|
version 1.47, 2021/04/06 10:36:45
|
version 1.48, 2021/10/01 15:48:03
|
|
Line 47 and therefore exposing these bugs.
|
Line 47 and therefore exposing these bugs.
|
| |
|
| Different mitigation levels are available: |
Different mitigation levels are available: |
| |
|
| * the default ("yes"), which will only protect functions considered vulnerable |
* "yes", which will only protect functions considered vulnerable |
| by the compiler; |
by the compiler; |
| * "all", which will protect every function; |
* "all", which will protect every function; |
| * "strong", which will apply a better balance between the two settings above. |
* "strong", the default, which will apply a better balance between the two settings above. |
| |
|
| This mitigation is supported by both GCC and clang. It may be supported in |
This mitigation is supported by both GCC and clang. It may be supported in |
| additional compilers, possibly under a different name. It is particularly useful |
additional compilers, possibly under a different name. It is particularly useful |
| for unsafe programming languages, such as C/C++. |
for unsafe programming languages, such as C/C++. |
| |
|
| It is enabled by default where known supported since pkgsrc-2017Q3. |
"yes" is enabled by default where known supported since pkgsrc-2017Q3. |
| |
"strong" is enabled by default where known supported since pkgsrc-2021Q4. |
| |
|
| More details can be found here: |
More details can be found here: |
| |
|
| * <https://en.wikipedia.org/wiki/Buffer_overflow_protection> |
* <https://en.wikipedia.org/wiki/Buffer_overflow_protection> |
| |
|
| ## Not enabled by default |
|
| |
|
| ### PKGSRC_MKPIE |
### PKGSRC_MKPIE |
| |
|
| This requests the creation of PIE (Position Independent Executables) for all |
This requests the creation of PIE (Position Independent Executables) for all |
|
Line 77 exploits harder to construct. With PIE,
|
Line 76 exploits harder to construct. With PIE,
|
| program, instead of the stack and heap only. |
program, instead of the stack and heap only. |
| |
|
| PIE executables will only be built for toolchains that are known to support PIE. |
PIE executables will only be built for toolchains that are known to support PIE. |
| Currently, this means NetBSD on amd64 and i386. |
Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS. |
| |
|
| ### PKGSRC_MKREPRO |
PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch. |
| |
|
| With this option, pkgsrc will try to build packages reproducibly. This allows |
|
| packages built from the same tree and with the same options, to produce |
|
| identical results bit by bit. This option should be combined with ASLR and |
|
| `PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to |
|
| exploit security vulnerabilities. |
|
| |
|
| More details can be found here: |
|
| |
|
| * <https://reproducible-builds.org/> |
|
| |
|
| ### PKGSRC_USE_RELRO |
### PKGSRC_USE_RELRO |
| |
|
|
Line 109 feature by default, at the "partial" lev
|
Line 99 feature by default, at the "partial" lev
|
| |
|
| More details can be found here: |
More details can be found here: |
| |
|
| |
* <https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro> |
| * <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html> |
* <http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html> |
| |
|
| |
## Not enabled by default |
| |
|
| |
### PKGSRC_MKREPRO |
| |
|
| |
With this option, pkgsrc will try to build packages reproducibly. This allows |
| |
packages built from the same tree and with the same options, to produce |
| |
identical results bit by bit. This option should be combined with ASLR and |
| |
`PKGSRC_MKPIE` to avoid predictable address offsets for attackers attempting to |
| |
exploit security vulnerabilities. |
| |
|
| |
More details can be found here: |
| |
|
| |
* <https://reproducible-builds.org/> |
| |
|
| |
More work likely needs to be done before pkgsrc is fully reproducible. |
| |
|
| ### PKGSRC_USE_STACK_CHECK |
### PKGSRC_USE_STACK_CHECK |
| |
|
| This uses `-fstack-check` with GCC for another stack protection mitigation. |
This uses `-fstack-check` with GCC for another stack protection mitigation. |
|
Line 123 multi-threaded programs.
|
Line 130 multi-threaded programs.
|
| |
|
| ## Problems with `PKGSRC_MKPIE` |
## Problems with `PKGSRC_MKPIE` |
| |
|
| ### Recent support for cwrappers |
|
| |
|
| `PKGSRC_MKPIE` is only supported by `pkgtools/cwrappers` from the 2017Q3 |
|
| release on (`USE_CWRAPPERS` in `mk.conf`). |
|
| |
|
| ### Packages failing to build |
### Packages failing to build |
| |
|
| A number of packages may fail to build with this option enabled. The failures |
A number of packages may fail to build with this option enabled. The failures |
|
Line 153 For packages using `Imakefiles`:
|
Line 155 For packages using `Imakefiles`:
|
| ### Run-time crashes |
### Run-time crashes |
| |
|
| Some programs may fail to run, or crash at random times once built as PIE. Two |
Some programs may fail to run, or crash at random times once built as PIE. Two |
| scenarios are essentially possible: |
scenarios are essentially possible. This is nearly always due to a bug in |
| |
the program being exposed due to ASLR. |
| |
|
| * actual bug in the program crashing, exposed thanks to ASLR/mprotect; |
### Disabling PKGSRC_MKPIE on a per-package basis |
| * bug in the implementation of ASLR/mprotect in the Operating System. |
|
| |
Ideally, packages should be fixed for compatibility with MKPIE. |
| |
However, in some cases this is very difficult, due to complex build systems, |
| |
packages using non-standard toolchains, or programming languages with odd |
| |
bootstrapping mechanisms. |
| |
|
| |
To disable `PKGSRC_MKPIE` on a per-package basis, set `MKPIE_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included. |
| |
|
| ## Problems with `PKGSRC_USE_FORTIFY` |
## Problems with `PKGSRC_USE_FORTIFY` |
| |
|
|
Line 208 initialization routine can run, and the
|
Line 217 initialization routine can run, and the
|
| them directly and abort as a result. Unfortunately, this is how Xorg loads its |
them directly and abort as a result. Unfortunately, this is how Xorg loads its |
| drivers. Partial RELRO can be applied instead in this case. |
drivers. Partial RELRO can be applied instead in this case. |
| |
|
| |
### Disabling RELRO on a per-package basis |
| |
|
| |
To disable RELRO on a per-package basis, set `RELRO_SUPPORTED= no` in the package's Makefile before `bsd.prefs.mk` is included. |
| |
|
| ## Problems with `PKGSRC_USE_SSP` |
## Problems with `PKGSRC_USE_SSP` |
| |
|
| ### Packages failing to build |
### Packages failing to build |
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc