summaryrefslogtreecommitdiff
path: root/mk
diff options
context:
space:
mode:
authorkhorben <khorben@pkgsrc.org>2016-03-11 23:03:31 +0000
committerkhorben <khorben@pkgsrc.org>2016-03-11 23:03:31 +0000
commit35e1364464de032ec92a94132037a96e202159d4 (patch)
treea31436d9533c1541a49db35aa9ff8a012a2ddaf2 /mk
parent6a553fa6bb9755be90e94f865fa347ffbbf4b44f (diff)
downloadpkgsrc-35e1364464de032ec92a94132037a96e202159d4.tar.gz
Add support for a number of security features
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc; - PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY is enabled; - PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR) - PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits from functioning. Tested on NetBSD/amd64 by myself, in every combination, with and without pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers. Also, MKPIE is known to still break a number of packages when enabled (and actually supported). Tested on SunOS by jperkin@, thank you! As discussed on tech-pkg@, the default behavior is not changed, except where noted above. ok bsiegert@
Diffstat (limited to 'mk')
-rw-r--r--mk/bsd.prefs.mk31
-rw-r--r--mk/compiler/gcc.mk23
-rw-r--r--mk/defaults/mk.conf28
-rw-r--r--mk/platform/NetBSD.mk40
-rw-r--r--mk/platform/SunOS.mk10
-rw-r--r--mk/wrapper/arg-source8
-rw-r--r--mk/wrapper/bsd.wrapper.mk6
-rw-r--r--mk/wrapper/cmd-sink-mkpie-gcc47
-rw-r--r--mk/wrapper/transform-gcc11
9 files changed, 176 insertions, 28 deletions
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index bba380a197c..a3686851292 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.379 2016/03/11 05:42:35 tnn Exp $
+# $NetBSD: bsd.prefs.mk,v 1.380 2016/03/11 23:03:31 khorben Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -709,6 +709,35 @@ _USE_CWRAPPERS= yes
_USE_CWRAPPERS= no
.endif
+_PKGSRC_MKPIE= no
+.if (${PKGSRC_MKPIE:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes")
+_PKGSRC_MKPIE= yes
+_GCC_CFLAGS+= ${_MKPIE_CFLAGS.gcc}
+_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_FORTIFY= no
+.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
+_PKGSRC_USE_FORTIFY= yes
+_GCC_CFLAGS+= ${_FORTIFY_CFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_RELRO= no
+.if (${PKGSRC_USE_RELRO:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_RELRO:Uno} == "yes")
+_PKGSRC_USE_RELRO= yes
+_GCC_LDFLAGS+= ${_RELRO_LDFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_SSP= no
+.if (${PKGSRC_USE_SSP:tl} == "yes") && \
+ (${_OPSYS_SUPPORTS_SSP:Uno} == "yes")
+_PKGSRC_USE_SSP= yes
+_GCC_CFLAGS+= ${_SSP_CFLAGS.gcc}
+.endif
+
# Wrapper framework definitions
.include "wrapper/wrapper-defs.mk"
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index e0f73858081..1a575feffe3 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.164 2016/03/02 18:45:21 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.165 2016/03/11 23:03:31 khorben Exp $
#
# This is the compiler definition for the GNU Compiler Collection.
#
@@ -338,6 +338,24 @@ _WRAP_EXTRA_ARGS.CC+= -std=gnu99
CWRAPPERS_APPEND.cc+= -std=gnu99
.endif
+.if ${_PKGSRC_MKPIE} == "yes"
+CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc}
+# XXX this differs for libraries and executables
+# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_FORTIFY} == "yes"
+CWRAPPERS_APPEND.cc+= ${_FORTIFY_CFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_RELRO} == "yes"
+CWRAPPERS_APPEND.ld+= ${_RELRO_LDFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_SSP} == "yes"
+CWRAPPERS_APPEND.cc+= ${_SSP_CFLAGS.gcc}
+.endif
+
# GCC has this annoying behaviour where it advocates in a multi-line
# banner the use of "#include" over "#import" when including headers.
# This generates a huge number of warnings when building practically all
@@ -713,9 +731,10 @@ _GCC_LDFLAGS= # empty
. for _dir_ in ${_GCC_LIBDIRS:N*not_found*}
_GCC_LDFLAGS+= -L${_dir_} ${COMPILER_RPATH_FLAG}${_dir_}
. endfor
-LDFLAGS+= ${_GCC_LDFLAGS}
.endif
+LDFLAGS+= ${_GCC_LDFLAGS}
+
# Point the variables that specify the compiler to the installed
# GCC executables.
#
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 4d6e883bc91..568b72a6fa7 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.262 2016/01/24 16:14:44 jperkin Exp $
+# $NetBSD: mk.conf,v 1.263 2016/03/11 23:03:31 khorben Exp $
#
# This file provides default values for variables that may be overridden
@@ -215,20 +215,30 @@ PKGSRC_RUN_TEST?= no
# Possible: yes, no
# Default: no
-PKGSRC_USE_FORT?= no
+PKGSRC_MKPIE?= no
+# If no, create regular executables. Otherwise create PIE (Position Independent
+# Executables, on supported platforms). This option is necessary to fully
+# leverage ASLR as a mitigation for security vulnerabilities.
+# Possible: yes, no
+# Default: no
+
+PKGSRC_USE_FORTIFY?= no
# Turns on substitute wrappers for commonly used functions that do not bounds
-# checking regularly, but could in some cases (with GCC for instance).
+# checking regularly, but could in some cases. This is effectively in use only
+# when both enabled and supported.
+# Possible: yes, no
+# Default: no
+
+PKGSRC_USE_RELRO?= no
+# Link with RELRO by default (on supported platforms). This makes the
+# exploitation of some security vulnerabilities more difficult in some cases.
# Possible: yes, no
# Default: no
-.if ${PKGSRC_USE_FORT:Uno} != "no"
-PKGSRC_USE_SSP?= yes
-.else
PKGSRC_USE_SSP?= no
-.endif
-# Set this to YES to enable stack-smashing protection (on supported platforms).
+# Set this to yes to enable stack-smashing protection (on supported platforms).
# Possible: yes, no
-# Default: no, except if PKGSRC_USE_FORT is set to "yes".
+# Default: no
# The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below.
# Please add your platform here once you have confirmed it is correct
diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk
index c2666e2df37..d5270fedc05 100644
--- a/mk/platform/NetBSD.mk
+++ b/mk/platform/NetBSD.mk
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.mk,v 1.46 2016/03/10 16:58:19 jperkin Exp $
+# $NetBSD: NetBSD.mk,v 1.47 2016/03/11 23:03:31 khorben Exp $
#
# Variable definitions for the NetBSD operating system.
@@ -123,19 +123,35 @@ FFLAGS+= -mieee
PKG_HAVE_KQUEUE= # defined
.endif
-.if ${PKGSRC_USE_FORT:Uno} != "no"
-# build with fortify
-_GCC_CFLAGS+= -D_FORTIFY_SOURCE=2
+# Register support for FORTIFY where supported (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
+
+# Register support for PIE on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \
+ (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_MKPIE= yes
+_MKPIE_CFLAGS.gcc= -fPIC
+# XXX for executables it should be:
+#_MKPIE_CFLAGS.gcc= -fPIE
+# XXX for libraries a sink wrapper around gcc is required and used instead
+#_MKPIE_LDFLAGS.gcc= -pie
.endif
-.if ${PKGSRC_USE_SSP:Uno} != "no"
-. if (${MACHINE_ARCH} != "alpha") && \
- (${MACHINE_ARCH} != "hppa") && \
- (${MACHINE_ARCH} != "ia64") && \
- (${MACHINE_ARCH} != "mips")
-# build with stack protection (with GCC)
-_GCC_CFLAGS+= -fstack-protector
-. endif
+# Register support for RELRO on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \
+ (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_RELRO= yes
+_RELRO_LDFLAGS.gcc= -Wl,-z,relro -Wl,-z,now
+.endif
+
+# Register support for SSP on most architectures (with GCC)
+.if (${MACHINE_ARCH} != "alpha") && \
+ (${MACHINE_ARCH} != "hppa") && \
+ (${MACHINE_ARCH} != "ia64") && \
+ (${MACHINE_ARCH} != "mips")
+_OPSYS_SUPPORTS_SSP= yes
+_SSP_CFLAGS.gcc= -fstack-protector-all
.endif
_OPSYS_CAN_CHECK_SHLIBS= yes # use readelf in check/bsd.check-vars.mk
diff --git a/mk/platform/SunOS.mk b/mk/platform/SunOS.mk
index 024037da3e8..6c6d1ffe0fe 100644
--- a/mk/platform/SunOS.mk
+++ b/mk/platform/SunOS.mk
@@ -1,4 +1,4 @@
-# $NetBSD: SunOS.mk,v 1.69 2016/03/11 22:04:34 fhajny Exp $
+# $NetBSD: SunOS.mk,v 1.70 2016/03/11 23:03:31 khorben Exp $
#
# Variable definitions for the SunOS/Solaris operating system.
@@ -111,6 +111,14 @@ _OPSYS_SYSTEM_RPATH?= /lib${LIBABISUFFIX}:/usr/lib${LIBABISUFFIX}
_OPSYS_LIB_DIRS?= /lib${LIBABISUFFIX} /usr/lib${LIBABISUFFIX}
_OPSYS_INCLUDE_DIRS?= /usr/include
+# support FORTIFY (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
+
+# support stack protection (with GCC)
+_OPSYS_SUPPORTS_SSP= yes
+_SSP_CFLAGS.gcc= -fstack-protector
+
_OPSYS_CAN_CHECK_SHLIBS= yes # requires readelf
# check for maximum command line length and set it in configure's environment,
diff --git a/mk/wrapper/arg-source b/mk/wrapper/arg-source
index 9336414edbf..476de2de56b 100644
--- a/mk/wrapper/arg-source
+++ b/mk/wrapper/arg-source
@@ -1,4 +1,4 @@
-# $NetBSD: arg-source,v 1.16 2015/11/20 05:49:24 richard Exp $
+# $NetBSD: arg-source,v 1.17 2016/03/11 23:03:31 khorben Exp $
#
# Copyright (c) 2004 The NetBSD Foundation, Inc.
# All rights reserved.
@@ -161,6 +161,12 @@ while $test $# -gt 0; do
##############################################################
-c|-S|-E)
dont_link=yes
+ dont_link_binary=yes
+ append_queue argbuf "$arg"
+ $debug_log $wrapperlog " (arg-source) push: $arg"
+ ;;
+ -shared)
+ dont_link_binary=yes
append_queue argbuf "$arg"
$debug_log $wrapperlog " (arg-source) push: $arg"
;;
diff --git a/mk/wrapper/bsd.wrapper.mk b/mk/wrapper/bsd.wrapper.mk
index 67d90d0fff2..887db29a08d 100644
--- a/mk/wrapper/bsd.wrapper.mk
+++ b/mk/wrapper/bsd.wrapper.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.wrapper.mk,v 1.96 2016/03/04 21:25:47 tnn Exp $
+# $NetBSD: bsd.wrapper.mk,v 1.97 2016/03/11 23:03:31 khorben Exp $
#
# Copyright (c) 2005 The NetBSD Foundation, Inc.
# All rights reserved.
@@ -311,6 +311,9 @@ _WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC}
.if !empty(PKGSRC_COMPILER:Mgcc)
_WRAP_TRANSFORM.CC= ${WRAPPER_TMPDIR}/transform-gcc
_WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC}
+. if ${_PKGSRC_MKPIE} != "no"
+_WRAP_CMD_SINK.CC= ${WRAPPER_TMPDIR}/cmd-sink-mkpie-gcc
+. endif
.endif
_WRAP_CMD_SINK.LD= ${WRAPPER_TMPDIR}/cmd-sink-ld
@@ -514,6 +517,7 @@ generate-wrappers: ${_target_}
cmd-sink-irix-ld \
cmd-sink-interix-gcc \
cmd-sink-ld \
+ cmd-sink-mkpie-gcc \
cmd-sink-osf1-cc \
cmd-sink-osf1-ld \
cmd-sink-hpux-cc \
diff --git a/mk/wrapper/cmd-sink-mkpie-gcc b/mk/wrapper/cmd-sink-mkpie-gcc
new file mode 100644
index 00000000000..8a1ed864d6d
--- /dev/null
+++ b/mk/wrapper/cmd-sink-mkpie-gcc
@@ -0,0 +1,47 @@
+# $NetBSD: cmd-sink-mkpie-gcc,v 1.1 2016/03/11 23:03:31 khorben Exp $
+#
+# Copyright (c) 2016 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Pierre Pronchery.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+while ! queue_is_empty cmdbuf; do
+ pop_queue cmdbuf arg
+ $debug_log $wrapperlog " (cmd-sink-mkpie-gcc) pop: $arg"
+ case $arg in
+ *)
+ . $buildcmd
+ ;;
+ esac
+done
+
+# Append any optional flags required when linking binaries.
+if $test "$dont_link_binary" != "yes"; then
+ # XXX obtain these flags from _MKPIE_LDFLAGS.gcc
+ for arg in -pie; do
+ $debug_log $wrapperlog " (cmd-sink-mkpie-gcc) pop: $arg"
+ . $buildcmd
+ done
+fi
diff --git a/mk/wrapper/transform-gcc b/mk/wrapper/transform-gcc
index 3dd6624d7fb..cceabccb240 100644
--- a/mk/wrapper/transform-gcc
+++ b/mk/wrapper/transform-gcc
@@ -1,4 +1,4 @@
-# $NetBSD: transform-gcc,v 1.29 2013/12/31 13:56:35 tron Exp $
+# $NetBSD: transform-gcc,v 1.30 2016/03/11 23:03:31 khorben Exp $
#
# This file handles the transformations needed for gcc that can be done
# looking at only one argument at a time.
@@ -43,10 +43,14 @@ case $arg in
-fomit-frame-pointer |\
-fPIC |\
-fpic |\
+-fPIE |\
+-fpie |\
-fpcc-struct-return |\
-freg-struct-return |\
-frename-registers |\
-fsigned-char |\
+-fstack-protector |\
+-fstack-protector-all |\
-funroll-loops |\
-funsigned-char |\
-fweb |\
@@ -74,6 +78,8 @@ case $arg in
-print-search-dirs |\
-S |\
-shared |\
+-shared-gcc |\
+-shared-libgcc |\
-static |\
-std=c99 |\
-std=gnu89 |\
@@ -90,6 +96,7 @@ case $arg in
-Werror |\
-Werror-implicit-function-declaration |\
-Wformat* |\
+-Winline |\
-Wmissing-declarations |\
-Wmissing-format-attribute |\
-Wmissing-prototypes |\
@@ -110,12 +117,14 @@ case $arg in
-Wno-write-strings |\
-Wparentheses |\
-Wpointer-arith |\
+-Wredundant-decls |\
-Wreturn-type |\
-Wshadow |\
-Wsign-compare |\
-Wstrict-aliasing |\
-Wstrict-prototypes |\
-Wswitch |\
+-Wtrigraphs |\
-Wunused |\
-Wundef |\
-Wwrite-strings ) transform_pass ;;