HEADSUP: PKGSRC_USE_SSP change

To: pkgsrc-users%pkgsrc.org@localhost, tech-pkg%pkgsrc.org@localhost
Subject: HEADSUP: PKGSRC_USE_SSP change
From: Jonathan Perkin <jperkin%joyent.com@localhost>
Date: Mon, 13 Jun 2016 14:30:30 +0100

Hi!

For anyone on NetBSD who has configured PKGSRC_USE_SSP=yes in their
mk.conf, you'll need to change "yes" to "all" after picking up the
attached change if you wish to continue using that setting.

Users on SunOS don't need to change anything as the previous default
was the same, but you now have the ability to increase the level of
protection if you so desire.

Regards,

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

--- Begin Message ---

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/mk
From: "Jonathan Perkin" <jperkin%netbsd.org@localhost>
Date: Mon, 13 Jun 2016 13:26:42 +0000

Module Name:	pkgsrc
Committed By:	jperkin
Date:		Mon Jun 13 13:26:42 UTC 2016

Modified Files:
	pkgsrc/mk: bsd.prefs.mk
	pkgsrc/mk/compiler: gcc.mk
	pkgsrc/mk/defaults: mk.conf

Log Message:
Change PKGSRC_USE_SSP to a quad option.  The options are now:

   "no"     Do not pass any stack protection flags (the default)
   "yes"    Pass -fstack-protector
   "strong" Pass -fstack-protector-strong
   "all"    Pass -fstack-protector-all

This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms.  Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.

While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.

Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.


To generate a diff of this commit:
cvs rdiff -u -r1.386 -r1.387 pkgsrc/mk/bsd.prefs.mk
cvs rdiff -u -r1.167 -r1.168 pkgsrc/mk/compiler/gcc.mk
cvs rdiff -u -r1.263 -r1.264 pkgsrc/mk/defaults/mk.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mk/bsd.prefs.mk
diff -u pkgsrc/mk/bsd.prefs.mk:1.386 pkgsrc/mk/bsd.prefs.mk:1.387
--- pkgsrc/mk/bsd.prefs.mk:1.386	Sun Apr 17 08:13:09 2016
+++ pkgsrc/mk/bsd.prefs.mk	Mon Jun 13 13:26:42 2016
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.386 2016/04/17 08:13:09 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.387 2016/06/13 13:26:42 jperkin Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -707,7 +707,7 @@ _PKGSRC_USE_RELRO=	yes
 .endif
 
 _PKGSRC_USE_SSP=	no
-.if (${PKGSRC_USE_SSP:tl} == "yes") && \
+.if (${PKGSRC_USE_SSP:tl} != "no") && \
     (${_OPSYS_SUPPORTS_SSP:Uno} == "yes")
 _PKGSRC_USE_SSP=	yes
 .endif

Index: pkgsrc/mk/compiler/gcc.mk
diff -u pkgsrc/mk/compiler/gcc.mk:1.167 pkgsrc/mk/compiler/gcc.mk:1.168
--- pkgsrc/mk/compiler/gcc.mk:1.167	Mon Apr 11 04:22:34 2016
+++ pkgsrc/mk/compiler/gcc.mk	Mon Jun 13 13:26:42 2016
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.167 2016/04/11 04:22:34 dbj Exp $
+# $NetBSD: gcc.mk,v 1.168 2016/06/13 13:26:42 jperkin Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -346,12 +346,10 @@ _MKPIE_CFLAGS.gcc=	-fPIC
 # XXX for libraries a sink wrapper around gcc is required and used instead
 #_MKPIE_LDFLAGS.gcc=	-pie
 _RELRO_LDFLAGS.gcc=	-Wl,-z,relro -Wl,-z,now
-_SSP_CFLAGS.gcc=	-fstack-protector-all
 .endif
 
 .if ${OPSYS} == "SunOS"
 _FORTIFY_CFLAGS.gcc=	-D_FORTIFY_SOURCE=2
-_SSP_CFLAGS.gcc=	-fstack-protector
 .endif
 
 .if ${_PKGSRC_MKPIE} == "yes"
@@ -372,9 +370,21 @@ _GCC_LDFLAGS+=		${_RELRO_LDFLAGS.gcc}
 CWRAPPERS_APPEND.ld+=	${_RELRO_LDFLAGS.gcc}
 .endif
  
+# The user can choose the level of stack smashing protection.
+.if ${PKGSRC_USE_SSP} == "all"
+_SSP_CFLAGS=		-fstack-protector-all
+.elif ${PKGSRC_USE_SSP} == "strong"
+_SSP_CFLAGS=		-fstack-protector-strong
+.else
+_SSP_CFLAGS=		-fstack-protector
+.endif
+
 .if ${_PKGSRC_USE_SSP} == "yes"
-_GCC_CFLAGS+=		${_SSP_CFLAGS.gcc}
-CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS.gcc}
+_WRAP_EXTRA_ARGS.CC+=	${_SSP_CFLAGS}
+_WRAP_EXTRA_ARGS.CXX+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.cxx+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.f77+=	${_SSP_CFLAGS}
 .endif
 
 # GCC has this annoying behaviour where it advocates in a multi-line

Index: pkgsrc/mk/defaults/mk.conf
diff -u pkgsrc/mk/defaults/mk.conf:1.263 pkgsrc/mk/defaults/mk.conf:1.264
--- pkgsrc/mk/defaults/mk.conf:1.263	Fri Mar 11 23:03:31 2016
+++ pkgsrc/mk/defaults/mk.conf	Mon Jun 13 13:26:42 2016
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.263 2016/03/11 23:03:31 khorben Exp $
+# $NetBSD: mk.conf,v 1.264 2016/06/13 13:26:42 jperkin Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -236,8 +236,12 @@ PKGSRC_USE_RELRO?= no
 # Default: no
 
 PKGSRC_USE_SSP?= no
-# Set this to yes to enable stack-smashing protection (on supported platforms).
-# Possible: yes, no
+# Configure this to enable stack smashing protection (on supported platforms).
+# Possible values:
+#	no:	Do not pass any stack protection flags
+#	yes:	Pass -fstack-protector
+#	strong:	Pass -fstack-protector-strong
+#	all:	Pass -fstack-protector-all
 # Default: no
 
 # The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below.

--- End Message ---

Prev by Date: Re: Recomendation for a proxy server with good security?
Next by Date: Re: Modifying package prefix for binary packages, when using pkg_chk/pkg_rolling-replace
Previous by Thread: Modifying package prefix for binary packages, when using pkg_chk/pkg_rolling-replace
Next by Thread: weird error around work/.PLIST* while building in a chroot
Indexes:

Home | Main Index | Thread Index | Old Index