svn commit: r344179 - in head: kerberos5/tools/asn1_compile kerberos5/tools/slc lib/clang libexec/rtld-elf share/mk stand/i386 tools/build/options usr.bin/clang usr.bin/svn

Ed Maste emaste at FreeBSD.org
Fri Feb 15 22:22:42 UTC 2019


Author: emaste
Date: Fri Feb 15 22:22:38 2019
New Revision: 344179
URL: https://svnweb.freebsd.org/changeset/base/344179

Log:
  Add WITH_PIE knob to build Position Independent Executables
  
  Building binaries as PIE allows the executable itself to be loaded at a
  random address when ASLR is enabled (not just its shared libraries).
  
  With this change, PIE objects have a .pieo extension and INTERNALLIB
  libraries are named libXXX_pie.a.
  
  MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
  they explicitly reference .a libraries in their Makefiles.  These can
  be addressed on an individual basis later.  MK_PIE is also disabled for
  rtld-elf because it is already position-independent using bespoke
  Makefile rules.
  
  Currently only dynamically linked binaries will be built as PIE.
  
  Discussed with:	dim
  Reviewed by:	kib
  MFC after:	1 month
  Relnotes:	Yes
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D18423

Added:
  head/tools/build/options/WITHOUT_PIE   (contents, props changed)
  head/tools/build/options/WITH_PIE   (contents, props changed)
Modified:
  head/kerberos5/tools/asn1_compile/Makefile
  head/kerberos5/tools/slc/Makefile
  head/lib/clang/Makefile.inc
  head/libexec/rtld-elf/Makefile
  head/share/mk/bsd.lib.mk
  head/share/mk/bsd.opts.mk
  head/share/mk/bsd.prog.mk
  head/share/mk/src.libnames.mk
  head/stand/i386/Makefile.inc
  head/usr.bin/clang/Makefile.inc
  head/usr.bin/svn/Makefile.inc

Modified: head/kerberos5/tools/asn1_compile/Makefile
==============================================================================
--- head/kerberos5/tools/asn1_compile/Makefile	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/kerberos5/tools/asn1_compile/Makefile	Fri Feb 15 22:22:38 2019	(r344179)
@@ -6,6 +6,7 @@ LIBROKEN_A=	${.OBJDIR:H:H}/lib/libroken/libroken.a
 LIBADD=	vers
 LDADD=	${LIBROKEN_A}
 DPADD=	${LIBROKEN_A}
+MK_PIE:=	no
 
 SRCS=	\
 	asn1parse.y \
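Review bot: The added `MK_PIE:= no` carries no comment saying why PIE is switched off for this tool, and the same bare override appears in the kerberos5/tools/slc/Makefile and stand/i386/Makefile.inc hunks, while the lib/clang, usr.bin/clang and usr.bin/svn hunks do state a reason. Each of these lines is an opt-out from a hardening option, so the reason should sit next to it for whoever later audits which binaries are not built as PIE. Going by the commit log, the two kerberos5 tools could use `MK_PIE:=	no	# Explicit libXXX.a references`; the log does not say why stand/i386 opts out, so that comment has to come from the author.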

Modified: head/kerberos5/tools/slc/Makefile
==============================================================================
--- head/kerberos5/tools/slc/Makefile	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/kerberos5/tools/slc/Makefile	Fri Feb 15 22:22:38 2019	(r344179)
@@ -6,6 +6,7 @@ LIBADD=	vers
 LDADD=  ${LIBROKEN_A}
 DPADD=  ${LIBROKEN_A}
 MAN=
+MK_PIE:=	no
 
 SRCS=	roken.h \
 	slc-gram.y \

Modified: head/lib/clang/Makefile.inc
==============================================================================
--- head/lib/clang/Makefile.inc	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/lib/clang/Makefile.inc	Fri Feb 15 22:22:38 2019	(r344179)
@@ -2,6 +2,8 @@
 
 .include <bsd.compiler.mk>
 
+MK_PIE:=	no	# Explicit libXXX.a references
+
 .if ${COMPILER_TYPE} == "clang"
 DEBUG_FILES_CFLAGS= -gline-tables-only
 .else

Modified: head/libexec/rtld-elf/Makefile
==============================================================================
--- head/libexec/rtld-elf/Makefile	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/libexec/rtld-elf/Makefile	Fri Feb 15 22:22:38 2019	(r344179)
@@ -7,6 +7,7 @@
 .include <src.opts.mk>
 PACKAGE=	clibs
 MK_BIND_NOW=	no
+MK_PIE=		no # Always position independent using local rules
 MK_SSP=		no
 
 CONFS=		libmap.conf

Modified: head/share/mk/bsd.lib.mk
==============================================================================
--- head/share/mk/bsd.lib.mk	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/share/mk/bsd.lib.mk	Fri Feb 15 22:22:38 2019	(r344179)
@@ -91,13 +91,16 @@ CTFFLAGS+= -g
 # prefer .s to a .c, add .po, remove stuff not used in the BSD libraries
 # .pico used for PIC object files
 # .nossppico used for NOSSP PIC object files
-.SUFFIXES: .out .o .bc .ll .po .pico .nossppico .S .asm .s .c .cc .cpp .cxx .C .f .y .l .ln
+# .pieo used for PIE object files
+.SUFFIXES: .out .o .bc .ll .po .pico .nossppico .pieo .S .asm .s .c .cc .cpp .cxx .C .f .y .l .ln
 
 .if !defined(PICFLAG)
 .if ${MACHINE_CPUARCH} == "sparc64"
 PICFLAG=-fPIC
+PIEFLAG=-fPIE
 .else
 PICFLAG=-fpic
+PIEFLAG=-fpie
 .endif
 .endif
 
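Review bot: PIEFLAG is assigned only inside the existing `.if !defined(PICFLAG)` block, so a Makefile or environment that presets PICFLAG leaves PIEFLAG undefined. The `.pieo` suffix rules added in the later hunks of this file would then compile without any PIE flag, and the resulting objects would still be archived into libXXX_pie.a and linked with `-pie`. Giving PIEFLAG its own `!defined` guard keeps the two settings independent.

```make
.if !defined(PICFLAG)
# … unchanged: sparc64 / default PICFLAG selection …
.endif

.if !defined(PIEFLAG)
.if ${MACHINE_CPUARCH} == "sparc64"
PIEFLAG=-fPIE
.else
PIEFLAG=-fpie
.endif
.endif
```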
@@ -115,6 +118,10 @@ PO_FLAG=-pg
 	${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//} ${CFLAGS:C/^-fstack-protector.*$//} -c ${.IMPSRC} -o ${.TARGET}
 	${CTFCONVERT_CMD}
 
+.c.pieo:
+	${CC} ${PIEFLAG} -DPIC ${SHARED_CFLAGS} ${CFLAGS} -c ${.IMPSRC} -o ${.TARGET}
+	${CTFCONVERT_CMD}
+
 .cc.po .C.po .cpp.po .cxx.po:
 	${CXX} ${PO_FLAG} ${STATIC_CXXFLAGS} ${PO_CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
 
@@ -124,6 +131,9 @@ PO_FLAG=-pg
 .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico:
 	${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//} -c ${.IMPSRC} -o ${.TARGET}
 
+.cc.pieo .C.pieo .cpp.pieo .cxx.pieo:
+	${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}
+
 .f.po:
 	${FC} -pg ${FFLAGS} -o ${.TARGET} -c ${.IMPSRC}
 	${CTFCONVERT_CMD}
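Review bot: The new C++ `.pieo` rule omits `-DPIC`, while the `.c.pieo`, `.asm.pieo` and `.S.pieo` rules added by this commit and the neighbouring `.cc.nossppico` rule all pass it. Sources that select their position-independent code paths with `#ifdef PIC` would then be compiled differently for C++ than for C within the same _pie archive. Unless the omission is deliberate, the recipe should read `${CXX} ${PIEFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET}`.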
@@ -136,7 +146,7 @@ PO_FLAG=-pg
 	${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC}
 	${CTFCONVERT_CMD}
 
-.s.po .s.pico .s.nossppico:
+.s.po .s.pico .s.nossppico .s.pieo:
 	${AS} ${AFLAGS} -o ${.TARGET} ${.IMPSRC}
 	${CTFCONVERT_CMD}
 
@@ -155,6 +165,11 @@ PO_FLAG=-pg
 	    ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
 	${CTFCONVERT_CMD}
 
+.asm.pieo:
+	${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PIEFLAG} -DPIC \
+	    ${CFLAGS} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET}
+	${CTFCONVERT_CMD}
+
 .S.po:
 	${CC:N${CCACHE_BIN}} -DPROF ${PO_CFLAGS} ${ACFLAGS} -c ${.IMPSRC} \
 	    -o ${.TARGET}
@@ -170,6 +185,11 @@ PO_FLAG=-pg
 	    -c ${.IMPSRC} -o ${.TARGET}
 	${CTFCONVERT_CMD}
 
+.S.pieo:
+	${CC:N${CCACHE_BIN}} ${PIEFLAG} -DPIC ${CFLAGS} ${ACFLAGS} \
+	    -c ${.IMPSRC} -o ${.TARGET}
+	${CTFCONVERT_CMD}
+
 _LIBDIR:=${LIBDIR}
 _SHLIBDIR:=${SHLIBDIR}
 
@@ -333,6 +353,20 @@ lib${LIB_PRIVATE}${LIB}_nossp_pic.a: ${NOSSPSOBJS}
 .endif
 
 .endif # !defined(INTERNALLIB)
+
+.if defined(INTERNALLIB) && ${MK_PIE} != "no"
+PIEOBJS+=	${OBJS:.o=.pieo}
+DEPENDOBJS+=	${PIEOBJS}
+CLEANFILES+=	${PIEOBJS}
+
+_LIBS+=		lib${LIB_PRIVATE}${LIB}_pie.a
+
+lib${LIB_PRIVATE}${LIB}_pie.a: ${PIEOBJS}
+	@${ECHO} building pie ${LIB} library
+	@rm -f ${.TARGET}
+	${AR} ${ARFLAGS} ${.TARGET} ${PIEOBJS} ${ARADD}
+	${RANLIB} ${RANLIBFLAGS} ${.TARGET}
+.endif
 
 .if defined(_SKIP_BUILD)
 all:

Modified: head/share/mk/bsd.opts.mk
==============================================================================
--- head/share/mk/bsd.opts.mk	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/share/mk/bsd.opts.mk	Fri Feb 15 22:22:38 2019	(r344179)
@@ -73,6 +73,7 @@ __DEFAULT_NO_OPTIONS = \
     CCACHE_BUILD \
     CTF \
     INSTALL_AS_USER \
+    PIE \
     RETPOLINE \
     STALE_STAGED
 

Modified: head/share/mk/bsd.prog.mk
==============================================================================
--- head/share/mk/bsd.prog.mk	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/share/mk/bsd.prog.mk	Fri Feb 15 22:22:38 2019	(r344179)
@@ -38,6 +38,12 @@ MK_DEBUG_FILES=	no
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_PIE} != "no" && \
+    !defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO"
+CFLAGS+= -fPIE
+CXXFLAGS+= -fPIE
+LDFLAGS+= -pie
+.endif
 .if ${MK_RETPOLINE} != "no"
 CFLAGS+= -mretpoline
 CXXFLAGS+= -mretpoline
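Review bot: The new conditional groups differently from what its layout suggests: `&&` binds tighter than `||`, so it reads as `(MK_PIE != "no" && !defined(NO_SHARED)) || NO_SHARED == "no" || NO_SHARED == "NO"`. With `NO_SHARED=no` the PIE flags are therefore added even where `MK_PIE` has been set to `no`, which would override the per-directory opt-outs this commit introduces. With `MK_PIE` at `no` and NO_SHARED undefined, evaluation also reaches `${NO_SHARED} == "no"` on an undefined variable, which bmake generally rejects as a malformed conditional. Parenthesising the NO_SHARED test addresses both: `.if ${MK_PIE} != "no" && (!defined(NO_SHARED) || ${NO_SHARED:tl} == "no")`.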

Modified: head/share/mk/src.libnames.mk
==============================================================================
--- head/share/mk/src.libnames.mk	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/share/mk/src.libnames.mk	Fri Feb 15 22:22:38 2019	(r344179)
@@ -368,6 +368,10 @@ LDADD_atf_cxx=	-lprivateatf-c++
 LIB${_l:tu}?=	${LIBDESTDIR}${LIBDIR_BASE}/libprivate${_l}.a
 .endfor
 
+.if ${MK_PIE} != "no"
+PIE_SUFFIX=	_pie
+.endif
+
 .for _l in ${_LIBRARIES}
 .if ${_INTERNALLIBS:M${_l}} || !defined(SYSROOT)
 LDADD_${_l}_L+=		-L${LIB${_l:tu}DIR}
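Review bot: PIE_SUFFIX is left undefined when MK_PIE is "no", yet it is expanded unconditionally in the `:S/${PIE_SUFFIX}//` substitution and in every `LIB*?=` path in the later hunks of this file, and nothing here says the empty expansion is intended. A comment above the `.if` would help, for example `# PIE_SUFFIX is deliberately unset when MK_PIE is "no"; it then expands to nothing and the plain libXXX.a is used.` Because the `.if` is evaluated when this file is parsed, a per-directory `MK_PIE:= no` presumably has to be set before this file is included to take effect; if so, that ordering requirement belongs in the same comment.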
@@ -375,6 +379,8 @@ LDADD_${_l}_L+=		-L${LIB${_l:tu}DIR}
 DPADD_${_l}?=	${LIB${_l:tu}}
 .if ${_PRIVATELIBS:M${_l}}
 LDADD_${_l}?=	-lprivate${_l}
+.elif ${_INTERNALLIBS:M${_l}}
+LDADD_${_l}?=	${LDADD_${_l}_L} -l${_l:S/${PIE_SUFFIX}//}${PIE_SUFFIX}
 .else
 LDADD_${_l}?=	${LDADD_${_l}_L} -l${_l}
 .endif
@@ -418,69 +424,69 @@ LDADD+=		${LDADD_${_l}}
 
 # INTERNALLIB definitions.
 LIBELFTCDIR=	${OBJTOP}/lib/libelftc
-LIBELFTC?=	${LIBELFTCDIR}/libelftc.a
+LIBELFTC?=	${LIBELFTCDIR}/libelftc${PIE_SUFFIX}.a
 
 LIBPEDIR=	${OBJTOP}/lib/libpe
-LIBPE?=		${LIBPEDIR}/libpe.a
+LIBPE?=		${LIBPEDIR}/libpe${PIE_SUFFIX}.a
 
 LIBOPENBSDDIR=	${OBJTOP}/lib/libopenbsd
-LIBOPENBSD?=	${LIBOPENBSDDIR}/libopenbsd.a
+LIBOPENBSD?=	${LIBOPENBSDDIR}/libopenbsd${PIE_SUFFIX}.a
 
 LIBSMDIR=	${OBJTOP}/lib/libsm
-LIBSM?=		${LIBSMDIR}/libsm.a
+LIBSM?=		${LIBSMDIR}/libsm${PIE_SUFFIX}.a
 
 LIBSMDBDIR=	${OBJTOP}/lib/libsmdb
-LIBSMDB?=	${LIBSMDBDIR}/libsmdb.a
+LIBSMDB?=	${LIBSMDBDIR}/libsmdb${PIE_SUFFIX}.a
 
 LIBSMUTILDIR=	${OBJTOP}/lib/libsmutil
-LIBSMUTIL?=	${LIBSMUTILDIR}/libsmutil.a
+LIBSMUTIL?=	${LIBSMUTILDIR}/libsmutil${PIE_SUFFIX}.a
 
 LIBNETBSDDIR?=	${OBJTOP}/lib/libnetbsd
-LIBNETBSD?=	${LIBNETBSDDIR}/libnetbsd.a
+LIBNETBSD?=	${LIBNETBSDDIR}/libnetbsd${PIE_SUFFIX}.a
 
 LIBVERSDIR?=	${OBJTOP}/kerberos5/lib/libvers
-LIBVERS?=	${LIBVERSDIR}/libvers.a
+LIBVERS?=	${LIBVERSDIR}/libvers${PIE_SUFFIX}.a
 
 LIBSLDIR=	${OBJTOP}/kerberos5/lib/libsl
-LIBSL?=		${LIBSLDIR}/libsl.a
+LIBSL?=		${LIBSLDIR}/libsl${PIE_SUFFIX}.a
 
 LIBIPFDIR=	${OBJTOP}/sbin/ipf/libipf
-LIBIPF?=	${LIBIPFDIR}/libipf.a
+LIBIPF?=	${LIBIPFDIR}/libipf${PIE_SUFFIX}.a
 
 LIBTELNETDIR=	${OBJTOP}/lib/libtelnet
-LIBTELNET?=	${LIBTELNETDIR}/libtelnet.a
+LIBTELNET?=	${LIBTELNETDIR}/libtelnet${PIE_SUFFIX}.a
 
 LIBCRONDIR=	${OBJTOP}/usr.sbin/cron/lib
-LIBCRON?=	${LIBCRONDIR}/libcron.a
+LIBCRON?=	${LIBCRONDIR}/libcron${PIE_SUFFIX}.a
 
 LIBNTPDIR=	${OBJTOP}/usr.sbin/ntp/libntp
-LIBNTP?=	${LIBNTPDIR}/libntp.a
+LIBNTP?=	${LIBNTPDIR}/libntp${PIE_SUFFIX}.a
 
 LIBNTPEVENTDIR=	${OBJTOP}/usr.sbin/ntp/libntpevent
-LIBNTPEVENT?=	${LIBNTPEVENTDIR}/libntpevent.a
+LIBNTPEVENT?=	${LIBNTPEVENTDIR}/libntpevent${PIE_SUFFIX}.a
 
 LIBOPTSDIR=	${OBJTOP}/usr.sbin/ntp/libopts
-LIBOPTS?=	${LIBOPTSDIR}/libopts.a
+LIBOPTS?=	${LIBOPTSDIR}/libopts${PIE_SUFFIX}.a
 
 LIBPARSEDIR=	${OBJTOP}/usr.sbin/ntp/libparse
-LIBPARSE?=	${LIBPARSEDIR}/libparse.a
+LIBPARSE?=	${LIBPARSEDIR}/libparse${PIE_SUFFIX}.a
 
 LIBLPRDIR=	${OBJTOP}/usr.sbin/lpr/common_source
-LIBLPR?=	${LIBLPRDIR}/liblpr.a
+LIBLPR?=	${LIBLPRDIR}/liblpr${PIE_SUFFIX}.a
 
 LIBFIFOLOGDIR=	${OBJTOP}/usr.sbin/fifolog/lib
-LIBFIFOLOG?=	${LIBFIFOLOGDIR}/libfifolog.a
+LIBFIFOLOG?=	${LIBFIFOLOGDIR}/libfifolog${PIE_SUFFIX}.a
 
 LIBBSNMPTOOLSDIR=	${OBJTOP}/usr.sbin/bsnmpd/tools/libbsnmptools
-LIBBSNMPTOOLS?=	${LIBBSNMPTOOLSDIR}/libbsnmptools.a
+LIBBSNMPTOOLS?=	${LIBBSNMPTOOLSDIR}/libbsnmptools${PIE_SUFFIX}.a
 
 LIBAMUDIR=	${OBJTOP}/usr.sbin/amd/libamu
-LIBAMU?=	${LIBAMUDIR}/libamu.a
+LIBAMU?=	${LIBAMUDIR}/libamu${PIE_SUFFIX}.a
 
-LIBBE?=		${LIBBEDIR}/libbe.a
+LIBBE?=		${LIBBEDIR}/libbe${PIE_SUFFIX}.a
 
 LIBPMCSTATDIR=	${OBJTOP}/lib/libpmcstat
-LIBPMCSTAT?=	${LIBPMCSTATDIR}/libpmcstat.a
+LIBPMCSTAT?=	${LIBPMCSTATDIR}/libpmcstat${PIE_SUFFIX}.a
 
 LIBC_NOSSP_PICDIR=	${OBJTOP}/lib/libc
 LIBC_NOSSP_PIC?=	${LIBC_NOSSP_PICDIR}/libc_nossp_pic.a

Modified: head/stand/i386/Makefile.inc
==============================================================================
--- head/stand/i386/Makefile.inc	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/stand/i386/Makefile.inc	Fri Feb 15 22:22:38 2019	(r344179)
@@ -7,6 +7,7 @@
 LOADER_ADDRESS?=0x200000
 LDFLAGS+=	-nostdlib
 LDFLAGS.lld+=	-Wl,--no-rosegment
+MK_PIE:=	no
 
 # BTX components
 BTXDIR=		${BOOTOBJ}/i386/btx

Added: head/tools/build/options/WITHOUT_PIE
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tools/build/options/WITHOUT_PIE	Fri Feb 15 22:22:38 2019	(r344179)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Do not build dynamically linked binaries as
+Position-Independent Executable (PIE).

Added: head/tools/build/options/WITH_PIE
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tools/build/options/WITH_PIE	Fri Feb 15 22:22:38 2019	(r344179)
@@ -0,0 +1,3 @@
+.\" $FreeBSD$
+Build dynamically linked binaries as
+Position-Independent Executable (PIE).

Modified: head/usr.bin/clang/Makefile.inc
==============================================================================
--- head/usr.bin/clang/Makefile.inc	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/usr.bin/clang/Makefile.inc	Fri Feb 15 22:22:38 2019	(r344179)
@@ -4,6 +4,8 @@ WARNS?=		0
 
 .include <bsd.compiler.mk>
 
+MK_PIE:=	no	# Explicit libXXX.a references
+
 .if ${COMPILER_TYPE} == "clang"
 DEBUG_FILES_CFLAGS= -gline-tables-only
 .else

Modified: head/usr.bin/svn/Makefile.inc
==============================================================================
--- head/usr.bin/svn/Makefile.inc	Fri Feb 15 21:50:45 2019	(r344178)
+++ head/usr.bin/svn/Makefile.inc	Fri Feb 15 22:22:38 2019	(r344179)
@@ -2,6 +2,8 @@
 
 .include <src.opts.mk>
 
+MK_PIE:=	no	# Explicit libXXX.a references
+
 .if ${MK_SVN} == "yes"
 SVNLITE?=
 .else

