ports/138228: [ports] New opt-in knob to compile ports with SSP
Jeremie Le Hen
jeremie at le-hen.org
Thu Aug 27 07:30:03 UTC 2009
>Number: 138228
>Category: ports
>Synopsis: [ports] New opt-in knob to compile ports with SSP
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 27 07:30:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Jeremie Le Hen
>Release: FreeBSD
>Organization:
None
>Environment:
System: FreeBSD felucia.tataz.chchile.org
>Description:
The first patch adds a new knob WITH_SSP_PORTS that, if enabled,
will add -fstack-protector to CFLAGS. I've chosen this name to
not conflict with WITH_SSP that affects src/ build.
This is a great win in terms of security and follows the trail
of FreeBSD-8.0 which is now compiled with SSP (opt-out).
Although most of the ports build smoothly with this knob turned on,
a few of them won't build out of the box. With kan@'s recent change
to put SSP symbols in libssp_static.a instead of libc,
-fstack-protector must be provided explicitly at link time.
lang/perl-5.*, for instance, has to be slightly modified to be built
with SSP as it does not pay attention to LDFLAGS.
You will find another patch attached for lang/perl* as well.
I don't have the power and time necessary to test and fix every
port, but given this is an opt-in I think we could live with this
and let patches trickle into the ports tree.
--- WITH_SSP_PORTS.patch begins here ---
Index: Mk/bsd.port.mk
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/Mk/bsd.port.mk,v
retrieving revision 1.626
diff -u -p -u -r1.626 bsd.port.mk
--- Mk/bsd.port.mk 22 Aug 2009 19:32:48 -0000 1.626
+++ Mk/bsd.port.mk 26 Aug 2009 22:33:25 -0000
@@ -1629,6 +1629,12 @@ CFLAGS:= ${CFLAGS:C/${_CPUCFLAGS}//}
.endif
.endif
+.if defined(WITH_SSP_PORTS)
+SSP_FLAGS?= -fstack-protector
+CFLAGS:= ${CFLAGS} ${SSP_FLAGS}
+LDFLAGS:= ${LDFLAGS} -fstack-protector
+.endif
+
.if defined(WITH_DEBUG) && !defined(WITHOUT_DEBUG)
STRIP= #none
STRIP_CMD= ${TRUE}
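Review bot: The LDFLAGS line in this hunk hardcodes -fstack-protector while the CFLAGS line uses ${SSP_FLAGS}, so anyone who overrides SSP_FLAGS (which the ?= assignment invites) compiles with one setting and links with another. Suggest "LDFLAGS:= ${LDFLAGS} ${SSP_FLAGS}", or a separate overridable variable for the link side if the two are meant to differ. The hunk also adds WITH_SSP_PORTS and SSP_FLAGS without a comment describing them; a short description next to the block would make the knob discoverable.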
--- WITH_SSP_PORTS.patch ends here ---
--- WITH_SSP_PORTS_lang_perl.patch begins here ---
Index: lang/perl5.10/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.10/Makefile,v
retrieving revision 1.112
diff -u -p -u -r1.112 Makefile
--- lang/perl5.10/Makefile 6 Jul 2009 12:16:07 -0000 1.112
+++ lang/perl5.10/Makefile 26 Aug 2009 22:26:43 -0000
@@ -86,6 +86,10 @@ STRIP_CMD= ${TRUE}
CONFIGURE_ARGS+= -Doptimize="${CFLAGS}"
.endif
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+= -A append:ldflags=-fstack-protector
+.endif
+
.if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
CONFIGURE_ARGS+= -Dd_dosuid=define
PLIST_SUB+= SUIDPERL=""
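Review bot: The value appended to ldflags here is the literal -fstack-protector, not ${SSP_FLAGS}, so an SSP_FLAGS override set for the bsd.port.mk knob never reaches perl's link step. Suggest passing the same variable the framework uses, for example "-A append:ldflags=${SSP_FLAGS}" with suitable quoting, so that compile and link stay in agreement for this port.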
Index: lang/perl5.8/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.8/Makefile,v
retrieving revision 1.108
diff -u -p -u -r1.108 Makefile
--- lang/perl5.8/Makefile 7 Aug 2009 11:03:10 -0000 1.108
+++ lang/perl5.8/Makefile 26 Aug 2009 22:26:52 -0000
@@ -89,6 +89,10 @@ STRIP_CMD= ${TRUE}
CONFIGURE_ARGS+= -Doptimize="${CFLAGS}"
.endif
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+= -A append:ldflags=-fstack-protector
+.endif
+
.if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
CONFIGURE_ARGS+= -Dd_dosuid=define
PLIST_SUB+= SUIDPERL=""
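Review bot: This block duplicates the lang/perl5.10 one line for line, including the hardcoded -fstack-protector instead of ${SSP_FLAGS}, so any later correction has to be made in both Makefiles. Beyond using the variable here as well, please confirm that appending to ldflags alone is enough: if perl links its dynamically loaded extensions with a separate Configure variable (lddlflags), those objects would be compiled with SSP but linked without the flag.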
--- WITH_SSP_PORTS_lang_perl.patch ends here ---
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: