diff options
| author | jperkin <jperkin@pkgsrc.org> | 2016-06-13 13:26:42 +0000 |
|---|---|---|
| committer | jperkin <jperkin@pkgsrc.org> | 2016-06-13 13:26:42 +0000 |
| commit | 274901689840eafa9fef0367d9be1470189e37a8 (patch) | |
| tree | bbe359d215c3a7d456cf70f23ee4915316550e21 /mk/compiler | |
| parent | fe94fd67f5bd1d76c0705c2e447de86217d0bdc7 (diff) | |
| download | pkgsrc-274901689840eafa9fef0367d9be1470189e37a8.tar.gz | |
Change PKGSRC_USE_SSP to a quad option. The options are now:
"no" Do not pass any stack protection flags (the default)
"yes" Pass -fstack-protector
"strong" Pass -fstack-protector-strong
"all" Pass -fstack-protector-all
This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms. Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.
While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.
Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.
Diffstat (limited to 'mk/compiler')
| -rw-r--r-- | mk/compiler/gcc.mk | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk index af93b08d14f..c92441b0a1e 100644 --- a/mk/compiler/gcc.mk +++ b/mk/compiler/gcc.mk @@ -1,4 +1,4 @@ -# $NetBSD: gcc.mk,v 1.167 2016/04/11 04:22:34 dbj Exp $ +# $NetBSD: gcc.mk,v 1.168 2016/06/13 13:26:42 jperkin Exp $ # # This is the compiler definition for the GNU Compiler Collection. # @@ -346,12 +346,10 @@ _MKPIE_CFLAGS.gcc= -fPIC # XXX for libraries a sink wrapper around gcc is required and used instead #_MKPIE_LDFLAGS.gcc= -pie _RELRO_LDFLAGS.gcc= -Wl,-z,relro -Wl,-z,now -_SSP_CFLAGS.gcc= -fstack-protector-all .endif .if ${OPSYS} == "SunOS" _FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2 -_SSP_CFLAGS.gcc= -fstack-protector .endif .if ${_PKGSRC_MKPIE} == "yes" @@ -372,9 +370,21 @@ _GCC_LDFLAGS+= ${_RELRO_LDFLAGS.gcc} CWRAPPERS_APPEND.ld+= ${_RELRO_LDFLAGS.gcc} .endif +# The user can choose the level of stack smashing protection. +.if ${PKGSRC_USE_SSP} == "all" +_SSP_CFLAGS= -fstack-protector-all +.elif ${PKGSRC_USE_SSP} == "strong" +_SSP_CFLAGS= -fstack-protector-strong +.else +_SSP_CFLAGS= -fstack-protector +.endif + .if ${_PKGSRC_USE_SSP} == "yes" -_GCC_CFLAGS+= ${_SSP_CFLAGS.gcc} -CWRAPPERS_APPEND.cc+= ${_SSP_CFLAGS.gcc} +_WRAP_EXTRA_ARGS.CC+= ${_SSP_CFLAGS} +_WRAP_EXTRA_ARGS.CXX+= ${_SSP_CFLAGS} +CWRAPPERS_APPEND.cc+= ${_SSP_CFLAGS} +CWRAPPERS_APPEND.cxx+= ${_SSP_CFLAGS} +CWRAPPERS_APPEND.f77+= ${_SSP_CFLAGS} .endif # GCC has this annoying behaviour where it advocates in a multi-line |