Diff for /wikisrc/pkgsrc/hardening.mdwn between versions 1.24 and 1.25

version 1.24, 2017/11/06 00:04:07 version 1.25, 2017/11/07 01:49:31
Line 8  about detecting and fixing problems. Line 8  about detecting and fixing problems.
 # Mechanisms  # Mechanisms
   
 Mechanisms can be enabled individually in `mk.conf`, and are  Mechanisms can be enabled individually in `mk.conf`, and are
 individually described below.  They are sorted by whether thery are  individually described below. They are sorted by whether thery are
 enabled by default, and then by their ordering in mk/defaults/mk.conf.  enabled by default, and then by their ordering in mk/defaults/mk.conf.
   
 Typically, a feature will cause some programs to fail to build or work  Typically, a feature will cause some programs to fail to build or work
 when first enabled.  This can be due to latent problems in the  when first enabled. This can be due to latent problems in the
 program, and can be due to other reasons.  After enough testing to  program, and can be due to other reasons. After enough testing to
 have confidence that user problems will be quite rare, individual  have confidence that user problems will be quite rare, individual
 mechanisms will be enabled by default.  mechanisms will be enabled by default.
   
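Review bot: The typo "thery" in "They are sorted by whether thery are enabled by default" is carried over unchanged on both sides; since this revision already touches that line for spacing, correct it to "they" here. The same sentence names mk/defaults/mk.conf without the backticks used for `mk.conf` two lines earlier, so marking it up consistently would help.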
Line 29  This allows substitute wrappers to be us Line 29  This allows substitute wrappers to be us
 library functions that do not have built-in bounds checking - but  library functions that do not have built-in bounds checking - but
 could in some cases.  could in some cases.
   
 TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used.  Give a link  TODO: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link
 to a good explanation of the technique.  Explain if this is gcc specific.  to a good explanation of the technique. Explain if this is gcc specific.
   
 It has been enabled by default since pkgsrc-2017Q3.  It has been enabled by default since pkgsrc-2017Q3.
   
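Review bot: The FORTIFY_SOURCE TODO is still open after this revision, so the section states that the mechanism "has been enabled by default since pkgsrc-2017Q3" without saying whether level 1 or 2 is what gets enabled. A reader auditing build flags needs that level; either resolve the TODO with the value actually set, or move the TODO out of the rendered text into a tracked item.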
Line 38  It has been enabled by default since pkg Line 38  It has been enabled by default since pkg
   
 This enables a stack-smashing protection mitigation.  This enables a stack-smashing protection mitigation.
   
 TODO: Give a link to a good explanation.  Explain if this is gcc  TODO: Give a link to a good explanation. Explain if this is gcc
 specific or also works with other compilers.  Explain if it is C/C++ only.  specific or also works with other compilers. Explain if it is C/C++ only.
   
 It is enabled by default where known supported since pkgsrc-2017Q3.  It is enabled by default where known supported since pkgsrc-2017Q3.
   
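Review bot: The phrase "enabled by default where known supported" does not tell the reader which platforms or compilers are covered, and the TODO above it leaves the gcc-only and C/C++-only questions unanswered. List the supported combinations, or point to where support is decided, so a user can tell whether their builds actually get stack protection.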
Line 50  It is enabled by default where known sup Line 50  It is enabled by default where known sup
 ### PKGSRC_MKPIE  ### PKGSRC_MKPIE
   
 This requests the the creation of PIE (Position Independent  This requests the the creation of PIE (Position Independent
 Executables) for all executables.  The PIE mechanism is normally used  Executables) for all executables. The PIE mechanism is normally used
 for shared libraries so that they can be loaded at differing addresses  for shared libraries so that they can be loaded at differing addresses
 at runtime.  PIE itself does not have useful security properties.  at runtime. PIE itself does not have useful security properties.
 However, some operating systems support Address Space Layout  However, some operating systems support Address Space Layout
 Randomization (ASLR), which causes different addresses to be used each  Randomization (ASLR), which causes different addresses to be used each
 time a program is run.  This makes it more difficult for an attacker  time a program is run. This makes it more difficult for an attacker
 to guess addresses and thus makes exploits harder to construct.  to guess addresses and thus makes exploits harder to construct.
   
 TODO/check: PIE executables will only be built for toolchains that  TODO/check: PIE executables will only be built for toolchains that
 support PIE and operating systems known to support ASLR.  Currently,  support PIE and operating systems known to support ASLR. Currently,
 this means NetBSD 8 and later, i386 and amd64.  this means NetBSD 8 and later, i386 and amd64.
   
 ### PKGSRC_USE_RELRO  ### PKGSRC_USE_RELRO
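Review bot: The doubled word in "This requests the the creation of PIE" is untouched by this spacing cleanup and should be reduced to a single "the". The "TODO/check" paragraph also presents "NetBSD 8 and later, i386 and amd64" as the current state while flagging it as unverified; confirm it or word it as tentative so users do not assume PIE is applied on their platform.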



CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb