Hi pkgsrc developers, I have updated the patch for pkgsrc hardening in EdgeBSD for the pkgsrc_2015Q4 branch. Please let me know if I can apply part (or all) of this patch to pkgsrc directly. The defaults can obviously be changed, particularly in the case of PKGSRC_MKPIE, as many packages are still expected to fail to build with it set. Cheers, -- khorben
commit 6fcf2222e25b47cf4b975d900faca6bcc6bb4479 Author: Pierre Pronchery <khorben%EdgeBSD.org@localhost> Date: Tue Mar 1 00:10:10 2016 +0100 Compile with fortify, PIE, RELRO, SSP by default This is currently applied when supported (NetBSD with GCC). diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk index 3fb8532..178ab9a 100644 --- a/mk/compiler/gcc.mk +++ b/mk/compiler/gcc.mk @@ -713,9 +713,10 @@ _GCC_LDFLAGS= # empty . for _dir_ in ${_GCC_LIBDIRS:N*not_found*} _GCC_LDFLAGS+= -L${_dir_} ${COMPILER_RPATH_FLAG}${_dir_} . endfor -LDFLAGS+= ${_GCC_LDFLAGS} .endif +LDFLAGS+= ${_GCC_LDFLAGS} + # Point the variables that specify the compiler to the installed # GCC executables. # diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf index ebe18a1..42f4b14 100644 --- a/mk/defaults/mk.conf +++ b/mk/defaults/mk.conf @@ -195,6 +195,19 @@ PKGSRC_MESSAGE_RECIPIENTS?= # Possible: any login names # Default: none +#PKGSRC_MKPIE?= yes +# If no, create regular executables. Otherwise create PIE (Position Independent +# Executables, on supported platforms). This option is necessary to fully +# leverage ASLR as a mitigation for security vulnerabilities. +# Possible: yes, no +# Default: yes + +#PKGSRC_MKRELRO?= yes +# Link with RELRO by default (on supported platforms). This makes the +# exploitation of some security vulnerabilities more difficult in some cases. +# Possible: yes, no +# Default: yes + PKGSRC_SHOW_BUILD_DEFS?=yes # Show BUILD_DEFS definitions for a package when it is being built # (BUILD_DEFS are extra definitions which govern how some packages are 
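Review bot: Moving `LDFLAGS+= ${_GCC_LDFLAGS}` past the `.endif` only helps if `_GCC_LDFLAGS` still holds what mk/platform/NetBSD.mk appends, and the `_GCC_LDFLAGS= # empty` shown in the hunk header is a plain assignment that discards any earlier `+=`. Whether that clobbers `RELRO_LDFLAGS` depends on the order in which the platform and compiler files are included, which is not visible here; please confirm, and if NetBSD.mk is read first, either use `_GCC_LDFLAGS+= # empty` there or move the RELRO append after this point. The `.if` that this `.endif` closes opens outside the hunk, so the now-unconditional line deserves a comment such as `# also carries hardening flags from the platform file, so add it even without _GCC_LIBDIRS`.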
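Review bot: The new PKGSRC_MKPIE and PKGSRC_MKRELRO descriptions say "on supported platforms" but never name them; the commit message limits both to NetBSD with GCC, and the cover note says many packages still fail to build with PIE, so a reader of mk.conf cannot judge the cost of leaving the default at yes. Suggest adding `# Currently only honoured on NetBSD with GCC; some packages do not build as PIE yet.` under the PKGSRC_MKPIE text and a matching "currently only NetBSD with GCC" line under PKGSRC_MKRELRO. The PKGSRC_MKPIE text would also be clearer if it noted that the option only affects executables, which the XXX comments in mk/platform/NetBSD.mk in this same patch already acknowledge.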
@@ -215,18 +228,15 @@ PKGSRC_RUN_TEST?= no # Possible: yes, no # Default: no -PKGSRC_USE_FORT?= yes +#PKGSRC_USE_FORT?= yes # Turns on substitute wrappers for commonly used functions that do not bounds -# checking regularly, but could in some cases (with GCC for instance). +# checking regularly, but could in some cases. This is effectively in use only +# when supported. # Possible: yes, no -# Default: no +# Default: yes -.if ${PKGSRC_USE_FORT:Uno} != "no" -PKGSRC_USE_SSP?= yes -.else -PKGSRC_USE_SSP?= no -.endif -# Set this to YES to enable stack-smashing protection (on supported platforms). +#PKGSRC_USE_SSP?= yes +# Set this to yes to enable stack-smashing protection (on supported platforms). # Possible: yes, no # Default: no, except if PKGSRC_USE_FORT is set to "yes". diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk index 9c34787..adb1d49 100644 --- a/mk/platform/NetBSD.mk +++ b/mk/platform/NetBSD.mk @@ -124,9 +124,13 @@ FFLAGS+= -mieee PKG_HAVE_KQUEUE= # defined .endif -.if ${PKGSRC_USE_FORT:Uno} != "no" +.if ${PKGSRC_USE_FORT:Uyes} != "no" # build with fortify -_GCC_CFLAGS+= -D_FORTIFY_SOURCE=2 +FORTIFY_CFLAGS?=-D_FORTIFY_SOURCE=2 +_GCC_CFLAGS+= ${FORTIFY_CFLAGS} + +# also enable SSP +PKGSRC_USE_SSP?= yes .endif .if ${PKGSRC_USE_SSP:Uno} != "no" 
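Review bot: The PKGSRC_USE_SSP entry is left inconsistent: the commented-out line now reads `#PKGSRC_USE_SSP?= yes` while the last line still says `# Default: no, except if PKGSRC_USE_FORT is set to "yes".`, and since PKGSRC_USE_FORT now defaults to yes the effective SSP default is yes wherever it is implemented. Suggest `# Default: yes when PKGSRC_USE_FORT is enabled (its default), otherwise no.` The PKGSRC_USE_FORT sentence "This is effectively in use only when supported" is vague; naming the platform, e.g. `# Currently only effective on NetBSD with GCC.`, tells the reader where fortify actually applies.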
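Review bot: `_FORTIFY_SOURCE=2` only activates the checked libc wrappers when the compiler optimizes (`-O1` or higher), so a package that builds with `-O0`, or whose configure script strips the optimization flags, silently gets no fortification while PKGSRC_USE_FORT reports it enabled. A comment at the `FORTIFY_CFLAGS?=` line such as `# NOTE: has no effect unless the package is compiled with optimization (-O1 or higher)` would prevent a false sense of coverage, and a later check of CFLAGS for `-O0` could turn that into a build-time warning. The `.if ${PKGSRC_USE_SSP:Uno}` block that follows continues beyond this hunk.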
@@ -135,10 +139,28 @@ _GCC_CFLAGS+= -D_FORTIFY_SOURCE=2 (${MACHINE_ARCH} != "ia64") && \ (${MACHINE_ARCH} != "mips") # build with stack protection (with GCC) -_GCC_CFLAGS+= -fstack-protector-all +SSP_CFLAGS?= -fstack-protector-all +_GCC_CFLAGS+= ${SSP_CFLAGS} . endif .endif +.if ${PKGSRC_MKPIE:Uyes} != "no" +# build position-independent code (with GCC, for ASLR) +PIE_CFLAGS?= -fPIC +# XXX for executables it should be: +# PIE_CFLAGS?= -fPIE +_GCC_CFLAGS+= ${PIE_CFLAGS} +PIE_LDFLAGS?= -Wl,-pie -shared-libgcc +# XXX for libraries a sink wrapper around gcc is required +# _GCC_LDFLAGS+=-Wl,-pie +.endif + +.if ${PKGSRC_MKRELRO:Uyes} != "no" +# link with RELRO (with GCC) +RELRO_LDFLAGS?= -Wl,-z,relro -Wl,-z,now +_GCC_LDFLAGS+= ${RELRO_LDFLAGS} +.endif + _OPSYS_CAN_CHECK_SHLIBS= yes # use readelf in check/bsd.check-vars.mk # check for maximum command line length and set it in configure's environment, diff --git a/mk/wrapper/arg-source b/mk/wrapper/arg-source index 9336414..6810240 100644 --- a/mk/wrapper/arg-source +++ b/mk/wrapper/arg-source @@ -161,6 +161,12 @@ while $test $# -gt 0; do ############################################################## -c|-S|-E) dont_link=yes + dont_link_binary=yes + append_queue argbuf "$arg" + $debug_log $wrapperlog " (arg-source) push: $arg" + ;; + -shared) + dont_link_binary=yes append_queue argbuf "$arg" $debug_log $wrapperlog " (arg-source) push: $arg" ;; diff --git a/mk/wrapper/bsd.wrapper.mk b/mk/wrapper/bsd.wrapper.mk index 8f79a36..0e3ad30 100644 --- a/mk/wrapper/bsd.wrapper.mk +++ b/mk/wrapper/bsd.wrapper.mk @@ -311,6 +311,11 @@ _WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC} .if !empty(PKGSRC_COMPILER:Mgcc) _WRAP_TRANSFORM.CC= ${WRAPPER_TMPDIR}/transform-gcc _WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC} +. if ${OPSYS} == "NetBSD" +. if ${PKGSRC_MKPIE:Uyes} != "no" +_WRAP_CMD_SINK.CC= ${WRAPPER_TMPDIR}/cmd-sink-netbsd-gcc +. endif +. endif .endif _WRAP_CMD_SINK.LD= ${WRAPPER_TMPDIR}/cmd-sink-ld 
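Review bot: `PIE_LDFLAGS?= -Wl,-pie -shared-libgcc` is defined but never appended to `_GCC_LDFLAGS` or used anywhere else in this patch; the link flags are hard-coded again in mk/wrapper/cmd-sink-netbsd-gcc, so overriding PIE_LDFLAGS in mk.conf changes nothing and the two copies can drift apart. Either export PIE_LDFLAGS to the wrapper environment so the sink can read it, or drop the variable until it is consumed, and say which in the `# XXX` comment. The PIE and RELRO blocks also lack the MACHINE_ARCH exclusions the SSP block just above applies; I cannot confirm from the patch that every NetBSD architecture links `-pie` correctly, but the SSP list suggests platform support is not uniform. Since `-fPIC` stands in for `-fPIE` (as the XXX admits), executables pay the full PIC cost; a comment naming that trade-off next to `PIE_CFLAGS?=` would help whoever revisits it.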
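Review bot: Only `-shared` clears the executable case, so a link that produces a relocatable object (`-r`) or a fully static binary (`-static`) still has `-Wl,-pie` appended by the sink; whether the NetBSD toolchain of this era accepts `-pie` together with `-static` is not verifiable from the patch, so please confirm or add `-r|-static)` arms that also set `dont_link_binary=yes`. The `while $test $# -gt 0` loop enclosing these arms starts outside the hunk, so I cannot see whether an earlier arm already consumes `-shared`. A comment on the new variable, `# dont_link_binary: set when the output is not an executable (object, preprocessed source or shared library)`, would document the contract the sink relies on.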
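Review bot: Only `_WRAP_CMD_SINK.CC` is pointed at cmd-sink-netbsd-gcc; the lines just above set `_WRAP_TRANSFORM.CXX= ${_WRAP_TRANSFORM.CC}`, which suggests the C++ wrapper has its own sink variable too, so C++ executables would be linked without the PIE flags while C executables get them, a partial ASLR coverage that is easy to miss. If the framework has a `_WRAP_CMD_SINK.CXX`, add `_WRAP_CMD_SINK.CXX= ${_WRAP_CMD_SINK.CC}` inside the same `. if`. A short comment such as `# NetBSD/GCC: append PIE link flags to executable links (see cmd-sink-netbsd-gcc)` would explain why the sink is swapped only here.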
@@ -513,6 +518,7 @@ generate-wrappers: ${_target_} cmd-sink-irix-cc \ cmd-sink-irix-ld \ cmd-sink-interix-gcc \ + cmd-sink-netbsd-gcc \ cmd-sink-ld \ cmd-sink-osf1-cc \ cmd-sink-osf1-ld \ diff --git a/mk/wrapper/cmd-sink-netbsd-gcc b/mk/wrapper/cmd-sink-netbsd-gcc new file mode 100644 index 0000000..89c19cf --- /dev/null +++ b/mk/wrapper/cmd-sink-netbsd-gcc 
@@ -0,0 +1,54 @@
+# $NetBSD$
+#
+# Copyright (c) 2015 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Pierre Pronchery.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by the NetBSD
+# Foundation, Inc. and its contributors.
+# 4. Neither the name of The NetBSD Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+while ! queue_is_empty cmdbuf; do
+ pop_queue cmdbuf arg
+ $debug_log $wrapperlog " (cmd-sink-netbsd-gcc) pop: $arg"
+ case $arg in
+ *)
+ . $buildcmd
+ ;;
+ esac
+done
+
+# Append any optional flags required when linking binaries.
+if $test "$dont_link_binary" != "yes"; then
+ # XXX obtain these flags from PIE_LDFLAGS
+ for arg in -Wl,-pie -shared-libgcc; do
+ $debug_log $wrapperlog " (cmd-sink-netbsd-gcc) pop: $arg"
+ . $buildcmd
+ done
+fi
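Review bot: The PIE link flags are hard-coded as `-Wl,-pie -shared-libgcc` (the XXX on the line before admits it), so the `PIE_LDFLAGS` variable introduced in mk/platform/NetBSD.mk is never what actually reaches the linker; if the wrapper environment can carry PIE_LDFLAGS, `for arg in ${PIE_LDFLAGS:--Wl,-pie -shared-libgcc}; do` keeps the current default while honouring an override, though I cannot tell from the patch whether that variable is exported to the wrappers. The `$debug_log` line inside that loop says `pop:` although the flag is being appended, not popped; `" (cmd-sink-netbsd-gcc) append: $arg"` would make the wrapper log readable when diagnosing a link that failed because of `-pie`. `$dont_link_binary` is read here but only ever set in arg-source, so an unset or empty value is what selects the executable path; a comment `# unset/empty means an executable is being linked` would make that contract explicit. The `case $arg in *) . $buildcmd ;; esac` has a single catch-all arm and could be the plain `. $buildcmd`.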