author | khorben <khorben@pkgsrc.org> | 2016-03-11 23:03:31 +0000 |
committer | khorben <khorben@pkgsrc.org> | 2016-03-11 23:03:31 +0000 |
commit | 35e1364464de032ec92a94132037a96e202159d4 (patch) | |
tree | a31436d9533c1541a49db35aa9ff8a012a2ddaf2 /mk/platform | |
parent | 6a553fa6bb9755be90e94f865fa347ffbbf4b44f (diff) | |
Add support for a number of security features
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead
of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY
is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR);
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits
from functioning.
Tested on NetBSD/amd64 by myself, in every combination, with and without
pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers.
Also, MKPIE is known to still break a number of packages when enabled (and
actually supported).
Tested on SunOS by jperkin@, thank you!
As discussed on tech-pkg@, the default behavior is not changed, except
where noted above.
ok bsiegert@
Diffstat (limited to 'mk/platform')
-rw-r--r-- | mk/platform/NetBSD.mk | 40 | ||||
-rw-r--r-- | mk/platform/SunOS.mk | 10 |
2 files changed, 37 insertions, 13 deletions
diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk
index c2666e2df37..d5270fedc05 100644
--- a/mk/platform/NetBSD.mk
+++ b/mk/platform/NetBSD.mk
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.mk,v 1.46 2016/03/10 16:58:19 jperkin Exp $
+# $NetBSD: NetBSD.mk,v 1.47 2016/03/11 23:03:31 khorben Exp $
 #
 # Variable definitions for the NetBSD operating system.
@@ -123,19 +123,35 @@ FFLAGS+= -mieee
 PKG_HAVE_KQUEUE= # defined
 .endif
 
-.if ${PKGSRC_USE_FORT:Uno} != "no"
-# build with fortify
-_GCC_CFLAGS+= -D_FORTIFY_SOURCE=2
+# Register support for FORTIFY where supported (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
+
+# Register support for PIE on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \ (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_MKPIE= yes
+_MKPIE_CFLAGS.gcc= -fPIC
+# XXX for executables it should be:
+#_MKPIE_CFLAGS.gcc= -fPIE
+# XXX for libraries a sink wrapper around gcc is required and used instead
+#_MKPIE_LDFLAGS.gcc= -pie
 .endif
 
-.if ${PKGSRC_USE_SSP:Uno} != "no"
-. if (${MACHINE_ARCH} != "alpha") && \
- (${MACHINE_ARCH} != "hppa") && \
- (${MACHINE_ARCH} != "ia64") && \
- (${MACHINE_ARCH} != "mips")
-# build with stack protection (with GCC)
-_GCC_CFLAGS+= -fstack-protector
-. endif
+# Register support for RELRO on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \ (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_RELRO= yes
+_RELRO_LDFLAGS.gcc= -Wl,-z,relro -Wl,-z,now
+.endif
+
+# Register support for SSP on most architectures (with GCC)
+.if (${MACHINE_ARCH} != "alpha") && \
+ (${MACHINE_ARCH} != "hppa") && \
+ (${MACHINE_ARCH} != "ia64") && \
+ (${MACHINE_ARCH} != "mips")
+_OPSYS_SUPPORTS_SSP= yes
+_SSP_CFLAGS.gcc= -fstack-protector-all
 .endif
 
 _OPSYS_CAN_CHECK_SHLIBS= yes # use readelf in check/bsd.check-vars.mk
diff --git a/mk/platform/SunOS.mk b/mk/platform/SunOS.mk
index 024037da3e8..6c6d1ffe0fe 100644
--- a/mk/platform/SunOS.mk
+++ b/mk/platform/SunOS.mk
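Review bot: The SSP flag registered in `_SSP_CFLAGS.gcc= -fstack-protector-all` is stronger than the `-fstack-protector` that the removed `_GCC_CFLAGS+=` line used, and neither the hunk's comment nor the commit description mentions the change; the SunOS hunk keeps `-fstack-protector`, so the two platforms now behave differently under the same PKGSRC_USE_SSP setting. `-fstack-protector-all` instruments every function rather than only those with local character arrays, which is a build-wide cost that users enabling SSP may not expect. If the strengthening is intentional, say so where the flag is registered, e.g. `# Register support for SSP on most architectures (with GCC); -all guards every function, unlike the former -fstack-protector`; otherwise align with SunOS. Separately, the MKPIE registration defines no `_MKPIE_LDFLAGS.gcc`, so whether the final link actually produces a PIE rests on the "sink wrapper" the XXX comment refers to, which is outside this hunk; a pointer to where that wrapper lives would help the next reader.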
@@ -1,4 +1,4 @@
-# $NetBSD: SunOS.mk,v 1.69 2016/03/11 22:04:34 fhajny Exp $
+# $NetBSD: SunOS.mk,v 1.70 2016/03/11 23:03:31 khorben Exp $
 #
 # Variable definitions for the SunOS/Solaris operating system.
@@ -111,6 +111,14 @@ _OPSYS_SYSTEM_RPATH?= /lib${LIBABISUFFIX}:/usr/lib${LIBABISUFFIX}
 _OPSYS_LIB_DIRS?= /lib${LIBABISUFFIX} /usr/lib${LIBABISUFFIX}
 _OPSYS_INCLUDE_DIRS?= /usr/include
 
+# support FORTIFY (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
+
+# support stack protection (with GCC)
+_OPSYS_SUPPORTS_SSP= yes
+_SSP_CFLAGS.gcc= -fstack-protector
+
 _OPSYS_CAN_CHECK_SHLIBS= yes # requires readelf
 
 # check for maximum command line length and set it in configure's environment,
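Review bot: The `# support FORTIFY (with GCC)` comment above `_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2` gives no hint that `_FORTIFY_SOURCE` generally has no effect unless the build is optimised (the checking wrappers in the libc headers are selected via `__OPTIMIZE__`), so a package built at `-O0` silently gets no fortification even though `_OPSYS_SUPPORTS_FORTIFY=yes` is set. A comment such as `# FORTIFY only takes effect with optimisation enabled (-O1 or higher)` would make that limitation visible where the flag is registered. The same note applies to the FORTIFY registration in the NetBSD hunk.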