pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/doc doc: RELRO revert



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2cf57ea13834
branches:  trunk
changeset: 769053:2cf57ea13834
user:      nia <nia%pkgsrc.org@localhost>
date:      Sun Nov 07 11:30:19 2021 +0000

description:
doc: RELRO revert

diffstat:

 doc/NEWS                      |   8 +---
 doc/guide/files/hardening.xml |  93 +++++++++++++++++++++---------------------
 2 files changed, 48 insertions(+), 53 deletions(-)

diffs (136 lines):

diff -r 88e7bcc257c3 -r 2cf57ea13834 doc/NEWS
--- a/doc/NEWS  Sun Nov 07 11:25:33 2021 +0000
+++ b/doc/NEWS  Sun Nov 07 11:30:19 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: NEWS,v 1.21 2021/10/10 08:39:40 nia Exp $
+# $NetBSD: NEWS,v 1.22 2021/11/07 11:30:19 nia Exp $
 
 PKGSRC NEWS
 ===========
@@ -24,12 +24,6 @@
        like i386 - usually this is due to unsafe assembly code,
        which should be disabled when MKPIE is enabled.
 
-       PKGSRC_USE_RELRO was enabled on some architectures.
-       This should not affect the majority of packages that properly
-       honor CFLAGS/LDFLAGS when building.  Packages experiencing
-       problems loading dynamic ELF plugins at runtime should have
-       RELRO disabled.
-
        PKGSRC_USE_SSP was bumped from "yes" to "strong".  This
        is not expected to have a noticable effect.
 
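Review bot: the PKGSRC_USE_RELRO paragraph is deleted outright rather than replaced, so a reader of NEWS gets no record that RELRO was switched on for some architectures and then switched back; replace the six removed lines with a short entry such as "PKGSRC_USE_RELRO is no longer enabled by default" together with the reason given in hardening.xml (it cannot yet be enforced globally through cwrappers), so packagers who hit the "problems loading dynamic ELF plugins at runtime" symptom named in the removed text still know which setting to look at.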
diff -r 88e7bcc257c3 -r 2cf57ea13834 doc/guide/files/hardening.xml
--- a/doc/guide/files/hardening.xml     Sun Nov 07 11:25:33 2021 +0000
+++ b/doc/guide/files/hardening.xml     Sun Nov 07 11:30:19 2021 +0000
@@ -1,4 +1,4 @@
-<!-- $NetBSD: hardening.xml,v 1.4 2021/11/02 08:28:45 nia Exp $ -->
+<!-- $NetBSD: hardening.xml,v 1.5 2021/11/07 11:30:19 nia Exp $ -->
 
 <appendix id="hardening">
 <title>Security hardening</title>
@@ -143,51 +143,6 @@
 </para>
 </sect3>
 
-<sect3 id="hardening.mechanisms.enabled.relro">
-<title>PKGSRC_USE_RELRO</title>
-
-<para>
-This also makes the exploitation of some security vulnerabilities more
-difficult in some cases.
-</para>
-
-<para>Two different mitigation levels are available:</para>
-
-<itemizedlist>
-<listitem>
-<para>
-partial: the ELF sections are reordered so that internal data sections
-precede the program's own data sections, and non-PLT GOT is read-only;
-</para>
-</listitem>
-<listitem>
-<para>
-full: in addition to partial RELRO, every relocation is performed immediately
-when starting the program (with a slight performance impact), allowing the
-entire GOT to be read-only.
-</para>
-</listitem>
-</itemizedlist>
-
-<para>
-This is currently supported by GCC. Many software distributions now enable this
-feature by default, at the "partial" level.
-</para>
-
-<para>
-More details can be found here:
-</para>
-
-<itemizedlist>
-<listitem>
-<para>
-<ulink url="https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro";>Hardening ELF binaries using Relocation Read-Only (RELRO)</ulink>
-</para>
-</listitem>
-</itemizedlist>
-</sect3>
-</sect2>
-
 <sect2 id="hardening.mechanisms.disabled">
 <title>Not enabled by default</title>
 
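Review bot: the `-</sect2>` at the end of this hunk removes the tag that closed `hardening.mechanisms.enabled`, while the trailing context shows `<sect2 id="hardening.mechanisms.disabled">` opening straight after it; the result is one sect2 nested inside another, which DocBook does not permit and which will fail validation of the guide. Keep `</sect2>` in place here and remove only the RELRO `<sect3>` block.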
@@ -219,6 +174,52 @@
 </para>
 </sect3>
 
+<sect3 id="hardening.mechanisms.enabled.relro">
+<title>PKGSRC_USE_RELRO</title>
+
+<para>
+This also makes the exploitation of some security vulnerabilities more
+difficult in some cases.
+</para>
+
+<para>Two different mitigation levels are available:</para>
+
+<itemizedlist>
+<listitem>
+<para>
+partial: the ELF sections are reordered so that internal data sections
+precede the program's own data sections, and non-PLT GOT is read-only;
+</para>
+</listitem>
+<listitem>
+<para>
+full: in addition to partial RELRO, every relocation is performed immediately
+when starting the program (with a slight performance impact), allowing the
+entire GOT to be read-only.
+</para>
+</listitem>
+</itemizedlist>
+
+<para>
+This is currently supported by GCC. Many software distributions now enable this
+feature by default, at the "partial" level. However, it cannot yet be enforced
+globally in pkgsrc through cwrappers.
+</para>
+
+<para>
+More details can be found here:
+</para>
+
+<itemizedlist>
+<listitem>
+<para>
+<ulink url="https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro";>Hardening ELF binaries using Relocation Read-Only (RELRO)</ulink>
+</para>
+</listitem>
+</itemizedlist>
+</sect3>
+</sect2>
+
 <sect3 id="hardening.mechanisms.disabled.stackcheck">
 <title>PKGSRC_USE_STACK_CHECK</title>
 
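Review bot: the moved section keeps `id="hardening.mechanisms.enabled.relro"` although it now sits under "Not enabled by default"; rename it to `hardening.mechanisms.disabled.relro` so it matches the sibling `hardening.mechanisms.disabled.stackcheck` and does not produce a misleading anchor. The `+</sect2>` added after it also closes the disabled section before the `<sect3 id="hardening.mechanisms.disabled.stackcheck">` that follows in the context, leaving that sect3 outside any sect2; drop the added `</sect2>`. Minor: the opening sentence "This also makes the exploitation of some security vulnerabilities more difficult" has no antecedent for "also" and would read better as "RELRO makes ...".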


