Current-Users archive


Some pkgsrc/mk/pax.mk suggestions (was: Re: PaX mprotect now on for amd64)



Hello Pierre and tech-pkg@!
(moving the discussion to tech-pkg@ where it is more appropriate)

Pierre Pronchery writes:
> I wrote this mini-framework for paxctl(8) in pkgsrc:
> 
> http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff;h=f1354300f9d734202bd0ce49b33d74f455aea9e1
> 
> and addressed some concerns there:
> http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff;h=4ed2e62c4e7416abbf6eba9887cdc5e2c6997c67
> 
> Let me know if I should import it, or about any concerns.
First of all, thank you for quickly addressing that and sorry for
the very late review. I will try to share just some ideas about
it!

Unfortunately right now I couldn't come up with a better nomenclature
regarding it. Apart from what David suggested... What about a more
similar mechanism also used by src/share/mk (i.e. PAXCTL_FLAGS)? I
think something like that can be used (similar to what we do with
several *_PERMS variables):

 PAXCTL_FLAGS+=	+m bin/frozz

What do you think? (maybe a better name should be decided?)
(maybe we can also abstract the flag usage so that paxctl will also be
OS-agnostic (i.e. it seems that Linux also has it but the syntax is
different), but we will need more nomenclature and I would like to
receive some feedback regarding that)

In pkgsrc/tools/tools.NetBSD.mk we can simplify the recognition of
paxctl via just an `.if exists()'. In this way, if other ports use
PaX features they will already have the correct `.note.netbsd.pax'
ELF section.

Another suggestion is to use BUILD_DEFS so that binary package users can
query the paxctl-fied programs in pkgsrc/mk/pax.mk.

For these two suggestions I'll attach possible patches in this email.

Other cosmetic and (not very important) suggestions (mostly for
consistency with other pkgsrc make fragments):

 - I think it's better to not expose TOOLS_PLATFORM.paxctl as a
   user-settable variable and so delete the comment about that in
   pax.mk.
 - _INSTALL_ALL_TARGETS is only used by pkgsrc/mk/install/install.mk but
   not other make files in pkgsrc/mk that depend on post-install.
   I think we can delete them in pax.mk.


Please let me know what you think and/or if I'm missing something!
Thank you for the attention!

Add NOT_PAX_ASLR_SAFE and NOT_PAX_MPROTECT_SAFE to BUILD_DEFS so the
paxctl-fied binaries can be inspected via `pkg_info -Q'

Index: mk/pax.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/pax.mk,v
retrieving revision 1.3
diff -u -p -r1.3 pax.mk
--- mk/pax.mk	27 May 2016 08:33:00 -0000	1.3
+++ mk/pax.mk	5 Jul 2016 15:37:39 -0000
@@ -24,6 +24,8 @@ PAXCTL=	${TOOLS_PLATFORM.paxctl}
 .  if !empty(NOT_PAX_ASLR_SAFE)
 _INSTALL_ALL_TARGETS+=		post-install-pax-aslr-binaries
 
+BUILD_DEFS+=	NOT_PAX_ASLR_SAFE
+
 .PHONY: post-install-pax-aslr-binaries
 post-install: post-install-pax-aslr-binaries
 post-install-pax-aslr-binaries:
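Review bot: `BUILD_DEFS+= NOT_PAX_ASLR_SAFE` sits inside the `.if !empty(NOT_PAX_ASLR_SAFE)` block, so the variable only reaches the package's build info when it is set, which matches the stated goal of letting `pkg_info -Q` show which binaries were paxctl-fied. One consistency point: the cover mail proposes dropping _INSTALL_ALL_TARGETS from pax.mk, yet this hunk keeps `_INSTALL_ALL_TARGETS+= post-install-pax-aslr-binaries` as unchanged context; if both changes are intended, fold them into a single patch so pax.mk is touched once.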
@@ -37,6 +39,8 @@ post-install-pax-aslr-binaries:
 .  if !empty(NOT_PAX_MPROTECT_SAFE)
 _INSTALL_ALL_TARGETS+=		post-install-pax-mprotect-binaries
 
+BUILD_DEFS+=	NOT_PAX_MPROTECT_SAFE
+
 .PHONY: post-install-pax-mprotect-binaries
 post-install: post-install-pax-mprotect-binaries
 post-install-pax-mprotect-binaries:
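Review bot: this repeats the pattern of the first hunk for NOT_PAX_MPROTECT_SAFE; since each variable is already guarded by its own `.if !empty(...)`, consider whether a single `BUILD_DEFS+= NOT_PAX_ASLR_SAFE NOT_PAX_MPROTECT_SAFE` line near the top of pax.mk would be simpler to maintain than two conditional additions. The shifted offsets in `@@ -37,6 +39,8 @@` correctly account for the two lines added by the previous hunk.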

Make TOOLS_PLATFORM.paxctl recognition more agnostic

Index: mk/tools/tools.NetBSD.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/tools/tools.NetBSD.mk,v
retrieving revision 1.58
diff -u -p -r1.58 tools.NetBSD.mk
--- mk/tools/tools.NetBSD.mk	26 May 2016 16:03:04 -0000	1.58
+++ mk/tools/tools.NetBSD.mk	5 Jul 2016 15:38:15 -0000
@@ -83,8 +83,7 @@ TOOLS_PLATFORM.nroff?=		/usr/bin/nroff
 TOOLS_PLATFORM.openssl?=	/usr/bin/openssl
 TOOLS_PLATFORM.patch?=		/usr/bin/patch
 TOOLS_PLATFORM.pax?=		/bin/pax
-.if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \
-	empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)
+.if exists(/usr/sbin/paxctl)
 TOOLS_PLATFORM.paxctl?=		/usr/sbin/paxctl
 .endif
 TOOLS_PLATFORM.printf?=		/usr/bin/printf
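Review bot: this is a behaviour change rather than a cosmetic one and the commit message should say so: the removed condition `empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)` was always true, because one MACHINE_PLATFORM value cannot match both patterns, so TOOLS_PLATFORM.paxctl was previously set on every NetBSD platform, whereas `.if exists(/usr/sbin/paxctl)` now ties it to the tool actually being present. Worth a comment next to the new line that `exists()` is evaluated at parse time on the build host, so the `.note.netbsd.pax` section is decided when the package is built, not where the binary package is later installed.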

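To verify on the defending side what the post-install paxctl step actually left in a binary, here is an added decoder for the raw contents of a `.note.netbsd.pax' section; it is my own example, not part of the patches above or of pkgsrc. The note name, type and flag bit values are assumptions reproduced from memory of NetBSD's <sys/exec_elf.h>, and the sample blobs are constructed rather than taken from real binaries.

```python
import struct

# Constants as in NetBSD's <sys/exec_elf.h> (assumption: reproduced from
# memory; check them against the header on your system before relying on this).
ELF_NOTE_PAX_NAME = b"PaX\0"
ELF_NOTE_TYPE_PAX_TAG = 3
PAX_FLAG_BITS = {
    0x01: "mprotect",    # ELF_NOTE_PAX_MPROTECT: explicit enable (paxctl +M)
    0x02: "nomprotect",  # ELF_NOTE_PAX_NOMPROTECT: explicit disable (paxctl +m)
    0x04: "guard",       # ELF_NOTE_PAX_GUARD
    0x08: "noguard",     # ELF_NOTE_PAX_NOGUARD
    0x10: "aslr",        # ELF_NOTE_PAX_ASLR: explicit enable (paxctl +A)
    0x20: "noaslr",      # ELF_NOTE_PAX_NOASLR: explicit disable (paxctl +a)
}

def parse_pax_note(section):
    """Return the PaX flag names stored in a raw .note.netbsd.pax blob.

    ELF note layout: namesz, descsz, type (32-bit words; little-endian assumed,
    which covers i386 and x86_64), then name and descriptor, each padded to a
    4-byte boundary.  Other notes sharing the section are skipped.
    """
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        off += 12
        name = section[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = section[off:off + descsz]
        off += (descsz + 3) & ~3
        if name == ELF_NOTE_PAX_NAME and ntype == ELF_NOTE_TYPE_PAX_TAG and len(desc) == 4:
            flags = struct.unpack("<I", desc)[0]
            return {label for bit, label in PAX_FLAG_BITS.items() if flags & bit}
    return set()  # no PaX note: the kernel's global defaults apply

def relaxed_protections(section):
    """Protections the binary opts out of, i.e. what paxctl-fying it changed."""
    return sorted(f for f in parse_pax_note(section) if f.startswith("no"))

def make_pax_note(flags):
    """Build a constructed .note.netbsd.pax blob carrying one flag word."""
    return (struct.pack("<III", 4, 4, ELF_NOTE_TYPE_PAX_TAG)
            + ELF_NOTE_PAX_NAME + struct.pack("<I", flags))

# Constructed samples, not taken from any real binary.
NOTE_PLUS_M = make_pax_note(0x02)        # what "paxctl +m bin/frozz" would leave
NOTE_PLUS_M_A = make_pax_note(0x22)      # mprotect and ASLR both relaxed
NOTE_UNTOUCHED = b""                     # binary never run through paxctl
```

On a real installed file, feed `parse_pax_note` the bytes of the `.note.netbsd.pax' section extracted with objcopy or an ELF library, and compare the result with what the package recorded in BUILD_DEFS.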
