pkgsrc-Changes archive


CVS commit: pkgsrc/mk



Module Name:    pkgsrc
Committed By:   maya
Date:           Wed May 23 11:26:54 UTC 2018

Modified Files:
        pkgsrc/mk: bsd.prefs.mk

Log Message:
Describe some of the security mitigation flags and their impact


To generate a diff of this commit:
cvs rdiff -u -r1.396 -r1.397 pkgsrc/mk/bsd.prefs.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mk/bsd.prefs.mk
diff -u pkgsrc/mk/bsd.prefs.mk:1.396 pkgsrc/mk/bsd.prefs.mk:1.397
--- pkgsrc/mk/bsd.prefs.mk:1.396        Mon Jan 15 09:35:45 2018
+++ pkgsrc/mk/bsd.prefs.mk      Wed May 23 11:26:54 2018
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.396 2018/01/15 09:35:45 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.397 2018/05/23 11:26:54 maya Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -699,6 +699,10 @@ INIT_SYSTEM?=              rc.d
 _BUILD_DEFS+=          INIT_SYSTEM
 .endif
 
+# Build Position Independent Executables if supported
+# Allows the security mitigation of ASLR to be used.
+# Impact: very small performance drop.
+#
 _PKGSRC_MKPIE= no
 .if ${PKGSRC_MKPIE:tl} == "yes" && \
     ${MKPIE_SUPPORTED:Uyes:tl} == "yes" && \
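Review bot: The added line `# Allows the security mitigation of ASLR to be used.` overstates what PIE changes: on most systems stack, heap and shared-library randomisation work without it, and PIE is what allows the main executable's own image to be loaded at a randomised address. I would word it as `# Lets ASLR also randomise the load address of the executable itself.` The comment should also say that this knob is opt-in: the condition below tests `${PKGSRC_MKPIE:tl} == "yes"`, as the MKREPRO block does, while the FORTIFY, RELRO, SSP and STACK_CHECK blocks test `!= "no"` and are therefore enabled by any other value. The `.if` condition continues outside the hunk.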
@@ -706,6 +710,9 @@ _PKGSRC_MKPIE=      no
 _PKGSRC_MKPIE= yes
 .endif
 
+# Enable reproducible build flags
+# Adjusts debug symbols to omit workdir references
+#
 _PKGSRC_MKREPRO=       no
 .if ${PKGSRC_MKREPRO:tl} == "yes" && \
     ${MKREPRO_SUPPORTED:Uyes:tl} == "yes" && \
@@ -713,6 +720,10 @@ _PKGSRC_MKREPRO=   no
 _PKGSRC_MKREPRO=       yes
 .endif
 
+# Enable FORTIFY
+# Security mitigation: compile and run-time checks for buffer overflows.
+# Impact: performance drop
+#
 _PKGSRC_USE_FORTIFY=   no
 .if ${PKGSRC_USE_FORTIFY:tl} != "no" && \
     ${FORTIFY_SUPPORTED:Uyes:tl} == "yes" && \
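Review bot: `# Impact: performance drop` is too vague to help someone deciding whether to leave the mitigation on, and the same bare line is repeated in the SSP and stack-check hunks, while the PIE comment at least says "very small". I would state what the cost depends on, for example `# Impact: small; adds size checks to calls such as memcpy/strcpy where the destination size is known at compile time`. Because the visible condition is `${PKGSRC_USE_FORTIFY:tl} != "no"`, any value other than `no` enables the feature; if the variable accepts levels rather than yes/no, the comment should list them and what each one adds. The `.if` condition continues outside the hunk.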
@@ -720,6 +731,10 @@ _PKGSRC_USE_FORTIFY=       no
 _PKGSRC_USE_FORTIFY=   yes
 .endif
 
+# Use read-only relocations
+# Security mitigation: some ELF sections are mapped read-only.
+# Impact: increases program startup time as it disables lazy-binding
+#
 _PKGSRC_USE_RELRO=     no
 .if ${PKGSRC_USE_RELRO:tl} != "no" && \
     ${RELRO_SUPPORTED:Uyes:tl} == "yes" && \
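Review bot: The `# Impact:` line attributes the loss of lazy binding to RELRO in general, but that cost comes only from full RELRO, where all symbols are bound at startup; partial RELRO keeps lazy binding and leaves the PLT's GOT entries writable, so it protects less. The condition `${PKGSRC_USE_RELRO:tl} != "no"` suggests the variable selects a level rather than yes/no (worth confirming against the defaults file), in which case the comment should describe both, e.g. `# partial: relocation data made read-only after startup, lazy binding kept` and `# full: additionally binds all symbols at startup so the whole GOT is read-only; slower startup`. "Mapped read-only" would also read more accurately as "remapped read-only once relocation is done". The `.if` condition continues outside the hunk.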
@@ -727,6 +742,11 @@ _PKGSRC_USE_RELRO= no
 _PKGSRC_USE_RELRO=     yes
 .endif
 
+# Enable Stack-Smashing Protection
+# Security mitigation: add and check canaries on the stack at runtime
+# to find buffer overruns.
+# Impact: performance drop
+#
 _PKGSRC_USE_SSP=       no
 .if ${PKGSRC_USE_SSP:tl} != "no" && \
     ${SSP_SUPPORTED:Uyes:tl} == "yes" && \
@@ -734,6 +754,10 @@ _PKGSRC_USE_SSP=   no
 _PKGSRC_USE_SSP=       yes
 .endif
 
+# Enable stack check
+# Generate code to ensure we don't exceed our given stack.
+# Impact: performance drop
+#
 _PKGSRC_USE_STACK_CHECK=no
 .if ${PKGSRC_USE_STACK_CHECK:tl} != "no" && \
     ${STACK_CHECK_SUPPORTED:Uyes:tl} == "yes" && \
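Review bot: This is the only one of the new comment blocks that does not say whether the flag is a security mitigation, and `# Generate code to ensure we don't exceed our given stack.` does not say what happens when the check fails. If the intent is to stop stack growth from running into adjacent memory, add the same `# Security mitigation:` line the FORTIFY, RELRO and SSP blocks carry and name the failure behaviour; if it is only a robustness aid, say so, so that users do not count it as hardening. Either way, state which compiler option the knob maps to, since the level of protection differs between stack-checking options. The `.if` condition continues outside the hunk.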


