Diff for /wikisrc/pkgsrc/hardening.mdwn between versions 1.4 and 1.49

version 1.4, 2016/03/17 03:19:17 version 1.49, 2021/10/02 14:48:27
Line 1 Line 1
 [[!meta title="Hardening pkgsrc"]]  This page has been moved to [the pkgsrc guide](//www.NetBSD.org/docs/pkgsrc/hardening.html).
   
 [pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant  
 to improve the security of compiled binaries. They can be individually enabled  
 in `mk.conf`, and consist of:  
   
 * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent  
   Executables) when supported on the current platform. This option is necessary  
   to fully leverage ASLR as a mitigation for security vulnerabilities.  
 * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used  
   functions that do not bounds checking regularly - but could in some cases.  
 * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security  
   vulnerabilities more difficult in some cases.  
 * `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported  
   platforms)  
   
 # Caveats  
   
 ## Problems with `PKGSRC_MKPIE`  
   
 ### No support for cwrappers  
   
 As of the time of this article `PKGSRC_MKPIE` is not supported by  
 `pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).  
   
 ### Packages failing to build  
   
 A number of packages may fail to build with this option enabled. The failures  
 are often related to the absence of the "-fPIC" compilation flag when building  
 libraries or executables (or ideally "-fPIE" in the latter case). This flag is  
 added to the `CFLAGS` already, but requires the package to actually support it.  
   
 #### How to fix  
   
 These instructions are meant as a reference only; they likely need to be adapted  
 for many packages individually.  
   
 For packages using `Makefiles`:  
   
     MAKE_FLAGS+=        CFLAGS=${CFLAGS:Q}  
     MAKE_FLAGS+=        LDFLAGS=${LDFLAGS:Q}  
   
 For packages using `Imakefiles`:  
   
     MAKE_FLAGS+=        CCOPTIONS=${CFLAGS:Q}  
     MAKE_FLAGS+=        LOCAL_LDFLAGS=${LDFLAGS:Q}  
   
 ### Run-time crashes  
   
 Some programs may fail to run, or crash at random times once built as PIE. Two  
 scenarios are essentially possible:  
   
 * actual bug in the program crashing, exposed thanks to ASLR/mprotect;  
 * bug in the implementation of ASLR/mprotect in the Operating System.  
   
 ## Problems with `PKGSRC_USE_FORTIFY`  
   
 ### Packages failing to build  
   
 This feature makes use of pre-processing directives to look for hardened,  
 alternative implementations of essential library calls. Some programs may fail  
 to build as a result; this usually happens for those trying too hard to be  
 portable, or otherwise abusing definitions in the standard library.  
   
 This will require a modification to the program, or disabling this feature for  
 part or all of the build.  
   
 ### Run-time crashes  
   
 Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to  
 crash, usually indicating an actual bug in the program. The fix will typically  
 involve patching the original program.  
   
 ## Problems with `PKGSRC_USE_SSP`  
   
 ### Packages failing to build  
   
 The stack-smashing protection provided by this option does not work for some  
 programs. The two most common situations in which this happens are:  
   
 * the program makes use of the `alloca(3)` library call (memory allocator on the  
   stack)  
 * the program allocates variables on the stack, with the size determined at  
   run-time.  
   
 Both cases will require a modification to the program, or disabling this feature  
 for part or all of the build.  
   
 ### Run-time crashes  
   
 Again, this feature may cause some programs to crash, usually indicating an  
 actual bug in the program. Patching the original program is then required.  
   

Removed from v.1.4  
changed lines
  Added in v.1.49


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb