version 1.47, 2021/04/06 10:36:45
|
version 1.48, 2021/10/01 15:48:03
|
Line 47 and therefore exposing these bugs.
|
Line 47 and therefore exposing these bugs.
|
|
|
Different mitigation levels are available: |
Different mitigation levels are available: |
|
|
* the default ("yes"), which will only protect functions considered vulnerable |
* "yes", which will only protect functions considered vulnerable |
by the compiler; |
by the compiler; |
* "all", which will protect every function; |
* "all", which will protect every function; |
* "strong", which will apply a better balance between the two settings above. |
* "strong", the default, which will apply a better balance between the two settings above. |
|
|
This mitigation is supported by both GCC and clang. It may be supported in |
This mitigation is supported by both GCC and clang. It may be supported in |
additional compilers, possibly under a different name. It is particularly useful |
additional compilers, possibly under a different name. It is particularly useful |
for unsafe programming languages, such as C/C++. |
for unsafe programming languages, such as C/C++. |
|
|
It is enabled by default where known supported since pkgsrc-2017Q3. |
"yes" is enabled by default where known supported since pkgsrc-2017Q3. |
|
"strong" is enabled by default where known supported since pkgsrc-2021Q4. |
|
|
More details can be found here: |
More details can be found here: |
|
|
* <https://en.wikipedia.org/wiki/Buffer_overflow_protection> |
* <https://en.wikipedia.org/wiki/Buffer_overflow_protection> |
|
|
## Not enabled by default |
|
|
|
### PKGSRC_MKPIE |
### PKGSRC_MKPIE |
|
|
This requests the creation of PIE (Position Independent Executables) for all |
This requests the creation of PIE (Position Independent Executables) for all |
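Review bot: The rewritten sentence `"yes" is enabled by default where known supported since pkgsrc-2017Q3.` is still in the present tense, so together with `"strong", the default` in the list above it the page now names two defaults. Suggest past tense for the first one, for example that "yes" was the default from pkgsrc-2017Q3 until "strong" replaced it in pkgsrc-2021Q4, so that readers on an older branch can tell which level they actually get.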
Line 77 exploits harder to construct. With PIE,
|
Line 76 exploits harder to construct. With PIE,
|
program, instead of the stack and heap only. |
program, instead of the stack and heap only. |
|
|
PIE executables will only be built for toolchains that are known to support PIE. |
PIE executables will only be built for toolchains that are known to support PIE. |
Currently, this means NetBSD on amd64 and i386. |
Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS. |
|
|
### PKGSRC_MKREPRO |
PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch. |
|
|
With this option, pkgsrc will try to build packages reproducibly. This allows |
|
packages built from the same tree and with the same options, to produce |
|
identical results bit by bit. This option should be combined with ASLR and |
|
`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to |
|
exploit security vulnerabilities. |
|
|
|
More details can be found here: |
|
|
|
* <https://reproducible-builds.org/> |
|
|
|
### PKGSRC_USE_RELRO |
### PKGSRC_USE_RELRO |
|
|
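Review bot: `PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch.` does not name the first branch that carries the default, while the SSP section in the same revision uses the form "since pkgsrc-2021Q4". Suggest the same "since" wording here, plus "where known supported" as in the SSP sentences, because the platform list on the line above shows the default cannot apply everywhere. In that list "x86" replaces "amd64 and i386"; if both are still meant, spelling them out avoids the ambiguity.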
Line 109 feature by default, at the "partial" lev
|
Line 99 feature by default, at the "partial" lev
|
|
|
More details can be found here: |
More details can be found here: |
|
|
|
* <https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro> |
* <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html> |
* <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html> |
|
|
|
## Not enabled by default |
|
|
|
### PKGSRC_MKREPRO |
|
|
|
With this option, pkgsrc will try to build packages reproducibly. This allows |
|
packages built from the same tree and with the same options, to produce |
|
identical results bit by bit. This option should be combined with ASLR and |
|
`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to |
|
exploit security vulnerabilities. |
|
|
|
More details can be found here: |
|
|
|
* <https://reproducible-builds.org/> |
|
|
|
More work likely needs to be done before pkgsrc is fully reproducible. |
|
|
### PKGSRC_USE_STACK_CHECK |
### PKGSRC_USE_STACK_CHECK |
|
|
This uses `-fstack-check` with GCC for another stack protection mitigation. |
This uses `-fstack-check` with GCC for another stack protection mitigation. |
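Review bot: The relocated PKGSRC_MKREPRO paragraph still says the option "should be combined with ASLR and `PKGSRC_MKPIE`", which reads as an extra step to take even though this revision states that PKGSRC_MKPIE is now a default. Suggest rewording it to say that PIE and ASLR should be left enabled when building reproducibly. The added closing sentence "More work likely needs to be done before pkgsrc is fully reproducible." would be more useful if it said what is known not to be reproducible yet, or pointed to where that is tracked.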
Line 123 multi-threaded programs.
|
Line 130 multi-threaded programs.
|
|
|
## Problems with `PKGSRC_MKPIE` |
## Problems with `PKGSRC_MKPIE` |
|
|
### Recent support for cwrappers |
|
|
|
`PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3 |
|
release on (`USE_CWRAPPERS` in `mk.conf`). |
|
|
|
### Packages failing to build |
### Packages failing to build |
|
|
A number of packages may fail to build with this option enabled. The failures |
A number of packages may fail to build with this option enabled. The failures |
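Review bot: Removing the "Recent support for cwrappers" section drops the statement that `PKGSRC_MKPIE` is tied to `pkgtools/cwrappers` and `USE_CWRAPPERS` in `mk.conf`. If a build with cwrappers turned off can still end up without PIE, keep a one-line note under "Problems with `PKGSRC_MKPIE`" so that case stays documented; if it can no longer happen, the commit message should say why the section is obsolete.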
Line 153 For packages using `Imakefiles`:
|
Line 155 For packages using `Imakefiles`:
|
### Run-time crashes |
### Run-time crashes |
|
|
Some programs may fail to run, or crash at random times once built as PIE. Two |
Some programs may fail to run, or crash at random times once built as PIE. Two |
scenarios are essentially possible: |
scenarios are essentially possible. This is nearly always due to a bug in |
|
the program being exposed due to ASLR. |
|
|
* actual bug in the program crashing, exposed thanks to ASLR/mprotect; |
### Disabling PKGSRC_MKPIE on a per-package basis |
* bug in the implementation of ASLR/mprotect in the Operating System. |
|
|
Ideally, packages should be fixed for compatibility with MKPIE. |
|
However, in some cases this is very difficult, due to complex build systems, |
|
packages using non-standard toolchains, or programming languages with odd |
|
bootstrapping mechanisms. |
|
|
|
To disable `PKGSRC_MKPIE` on a per-package basis, set `MKPIE_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included. |
|
|
## Problems with `PKGSRC_USE_FORTIFY` |
## Problems with `PKGSRC_USE_FORTIFY` |
|
|
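Review bot: In "Run-time crashes" the sentence "Two scenarios are essentially possible." is left dangling, because the two bullets it introduced are removed and the colon became a full stop. Suggest deleting it and starting the paragraph's second sentence at "This is nearly always due to a bug in the program". That sentence also repeats "due to" and, with the operating-system bullet gone, "nearly always" leaves the remaining case unnamed; "exposed by ASLR" plus a short mention of the other cause would fix both. In the new per-package section, a short Makefile fragment showing `MKPIE_SUPPORTED= no` placed above the `bsd.prefs.mk` include would make the ordering requirement harder to miss.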
Line 208 initialization routine can run, and the
|
Line 217 initialization routine can run, and the
|
them directly and abort as a result. Unfortunately, this is how Xorg loads its |
them directly and abort as a result. Unfortunately, this is how Xorg loads its |
drivers. Partial RELRO can be applied instead in this case. |
drivers. Partial RELRO can be applied instead in this case. |
|
|
|
### Disabling RELRO on a per-package basis |
|
|
|
To disable RELRO on a per-package basis, set `RELRO_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included. |
|
|
## Problems with `PKGSRC_USE_SSP` |
## Problems with `PKGSRC_USE_SSP` |
|
|
### Packages failing to build |
### Packages failing to build |
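Review bot: The new "Disabling RELRO on a per-package basis" section only documents `RELRO_SUPPORTED= no`, while the paragraph just above it says "Partial RELRO can be applied instead in this case." Turning RELRO off entirely is a larger loss of hardening than the fallback to partial that the text recommends, so either document how a package selects partial RELRO or state that no per-package setting for that exists. A sentence asking packagers to record the reason next to the setting would also help when these exceptions are revisited.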