authorkhorben <khorben@pkgsrc.org>2016-03-11 23:03:31 +0000
committerkhorben <khorben@pkgsrc.org>2016-03-11 23:03:31 +0000
commit35e1364464de032ec92a94132037a96e202159d4 (patch)
treea31436d9533c1541a49db35aa9ff8a012a2ddaf2 /mk/platform
parent6a553fa6bb9755be90e94f865fa347ffbbf4b44f (diff)
Add support for a number of security features
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc; - PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY is enabled; - PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR); - PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits from functioning. Tested on NetBSD/amd64 by myself, in every combination, with and without pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers. Also, MKPIE is known to still break a number of packages when enabled (and actually supported). Tested on SunOS by jperkin@, thank you! As discussed on tech-pkg@, the default behavior is not changed, except where noted above. ok bsiegert@
Diffstat (limited to 'mk/platform')
-rw-r--r--mk/platform/NetBSD.mk40
-rw-r--r--mk/platform/SunOS.mk10
2 files changed, 37 insertions, 13 deletions
diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk
index c2666e2df37..d5270fedc05 100644
--- a/mk/platform/NetBSD.mk
+++ b/mk/platform/NetBSD.mk
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.mk,v 1.46 2016/03/10 16:58:19 jperkin Exp $
+# $NetBSD: NetBSD.mk,v 1.47 2016/03/11 23:03:31 khorben Exp $
#
# Variable definitions for the NetBSD operating system.
@@ -123,19 +123,35 @@ FFLAGS+= -mieee
PKG_HAVE_KQUEUE= # defined
.endif
-.if ${PKGSRC_USE_FORT:Uno} != "no"
-# build with fortify
-_GCC_CFLAGS+= -D_FORTIFY_SOURCE=2
+# Register support for FORTIFY where supported (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
+
+# Register support for PIE on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \
+ (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_MKPIE= yes
+_MKPIE_CFLAGS.gcc= -fPIC
+# XXX for executables it should be:
+#_MKPIE_CFLAGS.gcc= -fPIE
+# XXX for libraries a sink wrapper around gcc is required and used instead
+#_MKPIE_LDFLAGS.gcc= -pie
.endif
-.if ${PKGSRC_USE_SSP:Uno} != "no"
-. if (${MACHINE_ARCH} != "alpha") && \
- (${MACHINE_ARCH} != "hppa") && \
- (${MACHINE_ARCH} != "ia64") && \
- (${MACHINE_ARCH} != "mips")
-# build with stack protection (with GCC)
-_GCC_CFLAGS+= -fstack-protector
-. endif
+# Register support for RELRO on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \
+ (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_RELRO= yes
+_RELRO_LDFLAGS.gcc= -Wl,-z,relro -Wl,-z,now
+.endif
+
+# Register support for SSP on most architectures (with GCC)
+.if (${MACHINE_ARCH} != "alpha") && \
+ (${MACHINE_ARCH} != "hppa") && \
+ (${MACHINE_ARCH} != "ia64") && \
+ (${MACHINE_ARCH} != "mips")
+_OPSYS_SUPPORTS_SSP= yes
+_SSP_CFLAGS.gcc= -fstack-protector-all
.endif
_OPSYS_CAN_CHECK_SHLIBS= yes # use readelf in check/bsd.check-vars.mk
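Review bot: `_OPSYS_SUPPORTS_MKPIE= yes` registers PIE support on i386/x86_64 while the only flag actually set is `_MKPIE_CFLAGS.gcc= -fPIC`, with the `-fPIE` and `-pie` lines left as commented-out XXX notes, so as far as this hunk shows an MKPIE build produces PIC objects but never passes a `-pie` link flag and the executables get no ASLR benefit. A reader deciding whether to enable PKGSRC_MKPIE cannot tell from the XXX lines that the feature is incomplete; either leave `_OPSYS_SUPPORTS_MKPIE` unset until the link flag is in place, or state it plainly: `# XXX MKPIE on NetBSD is incomplete: objects are built -fPIC but no -pie link flag is applied yet`. Separately, `_SSP_CFLAGS.gcc= -fstack-protector-all` silently strengthens the removed `-fstack-protector` and differs from the `-fstack-protector` chosen for SunOS.mk in the same commit; if the stronger (slower, more package-breaking) variant is intended here, a one-line comment saying why would help, otherwise `_SSP_CFLAGS.gcc= -fstack-protector` keeps the two platforms consistent. Minor: `_OPSYS_SUPPORTS_FORTIFY=yes` lacks the space after `=` that every other assignment in this hunk and in the SunOS.mk hunk uses; `_OPSYS_SUPPORTS_FORTIFY= yes` in both files.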
diff --git a/mk/platform/SunOS.mk b/mk/platform/SunOS.mk
index 024037da3e8..6c6d1ffe0fe 100644
--- a/mk/platform/SunOS.mk
+++ b/mk/platform/SunOS.mk
@@ -1,4 +1,4 @@
-# $NetBSD: SunOS.mk,v 1.69 2016/03/11 22:04:34 fhajny Exp $
+# $NetBSD: SunOS.mk,v 1.70 2016/03/11 23:03:31 khorben Exp $
#
# Variable definitions for the SunOS/Solaris operating system.
@@ -111,6 +111,14 @@ _OPSYS_SYSTEM_RPATH?= /lib${LIBABISUFFIX}:/usr/lib${LIBABISUFFIX}
_OPSYS_LIB_DIRS?= /lib${LIBABISUFFIX} /usr/lib${LIBABISUFFIX}
_OPSYS_INCLUDE_DIRS?= /usr/include
+# support FORTIFY (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
+
+# support stack protection (with GCC)
+_OPSYS_SUPPORTS_SSP= yes
+_SSP_CFLAGS.gcc= -fstack-protector
+
_OPSYS_CAN_CHECK_SHLIBS= yes # requires readelf
# check for maximum command line length and set it in configure's environment,
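Review bot: `_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2` only takes effect when the translation unit is compiled with optimization enabled (the fortified wrappers are guarded on `__OPTIMIZE__`, and newer GCC warns when the macro is defined at -O0), so packages that build with `-O0` or strip optimization flags get no checking despite PKGSRC_USE_FORTIFY being set. That limitation is not visible from the hunk; a comment on the line, `# NOTE: only effective when compiling with -O1 or higher`, would stop readers from assuming the protection is unconditional, and the same applies to the `_FORTIFY_CFLAGS.gcc` line added in NetBSD.mk.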