Re: Updated patch for pkgsrc hardening

[Pierre Pronchery <khorben%defora.org@localhost>]

			Hi,

On 03/03/16 11:11, Joerg Sonnenberger wrote:
> On Tue, Mar 01, 2016 at 01:03:06AM +0100, Pierre Pronchery wrote:
>> +.if ${PKGSRC_MKPIE:Uyes} != "no"
>> +# build position-independent code (with GCC, for ASLR)
>> +PIE_CFLAGS?=	-fPIC
>> +# XXX for executables it should be:
>> +# PIE_CFLAGS?=	-fPIE
>> +_GCC_CFLAGS+=	${PIE_CFLAGS}
>> +PIE_LDFLAGS?=	-Wl,-pie -shared-libgcc
>> +# XXX for libraries a sink wrapper around gcc is required
>> +# _GCC_LDFLAGS+=-Wl,-pie
>> +.endif
> 
> As I already said the last time, this is still the wrong way to link
> PIE.

Last time, you wrote:

> The correct way is to compile *and* link with -fPIE as documented. There
> are real differences for code generation purposes like whether access to
> the GOT can be bypassed. For linking, -Wl,-pie will result in the wrong
> CRT routines to be used.

And I investigated and figured that this is exactly how MKPIE is
implemented for NetBSD's own userland. So I do not see a problem here,
especially if it is not made the default.

Besides, there is no (easy) way to force packages to use -fPIE instead
of -fPIC if and only if building PIE executables (as opposed to simple
objects, libraries, or regular executables) if -fPIC is even set there
at all.

Cheers,
-- 
khorben