PIE/PIC support on base

David Carlier david.carlier at hardenedbsd.org
Thu Oct 16 18:21:46 UTC 2014


I chose the "atomic" approach, since at the moment very few binaries are
concerned. So I applied INCLUDE_PIC_ARCHIVE in the needed libraries, plus
created WITH_PIE, which adds the -fPIE/-fpie and -pie flags only if you
include <bsd.prog.pie.mk> (which includes <bsd.prog.mk>...); otherwise other
binaries include <bsd.prog.mk> as usual, hence it does not apply. Does this
look like a reasonable approach?

On Thu, Oct 16, 2014 at 10:35 AM, Jeremie Le Hen <jlh at freebsd.org> wrote:

> Hi David,
>
> On Tue, Oct 14, 2014 at 12:02 AM, David Carlier
> <david.carlier at hardenedbsd.org> wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various place.
> >
> > These are B. Drewery suggestions :
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it wished to be applied in some
> > few places, like tcpdump/traceroute, sendmail ... shells ... I thought
> > about also casper/capsicum ... ntp ... jail
>
> Is it worth the time spent?  I mean, what is the drawback of enabling
> PIE "world"-wide and provide a setting which can be used globally or
> per-lib/binary to override this?  This is what I did back when SSP was
> introduced.
>
> Just to save one round trip in case someone answers that PIE binaries
> are slower: I think this claim needs a benchmark :).
>
> --
> Jeremie Le Hen
> jlh at FreeBSD.org
>
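A quick way to confirm that a WITH_PIE build actually produced position-independent executables (added example, not code from the thread or from HardenedBSD): a PIE binary is linked with ELF type ET_DYN, while a classic non-PIE executable is ET_EXEC, and that field sits at the same offset in ELF32 and ELF64 headers. The sample headers below are constructed inline; the directory scan is a hypothetical helper for auditing an installed tree.

```python
"""Check whether ELF executables were built as PIE (ET_DYN) or not (ET_EXEC)."""
import os
import struct
import sys
from typing import Dict, Optional

ET_EXEC, ET_DYN = 2, 3
ELF_MAGIC = b"\x7fELF"
EM_X86_64 = 62


def elf_type(data: bytes) -> Optional[str]:
    """Return the e_type name of an ELF image, or None if `data` is not ELF.

    Only the first 20 bytes are needed: magic, EI_CLASS, EI_DATA and the
    16-bit e_type at offset 16 (e_ident is 16 bytes in both ELF32 and ELF64).
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_data = data[5]  # 1 = little endian, 2 = big endian
    if ei_data not in (1, 2):
        return None
    (e_type,) = struct.unpack_from("<H" if ei_data == 1 else ">H", data, 16)
    return {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}.get(e_type, f"0x{e_type:x}")


def is_pie(data: bytes) -> bool:
    """PIE executables are ET_DYN. Caveat: shared libraries are ET_DYN too, so
    run this over executables (e.g. /usr/bin), not over library directories."""
    return elf_type(data) == "DYN"


def scan_dir(directory: str) -> Dict[str, bool]:
    """Map every ELF executable under `directory` to True (PIE) or False (no-PIE)."""
    result: Dict[str, bool] = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(20)
            except OSError:
                continue  # unreadable or a dangling symlink; skip
            if elf_type(head) in ("EXEC", "DYN"):
                result[path] = is_pie(head)
    return result


# Constructed sample headers (not real binaries): ELF64, little-endian, x86-64.
SAMPLE_PIE_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", ET_DYN, EM_X86_64)
SAMPLE_NOPIE_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", ET_EXEC, EM_X86_64)

if __name__ == "__main__":
    for path, pie in sorted(scan_dir(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin").items()):
        print(f"{'PIE   ' if pie else 'no-PIE'} {path}")
```

Run it against the install tree after a build to see which binaries the knob reached; anything still reported as no-PIE was linked without -pie.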

