git: 396e9f259d96 - stable/13 - Enable PIE by default on 64-bit architectures

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Marcin Wojtas <mw_at_FreeBSD.org>
Date: Sun, 23 Jan 2022 10:25:44 UTC
The branch stable/13 has been updated by mw:

URL: https://cgit.FreeBSD.org/src/commit/?id=396e9f259d9629c5f5fa8dd65d39d21621af30fc

commit 396e9f259d9629c5f5fa8dd65d39d21621af30fc
Author:     Marcin Wojtas <mw@FreeBSD.org>
AuthorDate: 2021-01-22 12:13:03 +0000
Commit:     Marcin Wojtas <mw@FreeBSD.org>
CommitDate: 2022-01-23 10:09:54 +0000

    Enable PIE by default on 64-bit architectures
    
    This patch adds Position Independent Executables (PIE)
    flags for building OS. It allows to enable the ASLR
    feature based only on the sysctl knobs, without
    need to rebuild the image. Tests showed that
    no problems with stability / performance degradation
    were seen when using PIEs with ASLR disabled.
    
    The change is limited only for 64-bit architectures.
    
    Use bsd.opts.mk instead of the src.opts.mk in order
    to satisfy all build dependencies related to MK_PIE.
    
    Reviewed by: emaste, imp
    Obtained from: Semihalf
    Sponsored by: Stormshield
    Differential Revision: https://reviews.freebsd.org/D28328
    
    (cherry picked from commit 9a227a2fd642ec057a0ec70d67d5699d65553294)
---
 share/mk/bsd.opts.mk | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index 934f3d36df77..33d843593427 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -75,7 +75,6 @@ __DEFAULT_NO_OPTIONS = \
     INIT_ALL_PATTERN \
     INIT_ALL_ZERO \
     INSTALL_AS_USER \
-    PIE \
     MANSPLITPKG \
     RETPOLINE \
     STALE_STAGED
@@ -86,6 +85,21 @@ __DEFAULT_DEPENDENT_OPTIONS = \
     STAGING_PROG/STAGING \
     STALE_STAGED/STAGING \
 
+#
+# Default to disabling PIE on 32-bit architectures. The small address space
+# means that ASLR is of limited effectiveness, and it may cause issues with
+# some memory-hungry workloads.
+#
+.if ${MACHINE_ARCH} == "armv6" || ${MACHINE_ARCH} == "armv7" \
+    || ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "mips" \
+    || ${MACHINE_ARCH} == "mipsel" || ${MACHINE_ARCH} == "mipselhf" \
+    || ${MACHINE_ARCH} == "mipshf" || ${MACHINE_ARCH} == "mipsn32" \
+    || ${MACHINE_ARCH} == "mipsn32el" || ${MACHINE_ARCH} == "powerpc" \
+    || ${MACHINE_ARCH} == "powerpcspe"
+__DEFAULT_NO_OPTIONS+= PIE
+.else
+__DEFAULT_YES_OPTIONS+=PIE
+.endif
 
 .include <bsd.mkopt.mk>