git: cc0e861e232d - main - hardening: add relro and bind_now features

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Baptiste Daroussin <bapt_at_FreeBSD.org>
Date: Wed, 26 Oct 2022 08:34:46 UTC
The branch main has been updated by bapt:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cc0e861e232dbc725446c5ce43506e50005cbf30

commit cc0e861e232dbc725446c5ce43506e50005cbf30
Author:     Baptiste Daroussin <bapt@FreeBSD.org>
AuthorDate: 2022-10-26 08:27:08 +0000
Commit:     Baptiste Daroussin <bapt@FreeBSD.org>
CommitDate: 2022-10-26 08:34:03 +0000

    hardening: add relro and bind_now features
    
    As usual with features, this can be activated/deactivated via
    WITH/WITHOUT_<feature>
    
    Each port can individually mark itself as not supporting the feature
    via <feature>_UNSAFE=
---
 Mk/Features/bind_now.mk | 10 ++++++++++
 Mk/Features/relro.mk    | 10 ++++++++++
 Mk/bsd.port.mk          |  2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/Mk/Features/bind_now.mk b/Mk/Features/bind_now.mk
new file mode 100644
index 000000000000..99361c487265
--- /dev/null
+++ b/Mk/Features/bind_now.mk
@@ -0,0 +1,10 @@
+# BIND_NOW Support
+
+.if !defined(_BIND_NOW_MK_INCLUDED)
+_BIND_NOW_MK_INCLUDED=	yes
+BIND_NOW_Include_MAINTAINER=	portmgr@FreeBSD.org
+
+.  if !defined(BIND_NOW_UNSAFE)
+LDFLAGS+=	-Wl,-znow
+.  endif
+.endif
diff --git a/Mk/Features/relro.mk b/Mk/Features/relro.mk
new file mode 100644
index 000000000000..6ceb68d5d668
--- /dev/null
+++ b/Mk/Features/relro.mk
@@ -0,0 +1,10 @@
+# RELRO Support
+
+.if !defined(_RELRO_MK_INCLUDED)
+_RELRO_MK_INCLUDED=	yes
+RELRO_Include_MAINTAINER=	portmgr@FreeBSD.org
+
+.  if !defined(RELRO_UNSAFE)
+LDFLAGS+=	-Wl,-zrelro
+.  endif
+.endif
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index 717a0efdee6f..1600ed176739 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -1017,7 +1017,7 @@ LC_ALL=		C
 # These need to be absolute since we don't know how deep in the ports
 # tree we are and thus can't go relative.  They can, of course, be overridden
 # by individual Makefiles or local system make configuration.
-_LIST_OF_WITH_FEATURES=	debug lto ssp pie
+_LIST_OF_WITH_FEATURES=	debug lto ssp pie relro bind_now
 _DEFAULT_WITH_FEATURES=	ssp
 PORTSDIR?=		/usr/ports
 LOCALBASE?=		/usr/local