PIE/PIC support on base

Ian Lepore ian at FreeBSD.org
Wed Oct 15 14:17:39 UTC 2014


On Wed, 2014-10-15 at 08:10 +0200, Baptiste Daroussin wrote:
> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> > Hi all,
> > 
> > HardenedBSD plans to add PIE support on base in various places.
> > 
> > These are B. Drewery's suggestions:
> > 
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> > 
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> > 
> > Also I know that, at least for a start, it wished to be applied in some few
> > places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> > also casper/capsicum ... ntp ... jail
> > 
> What would probably be interesting is to list binary by binary on which one you
> do want to add the USE_PIE, and with rationale explaining why.
> 
> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE. I
> think cherry-picking what should be PIE is the right
> 
> regards,
> Bapt

As long as there's some sort of global knob that says "I want to opt out
of this completely regardless of finer-grained controls to the contrary
in other makefiles."

-- Ian



