git: 055b4d7d2079 - 2025Q3 - dns/dnsmasq: harden build

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Tue, 16 Sep 2025 09:54:52 UTC
The branch 2025Q3 has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=055b4d7d20799b91d4a69c757c3d710f9d25da77

commit 055b4d7d20799b91d4a69c757c3d710f9d25da77
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-09-16 09:30:55 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-09-16 09:54:36 +0000

    dns/dnsmasq: harden build
    
    MFH:            2025Q3
    (cherry picked from commit 421cd1ecf286ff832c18d9c77e220fdad6f8bfb7)
---
 dns/dnsmasq/Makefile | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile
index 027ec8c2b4a2..2c34b08f2547 100644
--- a/dns/dnsmasq/Makefile
+++ b/dns/dnsmasq/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=	dnsmasq
 DISTVERSION=	2.91
 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps:
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	dns
 MASTER_SITES=	https://www.thekelleys.org.uk/dnsmasq/ \
@@ -13,7 +13,7 @@ WWW=		https://www.thekelleys.org.uk/dnsmasq/doc.html
 
 LICENSE=	GPLv2
 
-USES=		cpe shebangfix tar:xz
+USES=		compiler cpe shebangfix tar:xz
 CPE_VENDOR=	thekelleys
 
 SHEBANG_FILES=	contrib/dnslist/dnslist.pl \
@@ -25,8 +25,27 @@ MAKE_ARGS=	CC="${CC}" \
 		LIBS="${LDFLAGS}" \
 		PREFIX="${PREFIX}" \
 		RPM_OPT_FLAGS="${CPPFLAGS}"
-CFLAGS+=	-Wall -Wno-unused-function -Wno-unused-parameter \
-		-Wno-unused-value -Wno-unused-variable
+CFLAGS+=	-Wall
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+# Note there are ${ARCH}-dependent options below after .include <bsd.port.pre.mk>
+CFLAGS+=	-O2 -Wall -Wformat -Wformat=2 \
+		-Werror=format-security \
+		-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
+		-fstrict-flex-arrays=3 \
+		-fstack-clash-protection -fstack-protector-strong \
+		-fno-delete-null-pointer-checks -fno-strict-overflow \
+		-fno-strict-aliasing -ftrivial-auto-var-init=zero
+LDFLAGS+=	-Wl,-z,nodlopen -Wl,-z,noexecstack \
+		-Wl,-z,relro -Wl,-z,now \
+		-Wl,--as-needed -Wl,--no-copy-dt-needed-entries
+CFLAGS+=	-fPIE
+LDFLAGS+=	-pie
+# error on obsolete C constructs
+CFLAGS+=	-Werror=implicit -Werror=incompatible-pointer-types \
+		-Werror=int-conversion
+# tune down harmless warnings due to coding style
+CFLAGS+=	-Wno-unused-function -Wno-unused-parameter \
+		-Wno-unused-value -Wno-unused-variable -Wno-format-nonliteral
 CPPFLAGS+=	-I${LOCALBASE}/include
 
 CONFLICTS_INSTALL=	dnsmasq-devel
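Review bot: The `-O2` at the head of the line `CFLAGS+=	-O2 -Wall -Wformat -Wformat=2 \` is appended after the framework's and the user's CFLAGS, so it silently overrides whatever optimization level make.conf selected; if it is there because `_FORTIFY_SOURCE` only takes effect when optimization is enabled, the comment above it should say so (e.g. `# -O2 is required for _FORTIFY_SOURCE to have any effect`), otherwise drop it and let the ports framework supply the level. `-Wall` is also listed twice, on the first `CFLAGS+=` line and again on the next one, so one copy should go. `-fstrict-flex-arrays=3`, `-ftrivial-auto-var-init=zero` and `-fstack-clash-protection` are rejected as unknown arguments by older toolchains (roughly clang before 16 and gcc before 12/13, from memory), and since this commit puts `USES=compiler` in scope, a `COMPILER_VERSION` guard or at least a comment stating the minimum toolchain the port now expects would keep an older base compiler from failing the build outright. `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3` presumably relies on libc fortification that only newer FreeBSD releases provide and is a no-op elsewhere, which is fine but worth a one-line comment so nobody removes it as ineffective.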
@@ -97,6 +116,17 @@ USE_RC_SUBR=	dnsmasq
 
 .include <bsd.port.pre.mk>
 
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+.if ${ARCH} == "amd64"
+CFLAGS+=	-fcf-protection=full
+.endif
+.if ${ARCH} == "aarch64"
+CFLAGS+=	-mbranch-protection=standard
+.endif
+.if ${CHOSEN_COMPILER_TYPE} == "gcc"
+CFLAGS+=	-Wtrampolines
+.endif
+
 LDFLAGS+=	-L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB}
 
 post-patch:
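Review bot: `-fcf-protection=full` is guarded on `amd64` only, yet the CET instrumentation is an x86 feature that both gcc and clang also accept for 32-bit targets, so `.if ${ARCH} == "amd64" || ${ARCH} == "i386"` would extend the same protection to i386 builds; if i386 was excluded deliberately, a short comment saying why would stop the next reader from "fixing" it. The three `.if` blocks share the OpenSSF URL already cited in the earlier CFLAGS hunk, so a one-line comment per block naming what each flag buys (CET shadow stack/IBT, PAC/BTI, nested-function trampolines) would make the per-arch split self-explanatory without the reader having to open the guide. The enclosing section continues past the hunk into the `post-patch` target.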