Diff for /wikisrc/pkgsrc/hardening.mdwn between versions 1.47 and 1.48

version 1.47, 2021/04/06 10:36:45 version 1.48, 2021/10/01 15:48:03
Line 47  and therefore exposing these bugs. Line 47  and therefore exposing these bugs.
   
 Different mitigation levels are available:  Different mitigation levels are available:
   
 * the default ("yes"), which will only protect functions considered vulnerable  * "yes", which will only protect functions considered vulnerable
   by the compiler;    by the compiler;
 * "all", which will protect every function;  * "all", which will protect every function;
 * "strong", which will apply a better balance between the two settings above.  * "strong", the default, which will apply a better balance between the two settings above.
   
 This mitigation is supported by both GCC and clang. It may be supported in  This mitigation is supported by both GCC and clang. It may be supported in
 additional compilers, possibly under a different name. It is particularly useful  additional compilers, possibly under a different name. It is particularly useful
 for unsafe programming languages, such as C/C++.  for unsafe programming languages, such as C/C++.
   
 It is enabled by default where known supported since pkgsrc-2017Q3.  "yes" is enabled by default where known supported since pkgsrc-2017Q3.
   "strong" is enabled by default where known supported since pkgsrc-2021Q4.
   
 More details can be found here:  More details can be found here:
   
 * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>  * <https://en.wikipedia.org/wiki/Buffer_overflow_protection>
   
 ## Not enabled by default  
   
 ### PKGSRC_MKPIE  ### PKGSRC_MKPIE
   
 This requests the creation of PIE (Position Independent Executables) for all  This requests the creation of PIE (Position Independent Executables) for all
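Review bot: The two new sentences after the SSP level list both say a level "is enabled by default" ("yes" since pkgsrc-2017Q3, "strong" since pkgsrc-2021Q4), which contradicts the list itself, where only "strong" is now marked as the default. Put the first sentence in the past tense, for example: "yes" was the default from pkgsrc-2017Q3 until "strong" replaced it in pkgsrc-2021Q4. The description of "strong" as "a better balance between the two settings above" is also still vague now that it is the default; a short statement of which functions it protects would help.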
Line 77  exploits harder to construct. With PIE,  Line 76  exploits harder to construct. With PIE, 
 program, instead of the stack and heap only.  program, instead of the stack and heap only.
   
 PIE executables will only be built for toolchains that are known to support PIE.  PIE executables will only be built for toolchains that are known to support PIE.
 Currently, this means NetBSD on amd64 and i386.  Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS.
   
 ### PKGSRC_MKREPRO  PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch.
   
 With this option, pkgsrc will try to build packages reproducibly. This allows  
 packages built from the same tree and with the same options, to produce  
 identical results bit by bit. This option should be combined with ASLR and  
 `PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to  
 exploit security vulnerabilities.  
   
 More details can be found here:  
   
 * <https://reproducible-builds.org/>  
   
 ### PKGSRC_USE_RELRO  ### PKGSRC_USE_RELRO
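Review bot: The new sentence "PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch" dates the change differently from the SSP text in this same revision, which says "since pkgsrc-2021Q4"; use one form for both so readers can tell whether they refer to the same release. In the platform list, "x86" replaces the explicit "amd64 and i386", so say whether both are still meant. With PIE now on by default, this section should also point to where opting out is documented (`MKPIE_SUPPORTED= no`, added further down the page).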
   
Line 109  feature by default, at the "partial" lev Line 99  feature by default, at the "partial" lev
   
 More details can be found here:  More details can be found here:
   
   * <https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro>
 * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>  * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html>
   
   ## Not enabled by default
   
   ### PKGSRC_MKREPRO
   
   With this option, pkgsrc will try to build packages reproducibly. This allows
   packages built from the same tree and with the same options, to produce
   identical results bit by bit. This option should be combined with ASLR and
   `PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to
   exploit security vulnerabilities.
   
   More details can be found here:
   
   * <https://reproducible-builds.org/>
   
   More work likely needs to be done before pkgsrc is fully reproducible.
   
 ### PKGSRC_USE_STACK_CHECK  ### PKGSRC_USE_STACK_CHECK
   
 This uses `-fstack-check` with GCC for another stack protection mitigation.  This uses `-fstack-check` with GCC for another stack protection mitigation.
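Review bot: The relocated PKGSRC_MKREPRO paragraph still advises combining the option with `PKGSRC_MKPIE`, which reads as an extra step even though this revision makes PIE the default; reword it to say the default PIE setting should be left on when building reproducibly. The added caveat "More work likely needs to be done before pkgsrc is fully reproducible" sits after the links list and does not say what is known to differ; move it into the paragraph describing the option and name the known gaps or link to where they are tracked.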
Line 123  multi-threaded programs. Line 130  multi-threaded programs.
   
 ## Problems with `PKGSRC_MKPIE`  ## Problems with `PKGSRC_MKPIE`
   
 ### Recent support for cwrappers  
   
 `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3  
 release on (`USE_CWRAPPERS` in `mk.conf`).  
   
 ### Packages failing to build  ### Packages failing to build
   
 A number of packages may fail to build with this option enabled. The failures  A number of packages may fail to build with this option enabled. The failures
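Review bot: Removing the "Recent support for cwrappers" subsection drops the page's only statement of the minimum `pkgtools/cwrappers` release (2017Q3) that supports `PKGSRC_MKPIE`. If trees older than that are no longer a concern, say so in the commit message; otherwise keep it as a one-line note, since a reader cannot otherwise tell that older wrappers do not support the option.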
Line 153  For packages using `Imakefiles`: Line 155  For packages using `Imakefiles`:
 ### Run-time crashes  ### Run-time crashes
   
 Some programs may fail to run, or crash at random times once built as PIE. Two  Some programs may fail to run, or crash at random times once built as PIE. Two
 scenarios are essentially possible:  scenarios are essentially possible. This is nearly always due to a bug in
   the program being exposed due to ASLR.
   
 * actual bug in the program crashing, exposed thanks to ASLR/mprotect;  ### Disabling PKGSRC_MKPIE on a per-package basis
 * bug in the implementation of ASLR/mprotect in the Operating System.  
   Ideally, packages should be fixed for compatibility with MKPIE.
   However, in some cases this is very difficult, due to complex build systems,
   packages using non-standard toolchains, or programming languages with odd
   bootstrapping mechanisms.
   
   To disable `PKGSRC_MKPIE` on a per-package basis, set `MKPIE_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included.
   
 ## Problems with `PKGSRC_USE_FORTIFY`  ## Problems with `PKGSRC_USE_FORTIFY`
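Review bot: In "Run-time crashes", the lead-in "Two scenarios are essentially possible" is kept although the two-item list it introduced is removed, so it now dangles in front of a sentence that names a single cause. Delete the lead-in or restore the list. The replacement sentence also uses "due to" twice and drops the operating system ASLR/mprotect case; if that case can still occur, "nearly always" should be followed by a clause naming the exception. In the new per-package section, ask for a comment next to `MKPIE_SUPPORTED= no` recording why the package cannot be built as PIE, so the exemption can be revisited.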
   
Line 208  initialization routine can run, and the  Line 217  initialization routine can run, and the 
 them directly and abort as a result. Unfortunately, this is how Xorg loads its  them directly and abort as a result. Unfortunately, this is how Xorg loads its
 drivers. Partial RELRO can be applied instead in this case.  drivers. Partial RELRO can be applied instead in this case.
   
   ### Disabling RELRO on a per-package basis
   
   To disable RELRO on a per-package basis, set `RELRO_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included.
   
 ## Problems with `PKGSRC_USE_SSP`  ## Problems with `PKGSRC_USE_SSP`
   
 ### Packages failing to build  ### Packages failing to build
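Review bot: The new "Disabling RELRO on a per-package basis" section documents only `RELRO_SUPPORTED= no`, which turns the mitigation off entirely, while the paragraph directly above it recommends falling back to partial RELRO for the Xorg driver case. State how a package selects partial RELRO, or say explicitly that the per-package switch is all-or-nothing, so maintainers do not disable more protection than the problem requires.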
