field | value | date |
---|---|---|
author | khorben <khorben@pkgsrc.org> | 2017-07-05 15:58:30 +0000 |
committer | khorben <khorben@pkgsrc.org> | 2017-07-05 15:58:30 +0000 |
commit | 07b079424d11069ebb3d6d608d1766f66741ed55 | |
tree | 9f1b2aa786ce0510b0953c24a250ee96d92526eb /mk | |
parent | 6d34e9d43a95795710b44ac3cecfda656d4952e1 | |
download | pkgsrc-07b079424d11069ebb3d6d608d1766f66741ed55.tar.gz | |

Enable both SSP and FORTIFY by default

This is only actually in use where known supported.

Prepared for a while, also the default in the base system (for NetBSD and
numerous others), introduced on mailing-lists and in my talk "Hardening
pkgsrc", and finally accepted unanimously during pkgsrcCon 2017.

Used by Joyent already (according to jperkin@) and tested in EdgeBSD for a
couple years now (amd64 and i386).

Diffstat (limited to 'mk')
-rw-r--r-- | mk/defaults/mk.conf | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf index db2155ff6c0..42644caab8c 100644 --- a/mk/defaults/mk.conf +++ b/mk/defaults/mk.conf @@ -1,4 +1,4 @@ -# $NetBSD: mk.conf,v 1.276 2017/06/23 15:44:06 schmonz Exp $ +# $NetBSD: mk.conf,v 1.277 2017/07/05 15:58:30 khorben Exp $ # # This file provides default values for variables that may be overridden @@ -231,7 +231,7 @@ PKGSRC_MKPIE?= no # Possible: yes, no # Default: no -PKGSRC_USE_FORTIFY?= no +PKGSRC_USE_FORTIFY?= strong # Turns on substitute wrappers for commonly used functions that do not bounds # checking regularly, but could in some cases. This is effectively in use only # when both enabled and supported. @@ -239,7 +239,7 @@ PKGSRC_USE_FORTIFY?= no # no: Do not pass any flags for FORTIFY # weak: Pass -D_FORTIFY_SOURCE=1 # strong: Pass -D_FORTIFY_SOURCE=2 -# Default: no +# Default: strong PKGSRC_USE_RELRO?= no # Link with RELRO by default (on supported platforms). This makes the @@ -249,14 +249,14 @@ PKGSRC_USE_RELRO?= no # partial: Pass -Wl,-z,relro # full: Pass -Wl,-z,relro -Wl,-z,now -PKGSRC_USE_SSP?= no +PKGSRC_USE_SSP?= yes # Configure this to enable stack smashing protection (on supported platforms). # Possible values: # no: Do not pass any stack protection flags # yes: Pass -fstack-protector # strong: Pass -fstack-protector-strong # all: Pass -fstack-protector-all -# Default: no +# Default: yes # The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below. # Please add your platform here once you have confirmed it is correct |
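
Review bot: In the PKGSRC_USE_FORTIFY hunks (@@ -231,7 and @@ -239,7) the default goes from `no` straight to `strong` (-D_FORTIFY_SOURCE=2), but the comment block does not say why `weak` was passed over or how a user turns the feature off again. Since this now affects every build that does not set the variable, add a line to the comment stating that setting PKGSRC_USE_FORTIFY=no in mk.conf restores the old behaviour. While this block is open, the context line "functions that do not bounds checking regularly" should be reworded, for example to "functions that do not regularly perform bounds checking".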
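
Review bot: In the PKGSRC_USE_SSP hunk (@@ -249,14) the new default is `yes` (-fstack-protector), the weakest of the three enabled levels listed, while PKGSRC_USE_FORTIFY in the same commit is set to its strongest level. State the reason for stopping at `yes` rather than `strong` in the comment, otherwise the asymmetry reads as an oversight. The SSP comment also lacks the sentence the FORTIFY block carries ("This is effectively in use only when both enabled and supported"), although the commit message says the same condition applies to both; copy that sentence here so the two blocks document the same behaviour.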