--- wikisrc/pkgsrc/hardening.mdwn 2021/04/06 10:36:45 1.47 +++ wikisrc/pkgsrc/hardening.mdwn 2021/10/01 15:48:03 1.48 @@ -47,23 +47,22 @@ and therefore exposing these bugs. Different mitigation levels are available: -* the default ("yes"), which will only protect functions considered vulnerable +* "yes", which will only protect functions considered vulnerable by the compiler; * "all", which will protect every function; -* "strong", which will apply a better balance between the two settings above. +* "strong", the default, which will apply a better balance between the two settings above. This mitigation is supported by both GCC and clang. It may be supported in additional compilers, possibly under a different name. It is particularly useful for unsafe programming languages, such as C/C++. -It is enabled by default where known supported since pkgsrc-2017Q3. +"yes" is enabled by default where known supported since pkgsrc-2017Q3. +"strong" is enabled by default where known supported since pkgsrc-2021Q4. More details can be found here: * -## Not enabled by default - ### PKGSRC_MKPIE This requests the creation of PIE (Position Independent Executables) for all @@ -77,19 +76,10 @@ exploits harder to construct. With PIE, program, instead of the stack and heap only. PIE executables will only be built for toolchains that are known to support PIE. -Currently, this means NetBSD on amd64 and i386. +Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS. -### PKGSRC_MKREPRO +PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch. -With this option, pkgsrc will try to build packages reproducibly. This allows -packages built from the same tree and with the same options, to produce -identical results bit by bit. This option should be combined with ASLR and -`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to -exploit security vulnerabilities. - -More details can be found here: - -* ### PKGSRC_USE_RELRO 
@@ -109,8 +99,25 @@ feature by default, at the "partial" lev More details can be found here: +* * +## Not enabled by default + +### PKGSRC_MKREPRO + +With this option, pkgsrc will try to build packages reproducibly. This allows +packages built from the same tree and with the same options, to produce +identical results bit by bit. This option should be combined with ASLR and +`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to +exploit security vulnerabilities. + +More details can be found here: + +* + +More work likely needs to be done before pkgsrc is fully reproducible. + ### PKGSRC_USE_STACK_CHECK This uses `-fstack-check` with GCC for another stack protection mitigation. @@ -123,11 +130,6 @@ multi-threaded programs. ## Problems with `PKGSRC_MKPIE` -### Recent support for cwrappers - -`PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3 -release on (`USE_CWRAPPERS` in `mk.conf`). - ### Packages failing to build A number of packages may fail to build with this option enabled. The failures @@ -153,10 +155,17 @@ For packages using `Imakefiles`: ### Run-time crashes Some programs may fail to run, or crash at random times once built as PIE. Two -scenarios are essentially possible: +scenarios are essentially possible. This is nearly always due to a bug in +the program being exposed due to ASLR. -* actual bug in the program crashing, exposed thanks to ASLR/mprotect; -* bug in the implementation of ASLR/mprotect in the Operating System. +### Disabling PKGSRC_MKPIE on a per-package basis + +Ideally, packages should be fixed for compatibility with MKPIE. +However, in some cases this is very difficult, due to complex build systems, +packages using non-standard toolchains, or programming languages with odd +bootstrapping mechanisms. + +To disable `PKGSRC_MKPIE` on a per-package basis, set `MKPIE_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included. ## Problems with `PKGSRC_USE_FORTIFY` 
@@ -208,6 +217,10 @@ initialization routine can run, and the them directly and abort as a result. Unfortunately, this is how Xorg loads its drivers. Partial RELRO can be applied instead in this case. +### Disabling RELRO on a per-package basis + +To disable RELRO on a per-package basis, set `RELRO_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included. + ## Problems with `PKGSRC_USE_SSP` ### Packages failing to build
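Review bot: In the first hunk (`@@ -47,23 +47,22 @@`) the SSP default is stated three ways that do not quite agree: the list now says `"strong", the default`, but the two sentences below it both say "is enabled by default" ("yes" since pkgsrc-2017Q3, "strong" since pkgsrc-2021Q4). Reword the first as past tense, e.g. `"yes" was the default where known supported from pkgsrc-2017Q3;`, and since this edit is dated 2021/10/01 the "strong" sentence should match the phrasing used for PIE in the same hunk ("after the pkgsrc-2021Q3 branch") rather than name a 2021Q4 branch that has not been cut. Note also that deleting the `## Not enabled by default` heading moves `### PKGSRC_MKPIE` under the enabled-by-default section, which is consistent with the new "PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch" line; the RELRO section that follows stays there too, so the reader should be able to tell RELRO's "partial" default is intended.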
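Review bot: In the second hunk (`@@ -109,8 +99,25 @@`) the added reference bullet is visible only as `+* ` with nothing after it; check that the link text survived, since the surrounding bullets in this file all carry a URL. The relocated PKGSRC_MKREPRO text still says the option "should be combined with ASLR and `PKGSRC_MKPIE`", which now reads as if MKPIE had to be switched on by hand even though this same change makes it the default; a short clause such as "(now the default)" would keep the advice accurate, and the new closing sentence "More work likely needs to be done before pkgsrc is fully reproducible." would be more useful if it said what is known not to be reproducible yet.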
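Review bot: In the third hunk (`@@ -123,11 +130,6 @@`) the cwrappers subsection is deleted without saying whether the requirement is gone or merely old: the removed lines state that `PKGSRC_MKPIE` only works with `pkgtools/cwrappers` from the 2017Q3 release (`USE_CWRAPPERS` in `mk.conf`). If MKPIE still depends on cwrappers, a one-line reminder should remain now that MKPIE is on by default; if the legacy wrappers also support it, the commit message or this section should say so.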
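Review bot: In the fourth hunk (`@@ -153,10 +155,17 @@`) the sentence "Two scenarios are essentially possible." is left dangling: the two-item list that enumerated the scenarios (program bug exposed by ASLR/mprotect, or a bug in the OS implementation) is deleted, so the reader is told there are two and shown none. Either drop that sentence, or keep the second bullet and then say the first case is nearly always the cause; the following sentence also repeats "due to" twice ("due to a bug in the program being exposed due to ASLR"). The new per-package instruction (`MKPIE_SUPPORTED= no` before `bsd.prefs.mk` is included) is clear; stating that a `MKPIE_SUPPORTED` override should be accompanied by a comment explaining why would help keep those exceptions from accumulating, as the paragraph itself says fixing the package is preferred.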
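Review bot: In the fifth hunk (`@@ -208,6 +217,10 @@`) the new subsection only documents turning RELRO off entirely (`RELRO_SUPPORTED= no`), while the paragraph immediately above it says the remedy for the Xorg driver-loading case is to apply partial RELRO instead. Either state that the per-package knob is all-or-nothing, or document how a package selects partial RELRO, so that maintainers do not disable the mitigation completely when the text suggests a weaker setting suffices.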