tech-pkg archive
Re: Improving security for pkgsrc
Hi,
On 07/19/15 01:50, Pierre Pronchery wrote:
> On 07/18/15 21:56, Joerg Sonnenberger wrote:
>>>>> 2. Building position-independent code:
>>>>>
>>>>> +_GCC_CFLAGS+= -fPIC
>>>>> +_GCC_LDFLAGS+= -Wl,-pie
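Review bot: the +_GCC_LDFLAGS+= -Wl,-pie line hands -pie to the linker only, so the compiler driver is never told it is producing a PIE and keeps choosing the startup (CRT) objects of an ordinary executable; the +_GCC_CFLAGS+= -fPIC line also applies library-style code generation to programs. Suggest compiling and linking executables with -fPIE, using the driver's own -pie at link time instead of -Wl,-pie, and keeping -fPIC for shared libraries.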
>>>>
>>>> This is not the correct way to create position independent binaries.
>>>
>>> Would you care to mention what the correct way is then?
>>> As a matter of fact, like I said, I have tested this to be working,
>>> except for the issue I mentioned.
>>
>> The correct way is to compile *and* link with -fPIE as documented. There
>> are real differences for code generation purposes like whether access to
>> the GOT can be bypassed. For linking, -Wl,-pie will result in the wrong
>> CRT routines to be used.
>
> Ok, thank you, I will investigate in this direction.
In NetBSD-current:
For libraries, share/mk/bsd.lib.mk:
.if defined(MKPIE) && (${MKPIE} != "no")
CFLAGS+= ${PIE_CFLAGS}
AFLAGS+= ${PIE_AFLAGS}
.endif
For programs, share/mk/bsd.prog.mk:
.if defined(MKPIE) && (${MKPIE} != "no")
CFLAGS+= ${PIE_CFLAGS}
AFLAGS+= ${PIE_AFLAGS}
LDFLAGS+= ${PIE_LDFLAGS}
.endif
PIE_CFLAGS, PIE_AFLAGS and PIE_LDFLAGS all come from the same place,
share/mk/bsd.own.mk:
.if !defined(LDSTATIC) || ${LDSTATIC} != "-static"
# Position Independent Executable flags
PIE_CFLAGS?= -fPIC
PIE_LDFLAGS?= -Wl,-pie ${${ACTIVE_CC} == "gcc":? -shared-libgcc :}
PIE_AFLAGS?= -fPIC
.endif
To me, it looks like programs are built with -fPIC instead of -fPIE like
you mentioned. Should we fix it there then?
Cheers,
--
khorben