[CFdiscussion] ports and FORTIFY_SOURCE

Pedro Giffuni pfg at FreeBSD.org
Mon Aug 31 18:37:28 UTC 2015

Dear ports developers;

This year I mentored Oliver Pinter's GSoC project [1] to port
FORTIFY_SOURCE to FreeBSD. The project was more complex than we
thought initially but it was successful.

For those of you that haven't heard of it, it's a trick supported by 
libc to enable bounds-checking on common string and memory functions.
The code has gone through extensive testing with both clang and the
base gcc. It should work fine with newer gcc but it is untested there.

To activate it you will just need to add -D_FORTIFY_SOURCE=1 (or 2) in
the CFLAGS and that will transparently add the extra checks. The code
is non-invasive but some ports (firefox, emacs) actually choose to run
with this flag on by default and an exp-run found some errors in those.

There are currently two remaining PRs with patches for mail/ifile
(202572) and net-p2p/namecoin (2012603); getting those committed soon
would avoid traumas in the ports tree once FORTIFY_SOURCE is committed.

In the future it would be nice to support a flag within ports to enable
or disable this extra flag for specific ports. I am unsure exactly how
to do it; it could be something as simple as

or as complex as
USES= 	compiler:fortify=0
(0 disables it, 1 is standard for clang. 2 is standard for gcc)

I plan to bring this code to FreeBSD-11 only. I am unsure exactly when
the code will be brought in though. At this time, I am just giving more
time for reviewers [2] but I thought I'd give some more space for
feedback from the ports as well since they will see the greatest
benefits from this framework.
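
Added illustration, not part of the original message and not FreeBSD's libc code: the compiler builtin that FORTIFY_SOURCE-style wrappers rely on, shown with a checked memcpy that refuses a copy larger than the destination the compiler can see. It goes slightly beyond the message by also showing the two modes of __builtin_object_size; in glibc's headers, level 2 switches the string functions to mode 1. The names checked_memcpy, CHECKED_COPY and struct account are hypothetical and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical checked wrapper: returns 0 after copying, -1 when the
 * compiler-known destination size is too small. A real fortified libc
 * aborts the process at this point instead of returning. */
static int checked_memcpy(void *dst, const void *src, size_t n, size_t dst_size)
{
    /* (size_t)-1 means the compiler could not work out the size (for
     * example a bare pointer parameter), so nothing can be checked. */
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* A macro, so the builtin sees the caller's destination expression. */
#define CHECKED_COPY(d, s, n) \
    checked_memcpy((d), (s), (n), __builtin_object_size((d), 0))

static const char input[] = "AAAAAAAAAA"; /* constructed: 11 bytes with NUL */

int copy_into_array(size_t n) /* n must be <= sizeof(input) */
{
    char buf[8];
    return CHECKED_COPY(buf, input, n);
}

struct account { char name[8]; int is_admin; };
struct account acct;

/* Mode 0: bytes left in the whole enclosing object, so an overflow from
 * name[] into is_admin stays under the limit. */
size_t field_size_mode0(void) { return __builtin_object_size(acct.name, 0); }
/* Mode 1: bytes left in the closest subobject, here name[] alone. */
size_t field_size_mode1(void) { return __builtin_object_size(acct.name, 1); }

int main(void)
{
    printf("8 bytes into buf[8]:  %d\n", copy_into_array(8));
    printf("11 bytes into buf[8]: %d\n", copy_into_array(sizeof(input)));
    printf("name[] size, mode 0: %zu, mode 1: %zu\n",
           field_size_mode0(), field_size_mode1());
    return 0;
}
```

Code that deliberately writes past a struct member into the next one passes a mode 0 check and fails a mode 1 check, which is the usual reason a port builds and runs at level 1 but aborts at level 2.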




