pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mk Add granularity to PKGSRC_USE_FORTIFY and PKGSRC_US...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1b94822a7c63
branches:  trunk
changeset: 361199:1b94822a7c63
user:      khorben <khorben%pkgsrc.org@localhost>
date:      Sun Apr 16 23:12:37 2017 +0000

description:
Add granularity to PKGSRC_USE_FORTIFY and PKGSRC_USE_RELRO

The new options are, for FORTIFY:
  "no"     Do not pass any flags for FORTIFY
  "weak"   Pass -D_FORTIFY_SOURCE=1
  "strong" Pass -D_FORTIFY_SOURCE=2

This allows users to reduce the level of FORTIFY specified if necessary
or desired. The previous setting as "yes" is now equivalent to "strong"
(the default when enabling).

The new options are, for RELRO:
  "no"      Do not pass any flags for RELRO
  "partial" Pass -Wl,-z,relro
  "full"    Pass -Wl,-z,relro -Wl,-z,now

This allows users to reduce the level of RELRO specified if necessary or
desired. The previous setting as "yes" is now equivalent to "full" (the
default when enabling).

This is intended to match the changes committed by jperkin@ (for SSP)
after our discussion a (long) while back.

No functional change intended (with the settings supported so far).

diffstat:

 mk/bsd.prefs.mk     |   6 +++---
 mk/compiler/gcc.mk  |  26 +++++++++++++++++++-------
 mk/defaults/mk.conf |  13 +++++++++----
 3 files changed, 31 insertions(+), 14 deletions(-)

diffs (113 lines):

diff -r 386bd46b7af5 -r 1b94822a7c63 mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk   Sun Apr 16 22:10:40 2017 +0000
+++ b/mk/bsd.prefs.mk   Sun Apr 16 23:12:37 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.389 2017/02/01 09:55:07 sevan Exp $
+# $NetBSD: bsd.prefs.mk,v 1.390 2017/04/16 23:12:37 khorben Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -695,13 +695,13 @@
 .endif
 
 _PKGSRC_USE_FORTIFY=   no
-.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \
+.if (${PKGSRC_USE_FORTIFY:tl} != "no") && \
     (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
 _PKGSRC_USE_FORTIFY=   yes
 .endif
 
 _PKGSRC_USE_RELRO=     no
-.if (${PKGSRC_USE_RELRO:tl} == "yes") && \
+.if (${PKGSRC_USE_RELRO:tl} != "no") && \
     (${_OPSYS_SUPPORTS_RELRO:Uno} == "yes")
 _PKGSRC_USE_RELRO=     yes
 .endif
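Review bot: With `!= "no"` in both conditions, every value other than "no" now enables the feature, including an empty string or a misspelling of one of the documented levels. That fails toward hardening being on, which is the safer direction, but the user gets no indication that an unrecognised value was accepted, and gcc.mk then maps anything that is not "weak" or "partial" to the strongest level. I would state the intent next to the checks, for example `# Any value other than "no" enables FORTIFY (legacy "yes" included); the level is chosen in mk/compiler/gcc.mk.`, and the same for RELRO. Whether an unknown value should instead produce a diagnostic is worth deciding; none is visible in this hunk.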
diff -r 386bd46b7af5 -r 1b94822a7c63 mk/compiler/gcc.mk
--- a/mk/compiler/gcc.mk        Sun Apr 16 22:10:40 2017 +0000
+++ b/mk/compiler/gcc.mk        Sun Apr 16 23:12:37 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.175 2017/04/10 12:22:07 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.176 2017/04/16 23:12:37 khorben Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -316,13 +316,11 @@
 .endif
 
 .if ${OPSYS} == "NetBSD"
-_FORTIFY_CFLAGS.gcc=   -D_FORTIFY_SOURCE=2
 _MKPIE_CFLAGS.gcc=     -fPIC
 # XXX for executables it should be:
 #_MKPIE_CFLAGS.gcc=    -fPIE
 # XXX for libraries a sink wrapper around gcc is required and used instead
 #_MKPIE_LDFLAGS.gcc=   -pie
-_RELRO_LDFLAGS.gcc=    -Wl,-z,relro -Wl,-z,now
 .endif
 
 .if ${OPSYS} == "SunOS"
@@ -337,14 +335,28 @@
 # CWRAPPERS_APPEND.ld+=        ${_MKPIE_LDFLAGS.gcc}
 .endif
 
+# The user can choose the level of FORTIFY.
+.if ${PKGSRC_USE_FORTIFY} == "weak"
+_FORTIFY_CFLAGS=       -D_FORTIFY_SOURCE=1
+.else
+_FORTIFY_CFLAGS=       -D_FORTIFY_SOURCE=2
+.endif
+
 .if ${_PKGSRC_USE_FORTIFY} == "yes"
-_GCC_CFLAGS+=          ${_FORTIFY_CFLAGS.gcc}
-CWRAPPERS_APPEND.cc+=  ${_FORTIFY_CFLAGS.gcc}
+_GCC_CFLAGS+=          ${_FORTIFY_CFLAGS}
+CWRAPPERS_APPEND.cc+=  ${_FORTIFY_CFLAGS}
+.endif
+
+# The user can choose the level of RELRO.
+.if ${PKGSRC_USE_RELRO} == "partial"
+_RELRO_LDFLAGS=                -Wl,-z,relro
+.else
+_RELRO_LDFLAGS=                -Wl,-z,relro -Wl,-z,now
 .endif
 
 .if ${_PKGSRC_USE_RELRO} == "yes"
-_GCC_LDFLAGS+=         ${_RELRO_LDFLAGS.gcc}
-CWRAPPERS_APPEND.ld+=  ${_RELRO_LDFLAGS.gcc}
+_GCC_LDFLAGS+=         ${_RELRO_LDFLAGS}
+CWRAPPERS_APPEND.ld+=  ${_RELRO_LDFLAGS}
 .endif
  
 # The user can choose the level of stack smashing protection.
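Review bot: The level checks `.if ${PKGSRC_USE_FORTIFY} == "weak"` and `.if ${PKGSRC_USE_RELRO} == "partial"` compare the raw value, while bsd.prefs.mk decides on/off with `:tl`. A setting such as "Weak" or "PARTIAL" therefore enables the feature but silently selects `-D_FORTIFY_SOURCE=2` or full RELRO instead of the requested level. Using the same modifier here keeps the two files consistent: `.if ${PKGSRC_USE_FORTIFY:tl} == "weak"` and `.if ${PKGSRC_USE_RELRO:tl} == "partial"`. Separately, `_FORTIFY_CFLAGS` and `_RELRO_LDFLAGS` are now set for every OPSYS rather than inside the NetBSD block, so platform gating rests entirely on `_OPSYS_SUPPORTS_FORTIFY` and `_OPSYS_SUPPORTS_RELRO`, which are defined outside this diff. That presumably matches the "no functional change" claim but should be confirmed.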
diff -r 386bd46b7af5 -r 1b94822a7c63 mk/defaults/mk.conf
--- a/mk/defaults/mk.conf       Sun Apr 16 22:10:40 2017 +0000
+++ b/mk/defaults/mk.conf       Sun Apr 16 23:12:37 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.274 2017/04/16 22:10:40 khorben Exp $
+# $NetBSD: mk.conf,v 1.275 2017/04/16 23:12:37 khorben Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -235,14 +235,19 @@
 # Turns on substitute wrappers for commonly used functions that do not bounds
 # checking regularly, but could in some cases. This is effectively in use only
 # when both enabled and supported.
-# Possible: yes, no
+# Possible values:
+#      no:     Do not pass any flags for FORTIFY
+#      weak:   Pass -D_FORTIFY_SOURCE=1
+#      strong: Pass -D_FORTIFY_SOURCE=2
 # Default: no
 
 PKGSRC_USE_RELRO?= no
 # Link with RELRO by default (on supported platforms). This makes the
 # exploitation of some security vulnerabilities more difficult in some cases.
-# Possible: yes, no
-# Default: no
+# Possible values:
+#      no:      Do not pass any flags for RELRO
+#      partial: Pass -Wl,-z,relro
+#      full:    Pass -Wl,-z,relro -Wl,-z,now
 
 PKGSRC_USE_SSP?= no
 # Configure this to enable stack smashing protection (on supported platforms).
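Review bot: The RELRO comment block loses its `# Default: no` line while the FORTIFY block keeps one, so the two hardening options are now documented differently. Neither list mentions that the legacy value "yes" is still accepted and, per the commit description, means "strong" or "full". I would restore `# Default: no` after the RELRO list and add a line such as `#      yes:     Same as full (previous setting)` to it, with the matching `yes` line for FORTIFY.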


