HBSD: Hook bsd.hardening.mk globally into the ports framework.

This introduces PIE, RELRO, and BIND_NOW into the whole ports
framework. A good portion of ports should work with PIE, RELRO, and
BIND_NOW. In those cases where ports won't compile or run with PIE,
check for NOPIE. In those cases where ports won't compile or run with
RELRO + BIND_NOW, check for NORELRO.

PIE and RELRO + BIND_NOW are disabled by default for ports that have
either kmod or fortran USES flags. Kernel modules cannot be compiled
with PIE, RELRO, and BIND_NOW. More research is needed for the fortran
ports.

If PIE is disabled by default for a port, but the port maintainer
wants to force PIE to be enabled by default, the port maintainer can
set EXPLICIT_PIE. Same logic for RELRO + BIND_NOW, but with
EXPLICIT_RELRO.

A follow-up commit will be made to explicitly disable PIE or RELRO +
BIND_NOW for a number of ports. Out of roughly 26,000 ports, only
around 400 failed to compile due to PIE or RELRO + BIND_NOW.

Given that there's over 26,100 ports in the tree, HardenedBSD will
need to rely on its ever-growing community for runtime testing. Simply
compiling an application does not mean that the application will run
successfully. As an example, xorg will compile fine with RELRO +
BIND_NOW, but due to how it integrates with modules during runtime, it
will break. xorg still runs fine with PIE, however.

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

Mk/bsd.hardening.mk

@@ -2,6 +2,9 @@
 #
 # HardenedBSD-related ports options
 
+.if !defined(__BSD_PORT_HARDENING_MK)
+__BSD_PORT_HARDENING_MK=1
+
 ####################################################
 ### Position-Idependent Executable (PIE) support ###
 ####################################################
@@ -10,6 +13,30 @@ OPTIONS_DEFINE+=	PIE
 PIE_DESC=		Build as PIE
 PIE_USES=		pie
 
+# Do not enable PIE for libraries or kernel module ports. However,
+# provide a way for still enabling PIE if desired by the port's
+# maintainer by allowing them to define EXPLICIT_PIE.
+#
+# It's possible that keying off lib* as the port's name could
+# introduce false positives. Hence even more reason to have
+# EXPLICIT_PIE.
+.if defined(PORTNAME)
+.if !defined(EXPLICIT_PIE)
+.if ${PORTNAME:Mlib*} || ${PORTNAME:M*kmod*} || \
+	(defined(PKGNAMESUFFIX) && (${PKGNAMESUFFIX:Mlib*}))
+NOPIE=	yes
+.endif
+.endif
+.endif
+
+.if defined(USES)
+.for _USES in ${USES}
+.if ${_USES} == kmod || ${_USES} == fortran
+NOPIE=	yes
+.endif
+.endfor
+.endif
+
 .if !defined(NOPIE)
 OPTIONS_DEFAULT+=	PIE
 .endif
@@ -22,6 +49,25 @@ OPTIONS_DEFINE+=	RELRO
 RELRO_DESC=		Build with RELRO + BIND_NOW
 RELRO_USES=		relro
 
+# Same reasoning here with RELRO as with PIE.
+.if defined(PORTNAME)
+.if !defined(EXPLICIT_RELRO)
+.if ${PORTNAME:Mlib*} || ${PORTNAME:M*kmod*} || \
+	(defined(PKGNAMESUFFIX) && (${PKGNAMESUFFIX:Mlib*}))
+NORELRO=	yes
+.endif
+.endif
+.endif
+
+.if defined(USES)
+.for _USES in ${USES}
+.if ${_USES} == kmod || ${_USES} == fortran
+NORELRO=	yes
+.endif
+.endfor
+.endif
+
 .if !defined(NORELRO)
 OPTIONS_DEFAULT+=	RELRO
 .endif
+.endif # !__BSD_PORT_HARDENING_MK

Mk/bsd.options.mk

@@ -157,6 +157,8 @@
 .if !defined(OPTIONSMKINCLUDED)
 OPTIONSMKINCLUDED=	bsd.options.mk
 
+.include "bsd.hardening.mk"
+
 OPTIONS_NAME?=	${PKGORIGIN:S/\//_/}
 OPTIONS_FILE?=	${PORT_DBDIR}/${OPTIONS_NAME}/options
 

Mk/bsd.port.options.mk

@@ -18,6 +18,8 @@ OPTIONS_Include_MAINTAINER=		portmgr@FreeBSD.org
 USEOPTIONSMK=	yes
 INOPTIONSMK=	yes
 
+.include "bsd.hardening.mk"
+
 .include "bsd.port.mk"
 
 .undef INOPTIONSMK

Mk/bsd.port.pre.mk

@@ -2,6 +2,7 @@
 
 BEFOREPORTMK=	yes
 
+.include "bsd.hardening.mk"
 .include "bsd.port.mk"
 
 .undef BEFOREPORTMK