ports/138228: [ports] New opt-in knob to compile ports with SSP

Jeremie Le Hen jeremie at le-hen.org
Thu Aug 27 07:30:03 UTC 2009


>Number:         138228
>Category:       ports
>Synopsis:       [ports] New opt-in knob to compile ports with SSP
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 27 07:30:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Jeremie Le Hen
>Release:        FreeBSD
>Organization:
None
>Environment:
System: FreeBSD felucia.tataz.chchile.org

>Description:
	The first patch adds a new knob WITH_SSP_PORTS that, if enabled,
	will add -fstack-protector to CFLAGS.  I've chosen this name to
	not conflict with WITH_SSP that affects src/ build.

	This is a great win in terms of security and follows the trail
	of FreeBSD-8.0 which is now compiled with SSP (opt-out).

	Although most of the ports build smoothly with this knob turned on,
	a few of them won't build out of the box.  With kan@'s recent change
	to put SSP symbols in libssp_static.a instead of libc,
	-fstack-protector must be provided explicitly at link time.
	lang/perl-5.* for instance has to be slightly modified to be built
	with SSP as it does not pay attention to LDFLAGS.
	You will find another patch attached for lang/perl* as well.

	I don't have the power and time necessary to test and fix every
	port, but given this is an opt-in I think we could live with this
	and let patches trickle in the ports tree.

--- WITH_SSP_PORTS.patch begins here ---
Index: Mk/bsd.port.mk
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/Mk/bsd.port.mk,v
retrieving revision 1.626
diff -u -p -u -r1.626 bsd.port.mk
--- Mk/bsd.port.mk	22 Aug 2009 19:32:48 -0000	1.626
+++ Mk/bsd.port.mk	26 Aug 2009 22:33:25 -0000
@@ -1629,6 +1629,12 @@ CFLAGS:=	${CFLAGS:C/${_CPUCFLAGS}//}
 .endif
 .endif
 
+.if defined(WITH_SSP_PORTS)
+SSP_FLAGS?=		-fstack-protector
+CFLAGS:=		${CFLAGS} ${SSP_FLAGS}
+LDFLAGS:=		${LDFLAGS} -fstack-protector
+.endif
+
 .if defined(WITH_DEBUG) && !defined(WITHOUT_DEBUG)
 STRIP=	#none
 STRIP_CMD=	${TRUE}
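
Review bot: The added LDFLAGS line hard-codes -fstack-protector while the CFLAGS line takes ${SSP_FLAGS}, so a user who overrides SSP_FLAGS changes the compile flags but not the link flags. Consider "LDFLAGS:= ${LDFLAGS} ${SSP_FLAGS}", or a separate overridable variable for the link side if the two are meant to differ. The hunk also adds no comment describing WITH_SSP_PORTS or SSP_FLAGS; a short note next to the block saying that the knob is distinct from WITH_SSP for src/ would help users find it.
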
--- WITH_SSP_PORTS.patch ends here ---

--- WITH_SSP_PORTS_lang_perl.patch begins here ---
Index: lang/perl5.10/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.10/Makefile,v
retrieving revision 1.112
diff -u -p -u -r1.112 Makefile
--- lang/perl5.10/Makefile	6 Jul 2009 12:16:07 -0000	1.112
+++ lang/perl5.10/Makefile	26 Aug 2009 22:26:43 -0000
@@ -86,6 +86,10 @@ STRIP_CMD=	${TRUE}
 CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
 .endif
 
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+=        -A append:ldflags=-fstack-protector
+.endif
+
 .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
 CONFIGURE_ARGS+=	-Dd_dosuid=define
 PLIST_SUB+=		SUIDPERL=""
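
Review bot: The added CONFIGURE_ARGS line repeats the literal -fstack-protector instead of using ${SSP_FLAGS} from bsd.port.mk, so an overridden SSP_FLAGS would not reach perl's link step. Suggest "-A append:ldflags=${SSP_FLAGS}" (quoted if the value can hold more than one flag). Style: the new line separates CONFIGURE_ARGS+= from its value with spaces, while the neighbouring CONFIGURE_ARGS+= lines use a tab.
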
Index: lang/perl5.8/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.8/Makefile,v
retrieving revision 1.108
diff -u -p -u -r1.108 Makefile
--- lang/perl5.8/Makefile	7 Aug 2009 11:03:10 -0000	1.108
+++ lang/perl5.8/Makefile	26 Aug 2009 22:26:52 -0000
@@ -89,6 +89,10 @@ STRIP_CMD=	${TRUE}
 CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
 .endif
 
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+=        -A append:ldflags=-fstack-protector
+.endif
+
 .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
 CONFIGURE_ARGS+=	-Dd_dosuid=define
 PLIST_SUB+=		SUIDPERL=""
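
Review bot: This block only appends to perl's ldflags, and the context line above it shows ${CFLAGS} reaching Configure through -Doptimize inside a conditional that closes at the preceding .endif. Please confirm that the SSP compile flag still reaches perl's build when that condition is false; otherwise the objects would be linked with -fstack-protector but not compiled with it. If it does not, passing the flag to Configure's compile flags in this same .if block would close the gap.
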
--- WITH_SSP_PORTS_lang_perl.patch ends here ---


>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
