Add support for a number of security features

- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead
  of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY
  is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR)
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits
  from functioning.

Tested on NetBSD/amd64 by myself, in every combination, with and without
pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers.
Also, MKPIE is known to still break a number of packages when enabled (and
actually supported).

Tested on SunOS by jperkin@, thank you!

As discussed on tech-pkg@, the default behavior is not changed, except
where noted above.

ok bsiegert@

9 files changed, 176 insertions, 28 deletions

diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index bba380a197c..a3686851292 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.379 2016/03/11 05:42:35 tnn Exp $
+# $NetBSD: bsd.prefs.mk,v 1.380 2016/03/11 23:03:31 khorben Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -709,6 +709,35 @@ _USE_CWRAPPERS=		yes
 _USE_CWRAPPERS=		no
 .endif
 
+_PKGSRC_MKPIE=	no
+.if (${PKGSRC_MKPIE:tl} == "yes") && \
+    (${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes")
+_PKGSRC_MKPIE=	yes
+_GCC_CFLAGS+=		${_MKPIE_CFLAGS.gcc}
+_GCC_LDFLAGS+=		${_MKPIE_LDFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_FORTIFY=	no
+.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \
+    (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
+_PKGSRC_USE_FORTIFY=	yes
+_GCC_CFLAGS+=		${_FORTIFY_CFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_RELRO=	no
+.if (${PKGSRC_USE_RELRO:tl} == "yes") && \
+    (${_OPSYS_SUPPORTS_RELRO:Uno} == "yes")
+_PKGSRC_USE_RELRO=	yes
+_GCC_LDFLAGS+=		${_RELRO_LDFLAGS.gcc}
+.endif
+
+_PKGSRC_USE_SSP=	no
+.if (${PKGSRC_USE_SSP:tl} == "yes") && \
+    (${_OPSYS_SUPPORTS_SSP:Uno} == "yes")
+_PKGSRC_USE_SSP=	yes
+_GCC_CFLAGS+=		${_SSP_CFLAGS.gcc}
+.endif
+
 # Wrapper framework definitions
 .include "wrapper/wrapper-defs.mk"
 
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index e0f73858081..1a575feffe3 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.164 2016/03/02 18:45:21 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.165 2016/03/11 23:03:31 khorben Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -338,6 +338,24 @@ _WRAP_EXTRA_ARGS.CC+=	-std=gnu99
 CWRAPPERS_APPEND.cc+=	-std=gnu99
 .endif
 
+.if ${_PKGSRC_MKPIE} == "yes"
+CWRAPPERS_APPEND.cc+=	${_MKPIE_CFLAGS.gcc}
+# XXX this differs for libraries and executables
+# CWRAPPERS_APPEND.ld+=	${_MKPIE_LDFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_FORTIFY} == "yes"
+CWRAPPERS_APPEND.cc+=	${_FORTIFY_CFLAGS.gcc}
+.endif
+
+.if ${_PKGSRC_USE_RELRO} == "yes"
+CWRAPPERS_APPEND.ld+=	${_RELRO_LDFLAGS.gcc}
+.endif
+ 
+.if ${_PKGSRC_USE_SSP} == "yes"
+CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS.gcc}
+.endif
+
 # GCC has this annoying behaviour where it advocates in a multi-line
 # banner the use of "#include" over "#import" when including headers.
 # This generates a huge number of warnings when building practically all
@@ -713,9 +731,10 @@ _GCC_LDFLAGS=	# empty
 .  for _dir_ in ${_GCC_LIBDIRS:N*not_found*}
 _GCC_LDFLAGS+=	-L${_dir_} ${COMPILER_RPATH_FLAG}${_dir_}
 .  endfor
-LDFLAGS+=	${_GCC_LDFLAGS}
 .endif
 
+LDFLAGS+=	${_GCC_LDFLAGS}
+
 # Point the variables that specify the compiler to the installed
 # GCC executables.
 #
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 4d6e883bc91..568b72a6fa7 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.262 2016/01/24 16:14:44 jperkin Exp $
+# $NetBSD: mk.conf,v 1.263 2016/03/11 23:03:31 khorben Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -215,20 +215,30 @@ PKGSRC_RUN_TEST?=	no
 # Possible: yes, no
 # Default: no
 
-PKGSRC_USE_FORT?= no
+PKGSRC_MKPIE?= no
+# If no, create regular executables. Otherwise create PIE (Position Independent
+# Executables, on supported platforms). This option is necessary to fully
+# leverage ASLR as a mitigation for security vulnerabilities.
+# Possible: yes, no
+# Default: no
+
+PKGSRC_USE_FORTIFY?= no
 # Turns on substitute wrappers for commonly used functions that do not bounds
-# checking regularly, but could in some cases (with GCC for instance).
+# checking regularly, but could in some cases. This is effectively in use only
+# when both enabled and supported.
+# Possible: yes, no
+# Default: no
+
+PKGSRC_USE_RELRO?= no
+# Link with RELRO by default (on supported platforms). This makes the
+# exploitation of some security vulnerabilities more difficult in some cases.
 # Possible: yes, no
 # Default: no
 
-.if ${PKGSRC_USE_FORT:Uno} != "no"
-PKGSRC_USE_SSP?= yes
-.else
 PKGSRC_USE_SSP?= no
-.endif
-# Set this to YES to enable stack-smashing protection (on supported platforms).
+# Set this to yes to enable stack-smashing protection (on supported platforms).
 # Possible: yes, no
-# Default: no, except if PKGSRC_USE_FORT is set to "yes".
+# Default: no
 
 # The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below.
 # Please add your platform here once you have confirmed it is correct
diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk
index c2666e2df37..d5270fedc05 100644
--- a/mk/platform/NetBSD.mk
+++ b/mk/platform/NetBSD.mk
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.mk,v 1.46 2016/03/10 16:58:19 jperkin Exp $
+# $NetBSD: NetBSD.mk,v 1.47 2016/03/11 23:03:31 khorben Exp $
 #
 # Variable definitions for the NetBSD operating system.
 
@@ -123,19 +123,35 @@ FFLAGS+=	-mieee
 PKG_HAVE_KQUEUE=	# defined
 .endif
 
-.if ${PKGSRC_USE_FORT:Uno} != "no"
-# build with fortify
-_GCC_CFLAGS+=	-D_FORTIFY_SOURCE=2
+# Register support for FORTIFY where supported (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc=	-D_FORTIFY_SOURCE=2
+
+# Register support for PIE on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \
+    (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_MKPIE=	yes
+_MKPIE_CFLAGS.gcc=	-fPIC
+# XXX for executables it should be:
+#_MKPIE_CFLAGS.gcc=	-fPIE
+# XXX for libraries a sink wrapper around gcc is required and used instead
+#_MKPIE_LDFLAGS.gcc=	-pie
 .endif
 
-.if ${PKGSRC_USE_SSP:Uno} != "no"
-. if (${MACHINE_ARCH} != "alpha") && \
-	(${MACHINE_ARCH} != "hppa") && \
-	(${MACHINE_ARCH} != "ia64") && \
-	(${MACHINE_ARCH} != "mips")
-# build with stack protection (with GCC)
-_GCC_CFLAGS+=	-fstack-protector
-. endif
+# Register support for RELRO on supported architectures (with GCC)
+.if (${MACHINE_ARCH} == "i386") || \
+    (${MACHINE_ARCH} == "x86_64")
+_OPSYS_SUPPORTS_RELRO=	yes
+_RELRO_LDFLAGS.gcc=	-Wl,-z,relro -Wl,-z,now
+.endif
+
+# Register support for SSP on most architectures (with GCC)
+.if (${MACHINE_ARCH} != "alpha") && \
+    (${MACHINE_ARCH} != "hppa") && \
+    (${MACHINE_ARCH} != "ia64") && \
+    (${MACHINE_ARCH} != "mips")
+_OPSYS_SUPPORTS_SSP=	yes
+_SSP_CFLAGS.gcc=	-fstack-protector-all
 .endif
 
 _OPSYS_CAN_CHECK_SHLIBS=	yes # use readelf in check/bsd.check-vars.mk
diff --git a/mk/platform/SunOS.mk b/mk/platform/SunOS.mk
index 024037da3e8..6c6d1ffe0fe 100644
--- a/mk/platform/SunOS.mk
+++ b/mk/platform/SunOS.mk
@@ -1,4 +1,4 @@
-# $NetBSD: SunOS.mk,v 1.69 2016/03/11 22:04:34 fhajny Exp $
+# $NetBSD: SunOS.mk,v 1.70 2016/03/11 23:03:31 khorben Exp $
 #
 # Variable definitions for the SunOS/Solaris operating system.
 
@@ -111,6 +111,14 @@ _OPSYS_SYSTEM_RPATH?=	/lib${LIBABISUFFIX}:/usr/lib${LIBABISUFFIX}
 _OPSYS_LIB_DIRS?=	/lib${LIBABISUFFIX} /usr/lib${LIBABISUFFIX}
 _OPSYS_INCLUDE_DIRS?=	/usr/include
 
+# support FORTIFY (with GCC)
+_OPSYS_SUPPORTS_FORTIFY=yes
+_FORTIFY_CFLAGS.gcc=	-D_FORTIFY_SOURCE=2
+
+# support stack protection (with GCC)
+_OPSYS_SUPPORTS_SSP=	yes
+_SSP_CFLAGS.gcc=	-fstack-protector
+
 _OPSYS_CAN_CHECK_SHLIBS=	yes # requires readelf
 
 # check for maximum command line length and set it in configure's environment,
diff --git a/mk/wrapper/arg-source b/mk/wrapper/arg-source
index 9336414edbf..476de2de56b 100644
--- a/mk/wrapper/arg-source
+++ b/mk/wrapper/arg-source
@@ -1,4 +1,4 @@
-# $NetBSD: arg-source,v 1.16 2015/11/20 05:49:24 richard Exp $
+# $NetBSD: arg-source,v 1.17 2016/03/11 23:03:31 khorben Exp $
 #
 # Copyright (c) 2004 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -161,6 +161,12 @@ while $test $# -gt 0; do
 	##############################################################
 	-c|-S|-E)
 		dont_link=yes
+		dont_link_binary=yes
+		append_queue argbuf "$arg"
+		$debug_log $wrapperlog "    (arg-source) push: $arg"
+		;;
+	-shared)
+		dont_link_binary=yes
 		append_queue argbuf "$arg"
 		$debug_log $wrapperlog "    (arg-source) push: $arg"
 		;;
diff --git a/mk/wrapper/bsd.wrapper.mk b/mk/wrapper/bsd.wrapper.mk
index 67d90d0fff2..887db29a08d 100644
--- a/mk/wrapper/bsd.wrapper.mk
+++ b/mk/wrapper/bsd.wrapper.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.wrapper.mk,v 1.96 2016/03/04 21:25:47 tnn Exp $
+# $NetBSD: bsd.wrapper.mk,v 1.97 2016/03/11 23:03:31 khorben Exp $
 #
 # Copyright (c) 2005 The NetBSD Foundation, Inc.
 # All rights reserved.
@@ -311,6 +311,9 @@ _WRAP_TRANSFORM.CXX=	${_WRAP_TRANSFORM.CC}
 .if !empty(PKGSRC_COMPILER:Mgcc)
 _WRAP_TRANSFORM.CC=	${WRAPPER_TMPDIR}/transform-gcc
 _WRAP_TRANSFORM.CXX=	${_WRAP_TRANSFORM.CC}
+. if ${_PKGSRC_MKPIE} != "no"
+_WRAP_CMD_SINK.CC=	${WRAPPER_TMPDIR}/cmd-sink-mkpie-gcc
+. endif
 .endif
 
 _WRAP_CMD_SINK.LD=		${WRAPPER_TMPDIR}/cmd-sink-ld
@@ -514,6 +517,7 @@ generate-wrappers: ${_target_}
 	cmd-sink-irix-ld \
 	cmd-sink-interix-gcc \
 	cmd-sink-ld \
+	cmd-sink-mkpie-gcc \
 	cmd-sink-osf1-cc \
 	cmd-sink-osf1-ld \
 	cmd-sink-hpux-cc \
diff --git a/mk/wrapper/cmd-sink-mkpie-gcc b/mk/wrapper/cmd-sink-mkpie-gcc
new file mode 100644
index 00000000000..8a1ed864d6d
--- /dev/null
+++ b/mk/wrapper/cmd-sink-mkpie-gcc
@@ -0,0 +1,47 @@
+# $NetBSD: cmd-sink-mkpie-gcc,v 1.1 2016/03/11 23:03:31 khorben Exp $
+#
+# Copyright (c) 2016 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Pierre Pronchery.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+while ! queue_is_empty cmdbuf; do
+	pop_queue cmdbuf arg
+	$debug_log $wrapperlog "    (cmd-sink-mkpie-gcc) pop:  $arg"
+	case $arg in
+	*)
+		. $buildcmd
+		;;
+	esac
+done
+
+# Append any optional flags required when linking binaries.
+if $test "$dont_link_binary" != "yes"; then
+	# XXX obtain these flags from _MKPIE_LDFLAGS.gcc
+	for arg in -pie; do
+		$debug_log $wrapperlog "    (cmd-sink-mkpie-gcc) pop: $arg"
+		. $buildcmd
+	done
+fi
diff --git a/mk/wrapper/transform-gcc b/mk/wrapper/transform-gcc
index 3dd6624d7fb..cceabccb240 100644
--- a/mk/wrapper/transform-gcc
+++ b/mk/wrapper/transform-gcc
@@ -1,4 +1,4 @@
-# $NetBSD: transform-gcc,v 1.29 2013/12/31 13:56:35 tron Exp $
+# $NetBSD: transform-gcc,v 1.30 2016/03/11 23:03:31 khorben Exp $
 #
 # This file handles the transformations needed for gcc that can be done
 # looking at only one argument at a time.
@@ -43,10 +43,14 @@ case $arg in
 -fomit-frame-pointer	|\
 -fPIC			|\
 -fpic			|\
+-fPIE			|\
+-fpie			|\
 -fpcc-struct-return	|\
 -freg-struct-return	|\
 -frename-registers	|\
 -fsigned-char		|\
+-fstack-protector	|\
+-fstack-protector-all	|\
 -funroll-loops		|\
 -funsigned-char		|\
 -fweb			|\
@@ -74,6 +78,8 @@ case $arg in
 -print-search-dirs	|\
 -S			|\
 -shared			|\
+-shared-gcc		|\
+-shared-libgcc		|\
 -static			|\
 -std=c99		|\
 -std=gnu89		|\
@@ -90,6 +96,7 @@ case $arg in
 -Werror			|\
 -Werror-implicit-function-declaration |\
 -Wformat*		|\
+-Winline		|\
 -Wmissing-declarations	|\
 -Wmissing-format-attribute |\
 -Wmissing-prototypes	|\
@@ -110,12 +117,14 @@ case $arg in
 -Wno-write-strings	|\
 -Wparentheses		|\
 -Wpointer-arith		|\
+-Wredundant-decls	|\
 -Wreturn-type		|\
 -Wshadow		|\
 -Wsign-compare		|\
 -Wstrict-aliasing	|\
 -Wstrict-prototypes	|\
 -Wswitch		|\
+-Wtrigraphs		|\
 -Wunused		|\
 -Wundef			|\
 -Wwrite-strings		) transform_pass ;;