|
version 1.1, 2016/03/17 02:45:18
|
version 1.2, 2016/03/17 03:05:59
|
|
Line 14 in `mk.conf`, and consist of:
|
Line 14 in `mk.conf`, and consist of:
|
| * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported |
* `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported |
| platforms) |
platforms) |
| |
|
| |
# Caveats |
| |
|
| |
## Problems with `PKGSRC_MKPIE` |
| |
|
| |
### No support for cwrappers |
| |
|
| |
As of the time of this article `PKGSRC_MKPIE` is not supported by |
| |
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`). |
| |
|
| |
### Packages failing to build |
| |
|
| |
A number of packages may fail to build with this option enabled. The failures |
| |
are often related to the absence of the "-fPIC" compilation flag when building |
| |
libraries or executables (or ideally "-fPIE" in the latter case). This flag is |
| |
added to the `CFLAGS` already, but requires the package to actually support it. |
| |
|
| |
#### How to fix |
| |
|
| |
These instructions are meant as a reference only; they likely need to be adapted |
| |
for many packages individually. |
| |
|
| |
For packages using `Makefiles`: |
| |
|
| |
MAKE_FLAGS+= CFLAGS=${CFLAGS:Q} |
| |
MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q} |
| |
|
| |
For packages using `Imakefiles`: |
| |
|
| |
MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q} |
| |
MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q} |
| |
|
| |
### Run-time crashes |
| |
|
| |
Some programs may fail to run, or crash at random times once built as PIE. Two |
| |
scenarios are essentially possible: |
| |
|
| |
* actual bug in the program crashing, exposed thanks to ASLR/mprotect; |
| |
* bug in the implementation of ASLR/mprotect in the Operating System. |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc