Date: Wed, 26 Oct 2022 08:34:46 GMT
Message-Id: <202210260834.29Q8YkaS092632@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Baptiste Daroussin
Subject: git: cc0e861e232d - main - hardening: add relro and bind_now features
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: bapt
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: cc0e861e232dbc725446c5ce43506e50005cbf30

The branch main has been updated by bapt:

URL: 
https://cgit.FreeBSD.org/ports/commit/?id=cc0e861e232dbc725446c5ce43506e50005cbf30 commit cc0e861e232dbc725446c5ce43506e50005cbf30 Author: Baptiste Daroussin AuthorDate: 2022-10-26 08:27:08 +0000 Commit: Baptiste Daroussin CommitDate: 2022-10-26 08:34:03 +0000 hardening: add relro and bind_now features As usual with features, this can be activated/deactivated via WITH/WITHOUT_ Each port can individually mark itself as not supporting the feature via _UNSAFE= --- Mk/Features/bind_now.mk | 10 ++++++++++ Mk/Features/relro.mk | 10 ++++++++++ Mk/bsd.port.mk | 2 +- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Mk/Features/bind_now.mk b/Mk/Features/bind_now.mk new file mode 100644 index 000000000000..99361c487265 --- /dev/null +++ b/Mk/Features/bind_now.mk @@ -0,0 +1,10 @@ +# BIND_NOW Support + +.if !defined(_BIND_NOW_MK_INCLUDED) +_BIND_NOW_MK_INCLUDED= yes +BIND_NOW_Include_MAINTAINER= portmgr@FreeBSD.org + +. if !defined(BIND_NOW_UNSAFE) +LDFLAGS+= -Wl,-znow +. endif +.endif diff --git a/Mk/Features/relro.mk b/Mk/Features/relro.mk new file mode 100644 index 000000000000..6ceb68d5d668 --- /dev/null +++ b/Mk/Features/relro.mk @@ -0,0 +1,10 @@ +# RELRO Support + +.if !defined(_RELRO_MK_INCLUDED) +_RELRO_MK_INCLUDED= yes +RELRO_Include_MAINTAINER= portmgr@FreeBSD.org + +. if !defined(RELRO_UNSAFE) +LDFLAGS+= -Wl,-zrelro +. endif +.endif diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk index 717a0efdee6f..1600ed176739 100644 --- a/Mk/bsd.port.mk +++ b/Mk/bsd.port.mk @@ -1017,7 +1017,7 @@ LC_ALL= C # These need to be absolute since we don't know how deep in the ports # tree we are and thus can't go relative. They can, of course, be overridden # by individual Makefiles or local system make configuration. -_LIST_OF_WITH_FEATURES= debug lto ssp pie +_LIST_OF_WITH_FEATURES= debug lto ssp pie relro bind_now _DEFAULT_WITH_FEATURES= ssp PORTSDIR?= /usr/ports LOCALBASE?= /usr/local
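Review bot: In Mk/Features/bind_now.mk the only documentation is the `# BIND_NOW Support` header, so a port maintainer has nothing to go on when deciding whether to set `BIND_NOW_UNSAFE`. `-Wl,-znow` makes the runtime linker resolve every symbol when the object is loaded, which breaks software that depends on lazy binding, for example a program or plugin with function symbols that stay undefined unless a particular code path runs. Suggest a short comment above the `. if !defined(BIND_NOW_UNSAFE)` line that says what the flag does and when a port should opt out.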
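Review bot: In Mk/Features/relro.mk, `LDFLAGS+= -Wl,-zrelro` on its own gives only partial RELRO: the PLT portion of the GOT stays writable while binding is lazy and becomes read-only only when `-z now` is also in effect. Since bind_now is a separate feature with its own switch, someone who enables relro alone can assume more protection than the binary actually has. Suggest saying in the `# RELRO Support` header that full RELRO needs both features enabled together.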
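Review bot: In Mk/bsd.port.mk the two names are added to `_LIST_OF_WITH_FEATURES` while `_DEFAULT_WITH_FEATURES= ssp` is left unchanged, so both features are opt-in and default builds get no new linker flags. If that is deliberate, it deserves a line in the commit message or a comment next to the list, because the comment directly above the changed line is about absolute paths and says nothing about features. A one-line comment naming each feature and noting which ones are on by default would make the intent clear to anyone reading this block.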