authorkhorben <khorben>2017-04-16 23:12:37 +0000
committerkhorben <khorben>2017-04-16 23:12:37 +0000
commit18e0dfec9f3ce91b24e1fb9e19ce64ae84545698 (patch)
treef9bd9328012a4335ff51ed30ecd67bcff5e2f8aa /mk
parent90fdf460de7c59c9cd8ac73c462e5115c54a67be (diff)
Add granularity to PKGSRC_USE_FORTIFY and PKGSRC_USE_RELRO
The new options are, for FORTIFY: "no" Do not pass any flags for FORTIFY "weak" Pass -D_FORTIFY_SOURCE=1 "strong" Pass -D_FORTIFY_SOURCE=2 This allows users to reduce the level of FORTIFY specified if necessary or desired. The previous setting as "yes" is now equivalent to "strong" (the default when enabling). The new options are, for RELRO: "no" Do not pass any flags for RELRO "partial" Pass -Wl,-z,relro "full" Pass -Wl,-z,relro -Wl,-z,now This allows users to reduce the level of RELRO specified if necessary or desired. The previous setting as "yes" is now equivalent to "full" (the default when enabling). This is intended to match the changes committed by jperkin@ (for SSP) after our discussion a (long) while back. No functional change intended (with the settings supported so far).
Diffstat (limited to 'mk')
-rw-r--r--mk/bsd.prefs.mk6
-rw-r--r--mk/compiler/gcc.mk26
-rw-r--r--mk/defaults/mk.conf13
3 files changed, 31 insertions, 14 deletions
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index 38ec9152b1c..61195e890df 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.389 2017/02/01 09:55:07 sevan Exp $
+# $NetBSD: bsd.prefs.mk,v 1.390 2017/04/16 23:12:37 khorben Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -695,13 +695,13 @@ _PKGSRC_MKPIE= yes
.endif
_PKGSRC_USE_FORTIFY= no
-.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \
+.if (${PKGSRC_USE_FORTIFY:tl} != "no") && \
(${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
_PKGSRC_USE_FORTIFY= yes
.endif
_PKGSRC_USE_RELRO= no
-.if (${PKGSRC_USE_RELRO:tl} == "yes") && \
+.if (${PKGSRC_USE_RELRO:tl} != "no") && \
(${_OPSYS_SUPPORTS_RELRO:Uno} == "yes")
_PKGSRC_USE_RELRO= yes
.endif
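Review bot: The relaxed tests `${PKGSRC_USE_FORTIFY:tl} != "no"` and `${PKGSRC_USE_RELRO:tl} != "no"` accept any string, so an empty or misspelled value (a constructed example: `PKGSRC_USE_RELRO=none`) now switches the feature on where the old `== "yes"` test left it off. In gcc.mk such a value then falls into the `.else` branch and gets the strongest level. That is the safer direction to fail, but a user who lowered or disabled the level to work around a build problem gets no indication that the setting was not understood. Consider matching the accepted values explicitly (`yes`, `weak`, `strong` and `yes`, `partial`, `full`) and reporting anything else, and add a comment here such as `# Any value other than "no" enables the feature; the level is chosen in mk/compiler/gcc.mk`.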
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index 58f2b4765e2..4f07cd518ac 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.175 2017/04/10 12:22:07 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.176 2017/04/16 23:12:37 khorben Exp $
#
# This is the compiler definition for the GNU Compiler Collection.
#
@@ -316,13 +316,11 @@ CWRAPPERS_APPEND.cc+= -std=gnu99
.endif
.if ${OPSYS} == "NetBSD"
-_FORTIFY_CFLAGS.gcc= -D_FORTIFY_SOURCE=2
_MKPIE_CFLAGS.gcc= -fPIC
# XXX for executables it should be:
#_MKPIE_CFLAGS.gcc= -fPIE
# XXX for libraries a sink wrapper around gcc is required and used instead
#_MKPIE_LDFLAGS.gcc= -pie
-_RELRO_LDFLAGS.gcc= -Wl,-z,relro -Wl,-z,now
.endif
.if ${OPSYS} == "SunOS"
@@ -337,14 +335,28 @@ CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc}
# CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}
.endif
+# The user can choose the level of FORTIFY.
+.if ${PKGSRC_USE_FORTIFY} == "weak"
+_FORTIFY_CFLAGS= -D_FORTIFY_SOURCE=1
+.else
+_FORTIFY_CFLAGS= -D_FORTIFY_SOURCE=2
+.endif
+
.if ${_PKGSRC_USE_FORTIFY} == "yes"
-_GCC_CFLAGS+= ${_FORTIFY_CFLAGS.gcc}
-CWRAPPERS_APPEND.cc+= ${_FORTIFY_CFLAGS.gcc}
+_GCC_CFLAGS+= ${_FORTIFY_CFLAGS}
+CWRAPPERS_APPEND.cc+= ${_FORTIFY_CFLAGS}
+.endif
+
+# The user can choose the level of RELRO.
+.if ${PKGSRC_USE_RELRO} == "partial"
+_RELRO_LDFLAGS= -Wl,-z,relro
+.else
+_RELRO_LDFLAGS= -Wl,-z,relro -Wl,-z,now
.endif
.if ${_PKGSRC_USE_RELRO} == "yes"
-_GCC_LDFLAGS+= ${_RELRO_LDFLAGS.gcc}
-CWRAPPERS_APPEND.ld+= ${_RELRO_LDFLAGS.gcc}
+_GCC_LDFLAGS+= ${_RELRO_LDFLAGS}
+CWRAPPERS_APPEND.ld+= ${_RELRO_LDFLAGS}
.endif
# The user can choose the level of stack smashing protection.
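Review bot: The level tests `.if ${PKGSRC_USE_FORTIFY} == "weak"` and `.if ${PKGSRC_USE_RELRO} == "partial"` compare the raw value, while bsd.prefs.mk lower-cases it with `:tl` before deciding whether the feature is enabled. A mixed-case setting such as `Weak` or `Partial` therefore enables the feature but misses these branches and silently receives `-D_FORTIFY_SOURCE=2` or `-Wl,-z,relro -Wl,-z,now`. Writing `.if ${PKGSRC_USE_FORTIFY:tl} == "weak"` and `.if ${PKGSRC_USE_RELRO:tl} == "partial"` keeps the two files consistent. Separately, `_FORTIFY_CFLAGS` and `_RELRO_LDFLAGS` dropped the `.gcc` suffix and are now assigned for every OPSYS, not only NetBSD. Whether other compiler definitions use the same names is not visible in this diff and is worth confirming.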
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 1cdb89e88ff..9a053556b89 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.274 2017/04/16 22:10:40 khorben Exp $
+# $NetBSD: mk.conf,v 1.275 2017/04/16 23:12:37 khorben Exp $
#
# This file provides default values for variables that may be overridden
@@ -235,14 +235,19 @@ PKGSRC_USE_FORTIFY?= no
# Turns on substitute wrappers for commonly used functions that do not bounds
# checking regularly, but could in some cases. This is effectively in use only
# when both enabled and supported.
-# Possible: yes, no
+# Possible values:
+# no: Do not pass any flags for FORTIFY
+# weak: Pass -D_FORTIFY_SOURCE=1
+# strong: Pass -D_FORTIFY_SOURCE=2
# Default: no
PKGSRC_USE_RELRO?= no
# Link with RELRO by default (on supported platforms). This makes the
# exploitation of some security vulnerabilities more difficult in some cases.
-# Possible: yes, no
-# Default: no
+# Possible values:
+# no: Do not pass any flags for RELRO
+# partial: Pass -Wl,-z,relro
+# full: Pass -Wl,-z,relro -Wl,-z,now
PKGSRC_USE_SSP?= no
# Configure this to enable stack smashing protection (on supported platforms).
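Review bot: The RELRO comment block loses its `# Default: no` line, while the FORTIFY block above keeps it, so the two descriptions no longer match. Re-add `# Default: no` after the `full:` entry. The commit message says the former `yes` is still accepted and now means strong/full, but neither value list documents it. A line such as `# yes: Same as strong (accepted for compatibility)`, and its `full` counterpart for RELRO, would make that clear to anyone who still has `yes` in an existing mk.conf.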