version 1.24, 2017/11/06 00:04:07
|
version 1.25, 2017/11/07 01:49:31
|
Line 8 about detecting and fixing problems.
|
Line 8 about detecting and fixing problems.
|
# Mechanisms |
# Mechanisms |
|
|
Mechanisms can be enabled individually in `mk.conf`, and are |
Mechanisms can be enabled individually in `mk.conf`, and are |
individually described below. They are sorted by whether thery are |
individually described below. They are sorted by whether thery are |
enabled by default, and then by their ordering in mk/defaults/mk.conf. |
enabled by default, and then by their ordering in mk/defaults/mk.conf. |
|
|
Typically, a feature will cause some programs to fail to build or work |
Typically, a feature will cause some programs to fail to build or work |
when first enabled. This can be due to latent problems in the |
when first enabled. This can be due to latent problems in the |
program, and can be due to other reasons. After enough testing to |
program, and can be due to other reasons. After enough testing to |
have confidence that user problems will be quite rare, individual |
have confidence that user problems will be quite rare, individual |
mechanisms will be enabled by default. |
mechanisms will be enabled by default. |
|
|
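Review bot: "thery" in "They are sorted by whether thery are enabled by default" is a typo for "they" and appears on both sides of this hunk, so the revision leaves it in place; fix it in this change. The same sentence names mk/defaults/mk.conf without the backticks used for `mk.conf` two lines earlier. The sentence "This can be due to latent problems in the program, and can be due to other reasons" would tell a user more if it named at least one of those other reasons.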
Line 29 This allows substitute wrappers to be us
|
Line 29 This allows substitute wrappers to be us
|
library functions that do not have built-in bounds checking - but |
library functions that do not have built-in bounds checking - but |
could in some cases. |
could in some cases. |
|
|
TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link |
TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link |
to a good explanation of the technique. Explain if this is gcc specific. |
to a good explanation of the technique. Explain if this is gcc specific. |
|
|
It has been enabled by default since pkgsrc-2017Q3. |
It has been enabled by default since pkgsrc-2017Q3. |
|
|
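Review bot: the TODO asking which of FORTIFY_SOURCE 1 or 2 is used is still open directly above "It has been enabled by default since pkgsrc-2017Q3", so the page announces a default without saying which level users get. Suggest answering the level and the gcc-specific question in the text together with the default-on statement, since a user diagnosing a build or runtime failure needs to know which checks are active. The fragment "that do not have built-in bounds checking - but could in some cases" is also ambiguous; say what "could" refers to.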
Line 38 It has been enabled by default since pkg
|
Line 38 It has been enabled by default since pkg
|
|
|
This enables a stack-smashing protection mitigation. |
This enables a stack-smashing protection mitigation. |
|
|
TODO: Give a link to a good explanation. Explain if this is gcc |
TODO: Give a link to a good explanation. Explain if this is gcc |
specific or also works with other compilers. Explain if it is C/C++ only. |
specific or also works with other compilers. Explain if it is C/C++ only. |
|
|
It is enabled by default where known supported since pkgsrc-2017Q3. |
It is enabled by default where known supported since pkgsrc-2017Q3. |
|
|
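Review bot: "It is enabled by default where known supported" does not let a reader tell whether their platform or compiler is covered, and the TODO above it (gcc specific? C/C++ only?) is unanswered. Suggest naming the supported platforms and compilers, or pointing at the file where support is decided, so the default can be checked rather than assumed.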
Line 50 It is enabled by default where known sup
|
Line 50 It is enabled by default where known sup
|
### PKGSRC_MKPIE |
### PKGSRC_MKPIE |
|
|
This requests the the creation of PIE (Position Independent |
This requests the the creation of PIE (Position Independent |
Executables) for all executables. The PIE mechanism is normally used |
Executables) for all executables. The PIE mechanism is normally used |
for shared libraries so that they can be loaded at differing addresses |
for shared libraries so that they can be loaded at differing addresses |
at runtime. PIE itself does not have useful security properties. |
at runtime. PIE itself does not have useful security properties. |
However, some operating systems support Address Space Layout |
However, some operating systems support Address Space Layout |
Randomization (ASLR), which causes different addresses to be used each |
Randomization (ASLR), which causes different addresses to be used each |
time a program is run. This makes it more difficult for an attacker |
time a program is run. This makes it more difficult for an attacker |
to guess addresses and thus makes exploits harder to construct. |
to guess addresses and thus makes exploits harder to construct. |
|
|
TODO/check: PIE executables will only be built for toolchains that |
TODO/check: PIE executables will only be built for toolchains that |
support PIE and operating systems known to support ASLR. Currently, |
support PIE and operating systems known to support ASLR. Currently, |
this means NetBSD 8 and later, i386 and amd64. |
this means NetBSD 8 and later, i386 and amd64. |
|
|
### PKGSRC_USE_RELRO |
### PKGSRC_USE_RELRO |
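Review bot: the paragraph marked "TODO/check" states "Currently, this means NetBSD 8 and later, i386 and amd64" as fact while flagging itself as unverified; confirm it against the build infrastructure and drop the marker, or word it as tentative. In the first sentence, "the the creation of PIE" has a doubled word. "The PIE mechanism is normally used for shared libraries" would be more precise as position-independent code (PIC), since PIE refers to executables, as the preceding sentence says.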