

CVS commit: pkgsrc/mk



Module Name:    pkgsrc
Committed By:   khorben
Date:           Sun Apr 16 23:12:37 UTC 2017

Modified Files:
        pkgsrc/mk: bsd.prefs.mk
        pkgsrc/mk/compiler: gcc.mk
        pkgsrc/mk/defaults: mk.conf

Log Message:
Add granularity to PKGSRC_USE_FORTIFY and PKGSRC_USE_RELRO

The new options are, for FORTIFY:
  "no"     Do not pass any flags for FORTIFY
  "weak"   Pass -D_FORTIFY_SOURCE=1
  "strong" Pass -D_FORTIFY_SOURCE=2

This allows users to reduce the level of FORTIFY specified if necessary
or desired. The previous setting as "yes" is now equivalent to "strong"
(the default when enabling).

The new options are, for RELRO:
  "no"      Do not pass any flags for RELRO
  "partial" Pass -Wl,-z,relro
  "full"    Pass -Wl,-z,relro -Wl,-z,now

This allows users to reduce the level of RELRO specified if necessary or
desired. The previous setting as "yes" is now equivalent to "full" (the
default when enabling).

This is intended to match the changes committed by jperkin@ (for SSP)
after our discussion a (long) while back.

No functional change intended (with the settings supported so far).


To generate a diff of this commit:
cvs rdiff -u -r1.389 -r1.390 pkgsrc/mk/bsd.prefs.mk
cvs rdiff -u -r1.175 -r1.176 pkgsrc/mk/compiler/gcc.mk
cvs rdiff -u -r1.274 -r1.275 pkgsrc/mk/defaults/mk.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mk/bsd.prefs.mk
diff -u pkgsrc/mk/bsd.prefs.mk:1.389 pkgsrc/mk/bsd.prefs.mk:1.390
--- pkgsrc/mk/bsd.prefs.mk:1.389        Wed Feb  1 09:55:07 2017
+++ pkgsrc/mk/bsd.prefs.mk      Sun Apr 16 23:12:37 2017
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.389 2017/02/01 09:55:07 sevan Exp $
+# $NetBSD: bsd.prefs.mk,v 1.390 2017/04/16 23:12:37 khorben Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -695,13 +695,13 @@ _PKGSRC_MKPIE=    yes
 .endif
 
 _PKGSRC_USE_FORTIFY=   no
-.if (${PKGSRC_USE_FORTIFY:tl} == "yes") && \
+.if (${PKGSRC_USE_FORTIFY:tl} != "no") && \
     (${_OPSYS_SUPPORTS_FORTIFY:Uno} == "yes")
 _PKGSRC_USE_FORTIFY=   yes
 .endif
 
 _PKGSRC_USE_RELRO=     no
-.if (${PKGSRC_USE_RELRO:tl} == "yes") && \
+.if (${PKGSRC_USE_RELRO:tl} != "no") && \
     (${_OPSYS_SUPPORTS_RELRO:Uno} == "yes")
 _PKGSRC_USE_RELRO=     yes
 .endif
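Review bot: The new test `${PKGSRC_USE_FORTIFY:tl} != "no"`, and the matching `${PKGSRC_USE_RELRO:tl} != "no"` below it, treats every value other than "no" as enabled, so a misspelling or a value such as "off" turns the feature on with no diagnostic. The failure direction is toward more hardening, which is the safe one, but the user gets no sign that the setting was not understood and may hit build failures they did not ask for. Consider checking the value against the accepted set (no, weak, strong, yes for FORTIFY; no, partial, full, yes for RELRO) and failing on anything else. At minimum, add a comment above each test such as `# Any value other than "no" enables this; the level is selected in the compiler file.`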

Index: pkgsrc/mk/compiler/gcc.mk
diff -u pkgsrc/mk/compiler/gcc.mk:1.175 pkgsrc/mk/compiler/gcc.mk:1.176
--- pkgsrc/mk/compiler/gcc.mk:1.175     Mon Apr 10 12:22:07 2017
+++ pkgsrc/mk/compiler/gcc.mk   Sun Apr 16 23:12:37 2017
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.175 2017/04/10 12:22:07 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.176 2017/04/16 23:12:37 khorben Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -316,13 +316,11 @@ CWRAPPERS_APPEND.cc+=     -std=gnu99
 .endif
 
 .if ${OPSYS} == "NetBSD"
-_FORTIFY_CFLAGS.gcc=   -D_FORTIFY_SOURCE=2
 _MKPIE_CFLAGS.gcc=     -fPIC
 # XXX for executables it should be:
 #_MKPIE_CFLAGS.gcc=    -fPIE
 # XXX for libraries a sink wrapper around gcc is required and used instead
 #_MKPIE_LDFLAGS.gcc=   -pie
-_RELRO_LDFLAGS.gcc=    -Wl,-z,relro -Wl,-z,now
 .endif
 
 .if ${OPSYS} == "SunOS"
@@ -337,14 +335,28 @@ CWRAPPERS_APPEND.cc+=     ${_MKPIE_CFLAGS.gc
 # CWRAPPERS_APPEND.ld+=        ${_MKPIE_LDFLAGS.gcc}
 .endif
 
+# The user can choose the level of FORTIFY.
+.if ${PKGSRC_USE_FORTIFY} == "weak"
+_FORTIFY_CFLAGS=       -D_FORTIFY_SOURCE=1
+.else
+_FORTIFY_CFLAGS=       -D_FORTIFY_SOURCE=2
+.endif
+
 .if ${_PKGSRC_USE_FORTIFY} == "yes"
-_GCC_CFLAGS+=          ${_FORTIFY_CFLAGS.gcc}
-CWRAPPERS_APPEND.cc+=  ${_FORTIFY_CFLAGS.gcc}
+_GCC_CFLAGS+=          ${_FORTIFY_CFLAGS}
+CWRAPPERS_APPEND.cc+=  ${_FORTIFY_CFLAGS}
+.endif
+
+# The user can choose the level of RELRO.
+.if ${PKGSRC_USE_RELRO} == "partial"
+_RELRO_LDFLAGS=                -Wl,-z,relro
+.else
+_RELRO_LDFLAGS=                -Wl,-z,relro -Wl,-z,now
 .endif
 
 .if ${_PKGSRC_USE_RELRO} == "yes"
-_GCC_LDFLAGS+=         ${_RELRO_LDFLAGS.gcc}
-CWRAPPERS_APPEND.ld+=  ${_RELRO_LDFLAGS.gcc}
+_GCC_LDFLAGS+=         ${_RELRO_LDFLAGS}
+CWRAPPERS_APPEND.ld+=  ${_RELRO_LDFLAGS}
 .endif
  
 # The user can choose the level of stack smashing protection.
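Review bot: The level checks `.if ${PKGSRC_USE_FORTIFY} == "weak"` and `.if ${PKGSRC_USE_RELRO} == "partial"` compare the raw value, while bsd.prefs.mk lower-cases it with `:tl` before testing. A setting such as "Weak" or "PARTIAL" therefore counts as enabled there but falls through to the `.else` branch here and gets the strongest level instead of the one requested. Use `.if ${PKGSRC_USE_FORTIFY:tl} == "weak"` and `.if ${PKGSRC_USE_RELRO:tl} == "partial"` so both files agree. Separately, `_FORTIFY_CFLAGS` and `_RELRO_LDFLAGS` are now set for every OPSYS rather than inside the NetBSD-only block edited in the previous hunk. Whether that changes the flags passed on other platforms depends on `_OPSYS_SUPPORTS_FORTIFY` and `_OPSYS_SUPPORTS_RELRO`, which are defined outside this diff, so it is worth confirming against the "no functional change" statement.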

Index: pkgsrc/mk/defaults/mk.conf
diff -u pkgsrc/mk/defaults/mk.conf:1.274 pkgsrc/mk/defaults/mk.conf:1.275
--- pkgsrc/mk/defaults/mk.conf:1.274    Sun Apr 16 22:10:40 2017
+++ pkgsrc/mk/defaults/mk.conf  Sun Apr 16 23:12:37 2017
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.274 2017/04/16 22:10:40 khorben Exp $
+# $NetBSD: mk.conf,v 1.275 2017/04/16 23:12:37 khorben Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -235,14 +235,19 @@ PKGSRC_USE_FORTIFY?= no
 # Turns on substitute wrappers for commonly used functions that do not bounds
 # checking regularly, but could in some cases. This is effectively in use only
 # when both enabled and supported.
-# Possible: yes, no
+# Possible values:
+#      no:     Do not pass any flags for FORTIFY
+#      weak:   Pass -D_FORTIFY_SOURCE=1
+#      strong: Pass -D_FORTIFY_SOURCE=2
 # Default: no
 
 PKGSRC_USE_RELRO?= no
 # Link with RELRO by default (on supported platforms). This makes the
 # exploitation of some security vulnerabilities more difficult in some cases.
-# Possible: yes, no
-# Default: no
+# Possible values:
+#      no:      Do not pass any flags for RELRO
+#      partial: Pass -Wl,-z,relro
+#      full:    Pass -Wl,-z,relro -Wl,-z,now
 
 PKGSRC_USE_SSP?= no
 # Configure this to enable stack smashing protection (on supported platforms).
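Review bot: The RELRO comment block loses its `# Default: no` line, which is removed together with `# Possible: yes, no` and not re-added, while the FORTIFY block keeps it; add `# Default: no` after the `full:` line. Neither list mentions that "yes" is still accepted, although the commit message says it now maps to strong and full respectively. A line such as `#      yes:    Same as strong (kept for compatibility)`, and the equivalent for RELRO, would keep existing mk.conf files understandable. It may also be worth noting in the FORTIFY text that these checks generally take effect only when a package is compiled with optimization enabled, so the setting alone does not guarantee coverage.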


