pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/mk Describe some of the security mitigation flags and ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/7c67826543ad
branches: trunk
changeset: 380867:7c67826543ad
user: maya <maya%pkgsrc.org@localhost>
date: Wed May 23 11:26:54 2018 +0000
description:
Describe some of the security mitigation flags and their impact
diffstat:
mk/bsd.prefs.mk | 26 +++++++++++++++++++++++++-
1 files changed, 25 insertions(+), 1 deletions(-)
diffs (75 lines):
diff -r 8c13e9acf4fe -r 7c67826543ad mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk Wed May 23 10:59:08 2018 +0000
+++ b/mk/bsd.prefs.mk Wed May 23 11:26:54 2018 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.396 2018/01/15 09:35:45 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.397 2018/05/23 11:26:54 maya Exp $
#
# This file includes the mk.conf file, which contains the user settings.
#
@@ -699,6 +699,10 @@
_BUILD_DEFS+= INIT_SYSTEM
.endif
+# Build Position Independent Executables if supported
+# Allows the security mitigation of ASLR to be used.
+# Impact: very small performance drop.
+#
_PKGSRC_MKPIE= no
.if ${PKGSRC_MKPIE:tl} == "yes" && \
${MKPIE_SUPPORTED:Uyes:tl} == "yes" && \
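Review bot: The new comment on `_PKGSRC_MKPIE` does not say that this knob is opt-in. The test below it is `${PKGSRC_MKPIE:tl} == "yes"`, while the FORTIFY, RELRO, SSP and STACK_CHECK blocks later in this diff test `!= "no"`, which any other value satisfies. I would add `# Enabled only when PKGSRC_MKPIE is set to "yes".` here and `# Enabled unless set to "no".` to the other four comments, so a reader auditing a build can tell which mitigations it carries; the default values are assigned outside this diff and should be confirmed. It would also help to state why PIE matters: `# Without PIE the main executable is loaded at a fixed address even when ASLR is on.` The `.if` condition continues past the end of the hunk.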
@@ -706,6 +710,9 @@
_PKGSRC_MKPIE= yes
.endif
+# Enable reproducible build flags
+# Adjusts debug symbols to omit workdir references
+#
_PKGSRC_MKREPRO= no
.if ${PKGSRC_MKREPRO:tl} == "yes" && \
${MKREPRO_SUPPORTED:Uyes:tl} == "yes" && \
@@ -713,6 +720,10 @@
_PKGSRC_MKREPRO= yes
.endif
+# Enable FORTIFY
+# Security mitigation: compile and run-time checks for buffer overflows.
+# Impact: performance drop
+#
_PKGSRC_USE_FORTIFY= no
.if ${PKGSRC_USE_FORTIFY:tl} != "no" && \
${FORTIFY_SUPPORTED:Uyes:tl} == "yes" && \
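Review bot: "compile and run-time checks for buffer overflows" in the FORTIFY comment reads broader than what the feature provides. Fortification instruments calls to selected libc string and memory functions, and only where the compiler can determine the destination object's size, which normally requires optimisation to be enabled. I would write `# Security mitigation: compile- and run-time bounds checks on calls to libc string/memory functions whose destination size is known.` "Impact: performance drop" is also repeated verbatim for SSP and stack check, which gives no basis for comparison with the "very small" cost stated for PIE; a rough qualifier per knob would help. The `.if` condition continues past the end of the hunk.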
@@ -720,6 +731,10 @@
_PKGSRC_USE_FORTIFY= yes
.endif
+# Use read-only relocations
+# Security mitigation: some ELF sections are mapped read-only.
+# Impact: increases program startup time as it disables lazy-binding
+#
_PKGSRC_USE_RELRO= no
.if ${PKGSRC_USE_RELRO:tl} != "no" && \
${RELRO_SUPPORTED:Uyes:tl} == "yes" && \
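Review bot: The stated impact, "disables lazy-binding", is a property of immediate binding (`-z now`), not of read-only relocations as such. `-z relro` alone keeps lazy binding and protects less, because the part of the GOT used for lazy PLT resolution stays writable. If this knob can select either form (the `!= "no"` test suggests it accepts more than yes/no, but the accepted values are not visible here), the comment should separate them, for example `# Impact: with immediate binding, longer startup and no lazy binding; without it, negligible.` I would also replace "some ELF sections" with what is protected: `# Security mitigation: the GOT and other relocation data are made read-only after relocation, which blocks GOT overwrites.` The `.if` condition continues past the end of the hunk.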
@@ -727,6 +742,11 @@
_PKGSRC_USE_RELRO= yes
.endif
+# Enable Stack-Smashing Protection
+# Security mitigation: add and check canaries on the stack at runtime
+# to find buffer overruns.
+# Impact: performance drop
+#
_PKGSRC_USE_SSP= no
.if ${PKGSRC_USE_SSP:tl} != "no" && \
${SSP_SUPPORTED:Uyes:tl} == "yes" && \
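Review bot: "to find buffer overruns" in the SSP comment overstates what a canary catches. The check runs when an instrumented function returns, so it detects a contiguous stack overwrite that crosses the canary, not overruns in general, and not in functions the selected protection level leaves uninstrumented. I would reword the two lines to `# Security mitigation: place a canary next to the saved return address and verify it` and `# on function return; the process aborts if a stack buffer overrun has changed it.` The `.if` condition continues past the end of the hunk.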
@@ -734,6 +754,10 @@
_PKGSRC_USE_SSP= yes
.endif
+# Enable stack check
+# Generate code to ensure we don't exceed our given stack.
+# Impact: performance drop
+#
_PKGSRC_USE_STACK_CHECK=no
.if ${PKGSRC_USE_STACK_CHECK:tl} != "no" && \
${STACK_CHECK_SUPPORTED:Uyes:tl} == "yes" && \