authormaya <maya@pkgsrc.org>2018-05-23 11:26:54 +0000
committermaya <maya@pkgsrc.org>2018-05-23 11:26:54 +0000
commita5cbf7cb758a77a413e2d1b4662065bd87e739a9 (patch)
tree7fc10b0cc327cbdbcece038a3ac75948db0c9c39 /mk
parent8c00939aef22829a56441ea5b9db5e5900b5d31d (diff)
Describe some of the security mitigation flags and their impact
Diffstat (limited to 'mk')
-rw-r--r--mk/bsd.prefs.mk26
1 files changed, 25 insertions, 1 deletions
diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index 8772bf8babb..a891390fa79 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.396 2018/01/15 09:35:45 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.397 2018/05/23 11:26:54 maya Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -699,6 +699,10 @@ INIT_SYSTEM?= rc.d
_BUILD_DEFS+= INIT_SYSTEM
.endif
+# Build Position Independent Executables if supported
+# Allows the security mitigation of ASLR to be used.
+# Impact: very small performance drop.
+#
_PKGSRC_MKPIE= no
.if ${PKGSRC_MKPIE:tl} == "yes" && \
${MKPIE_SUPPORTED:Uyes:tl} == "yes" && \
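Review bot: The added comment above `_PKGSRC_MKPIE` credits PIE with enabling ASLR as a whole, which overstates what the flag does. Where ASLR is active, the stack, heap and shared libraries are typically randomised anyway, and PIE is what lets the main executable's own image be placed at a random address as well. I would reword the second line to `# Lets ASLR also randomise the load address of the executable itself.` The comment could also say that this knob is opt-in, because the condition tests `${PKGSRC_MKPIE:tl} == "yes"` while the FORTIFY, RELRO and SSP blocks test `!= "no"`. The `.if` continues past the end of the hunk.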
@@ -706,6 +710,9 @@ _PKGSRC_MKPIE= no
_PKGSRC_MKPIE= yes
.endif
+# Enable reproducible build flags
+# Adjusts debug symbols to omit workdir references
+#
_PKGSRC_MKREPRO= no
.if ${PKGSRC_MKREPRO:tl} == "yes" && \
${MKREPRO_SUPPORTED:Uyes:tl} == "yes" && \
@@ -713,6 +720,10 @@ _PKGSRC_MKREPRO= no
_PKGSRC_MKREPRO= yes
.endif
+# Enable FORTIFY
+# Security mitigation: compile and run-time checks for buffer overflows.
+# Impact: performance drop
+#
_PKGSRC_USE_FORTIFY= no
.if ${PKGSRC_USE_FORTIFY:tl} != "no" && \
${FORTIFY_SUPPORTED:Uyes:tl} == "yes" && \
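Review bot: The new comment for `_PKGSRC_USE_FORTIFY` does not say which values `PKGSRC_USE_FORTIFY` accepts. The test is `!= "no"`, so every other value turns the mitigation on, including a misspelt one, and a reader cannot tell from here whether different values select different strengths. A line such as `# Any value other than "no" enables this; accepted levels: <list from the option's documentation>` would close the gap. The same applies to the RELRO, SSP and stack-check hunks below, which use the same `!= "no"` test. The `.if` continues past the end of the hunk.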
@@ -720,6 +731,10 @@ _PKGSRC_USE_FORTIFY= no
_PKGSRC_USE_FORTIFY= yes
.endif
+# Use read-only relocations
+# Security mitigation: some ELF sections are mapped read-only.
+# Impact: increases program startup time as it disables lazy-binding
+#
_PKGSRC_USE_RELRO= no
.if ${PKGSRC_USE_RELRO:tl} != "no" && \
${RELRO_SUPPORTED:Uyes:tl} == "yes" && \
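Review bot: The `Impact:` line for `_PKGSRC_USE_RELRO` states the startup cost unconditionally, but only full RELRO, which forces immediate binding, disables lazy binding. Partial RELRO leaves lazy binding in place. Since the knob is tested with `!= "no"`, it presumably takes more than one level, so the comment should tie the cost to the full level: `# Impact: full RELRO resolves all symbols at startup (no lazy binding), which lengthens program start.` The mitigation line could also name what is protected, e.g. `# Security mitigation: the GOT and other relocated data are made read-only once relocation is done.`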
@@ -727,6 +742,11 @@ _PKGSRC_USE_RELRO= no
_PKGSRC_USE_RELRO= yes
.endif
+# Enable Stack-Smashing Protection
+# Security mitigation: add and check canaries on the stack at runtime
+# to find buffer overruns.
+# Impact: performance drop
+#
_PKGSRC_USE_SSP= no
.if ${PKGSRC_USE_SSP:tl} != "no" && \
${SSP_SUPPORTED:Uyes:tl} == "yes" && \
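Review bot: The SSP comment's "to find buffer overruns" is broader than what a stack canary detects. The canary is checked when the function returns, so it catches overwrites that run from a local buffer across the canary towards the saved return address, not overruns in general. I would tighten it to `# Security mitigation: place a canary before the saved return address and verify it on function return, aborting on stack buffer overruns that reach it.` The `.if` continues past the end of the hunk.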
@@ -734,6 +754,10 @@ _PKGSRC_USE_SSP= no
_PKGSRC_USE_SSP= yes
.endif
+# Enable stack check
+# Generate code to ensure we don't exceed our given stack.
+# Impact: performance drop
+#
_PKGSRC_USE_STACK_CHECK=no
.if ${PKGSRC_USE_STACK_CHECK:tl} != "no" && \
${STACK_CHECK_SUPPORTED:Uyes:tl} == "yes" && \