HBSD: Hook bsd.hardening.mk globally into the ports framework.
This introduces PIE, RELRO, and BIND_NOW into the whole ports framework. A good portion of ports should work with PIE, RELRO, and BIND_NOW. In those cases where ports won't compile or run with PIE, check for NOPIE. In those cases where ports won't compile or run with RELRO + BIND_NOW, check for NORELRO.

PIE and RELRO + BIND_NOW are disabled by default for ports that have either kmod or fortran USES flags. Kernel modules cannot be compiled with PIE, RELRO, and BIND_NOW. More research is needed for the fortran ports. If PIE is disabled by default for a port, but the port maintainer wants to force PIE to be enabled by default, the port maintainer can set EXPLICIT_PIE. Same logic for RELRO + BIND_NOW, but with EXPLICIT_RELRO.

A follow-up commit will be made to explicitly disable PIE or RELRO + BIND_NOW for a number of ports. Out of roughly 26,000 ports, only around 400 failed to compile due to PIE or RELRO + BIND_NOW. Given that there are over 26,100 ports in the tree, HardenedBSD will need to rely on its ever-growing community for runtime testing. Simply compiling an application does not mean that the application will run successfully. As an example, xorg will compile fine with RELRO + BIND_NOW, but due to how it integrates with modules during runtime, it will break. xorg still runs fine with PIE, however.

Signed-off-by: Shawn Webb <email@example.com>
Showing with 51 additions and 0 deletions.