building practically all
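Review bot: in the MKPIE block at the top of this hunk, `CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc}` is active while its link-side counterpart `# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}` stays commented out, so under cwrappers objects are compiled position-independent but the final link never gets the PIE link flag: the option looks enabled and the executables still come out non-PIE. Since the commit message already states MKPIE is unsupported with cwrappers, either make this block a no-op in that configuration or replace the XXX with a comment that says so, rather than appending half of the flag pair. Two related points: the four `.if ${_PKGSRC_...} == "yes"` conditionals require those variables to be defined before gcc.mk is parsed (bmake rejects the conditional otherwise) and none of the definitions appear in this diff, so the defaults belong in an earlier-included file set with `?=`; and the read-only GOT promised for RELRO only materialises if `${_RELRO_LDFLAGS.gcc}` also asks for immediate binding (`-z now`), because `-z relro` on its own leaves the lazily bound `.got.plt` writable.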
@@ -713,9 +731,10 @@ _GCC_LDFLAGS= # empty
. for _dir_ in ${_GCC_LIBDIRS:N*not_found*}
_GCC_LDFLAGS+= -L${_dir_} ${COMPILER_RPATH_FLAG}${_dir_}
. endfor
-LDFLAGS+= ${_GCC_LDFLAGS}
.endif
+LDFLAGS+= ${_GCC_LDFLAGS}
+
# Point the variables that specify the compiler to the installed
# GCC executables.
#
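Review bot: moving `LDFLAGS+= ${_GCC_LDFLAGS}` out of the enclosing `.if` is not mentioned in the commit message and has nothing to do with the flag plumbing above, so it should get a comment next to the assignment or its own commit. As far as the visible context shows it is behaviour-preserving: `_GCC_LDFLAGS= # empty` is initialised just before the `.for` loop, so when the conditional is false the append adds nothing; if the intent is to let other code add to `_GCC_LDFLAGS` outside this block, that is exactly what the comment should say.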