"no" Do not pass any stack protection flags (the default)
"yes" Pass -fstack-protector
"strong" Pass -fstack-protector-strong
"all" Pass -fstack-protector-all
This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms. Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.
While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.
Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.
- Revisit (and rename) support for FORTIFY as PKGSRC_USE_FORTIFY (instead
of PKGSRC_USE_FORT) for easier support outside NetBSD/gcc;
- PKGSRC_USE_SSP is no longer enabled by default when PKGSRC_USE_FORTIFY
is enabled;
- PKGSRC_MKPIE builds executables as PIE (to leverage userland ASLR)
- PKGSRC_USE_RELRO builds with a read-only GOT to prevent some exploits
from functioning.
Tested on NetBSD/amd64 by myself, in every combination, with and without
pkgtools/cwrappers. MKPIE is not supported at the moment with cwrappers.
Also, MKPIE is known to still break a number of packages when enabled (and
actually supported).
Tested on SunOS by jperkin@, thank you!
As discussed on tech-pkg@, the default behavior is not changed, except
where noted above.
ok bsiegert@
Previously there were at least 5 different ways MACHINE_ARCH could be set,
some statically and some at run time, and in many cases these settings
differed, leading to issues at pkg_add time where there was conflict
between the setting encoded into the package and that used by pkg_install.
Instead, move to a single source of truth where the correct value based on
the host and the chosen (or default) ABI is determined in the bootstrap
script. The value can still be overridden in mk.conf if necessary, e.g.
for cross-compiling.
ABI is now set by default and if unset a default is calculated based on
MACHINE_ARCH. This fixes some OS, e.g. Linux, where the wrong default was
previously chosen.
As a result of the refactoring there is no need for LOWER_ARCH, with
references to it replaced by MACHINE_ARCH. SPARC_TARGET_ARCH is also
removed.
This goes as far back as 2001 (mk.conf.example) but there should not be any
reason to explicitly set CFLAGS for specific packages. In practice this
even fixes support for global CFLAGS in www/apache{22,24}.
ok gdt@
host and whether to use native or pkgsrc components.
With the use of builtin.mk in packages, these tests are superfluous and can
prevent the builtin.mk detection mechanism from working correctly.
Discovered on OpenBSD where X11_TYPE native was being used but the native
MesaLib wasn't because a test to check the presence of xorgversin.def
failed, forcing MesaLib to be added to $PREFER_PKGSRC.
Change leading if statement to default to an empty $PREFER_PKGSRC with OpenBSD &
Bitrig defaulting to this, remaining platforms should also be moved here after
testing, this is in preperation for replacing the block with just the default value for
$PREFER_PKGSRC.
Put together with instruction from jperkin@
Reviewed by jperkin@ wiz@
This is pretty much the same change as with SSP, and completes it with
support for fortify (like USE_FORT in NetBSD's base system). Like SSP, this
is disabled by default for the moment. Like in NetBSD's base system,
enabling fortify explicitly also enables SSP by default - but SSP can still
be disabled explicitly in this situation.
All four combinations tested on NetBSD/amd64.
This is enabled with PKGSRC_USE_SSP in mk.conf(5), as documented there.
Most NetBSD platforms are supported (when compiling with gcc).
After consensus on tech-pkg@.
