Re: Improving security for pkgsrc
So,
On 07/18/15 18:38, Pierre Pronchery wrote:
> while looking for ways to provide binary packages for EdgeBSD users in
> line with the current state of the art, I found that there are some
> low-hanging fruits up for grabs:
> http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff;h=705b840d59ecd6834320c15d12ecdf38e133c0d7
>
> 1. Building with stack smashing protection: (SSP)
> [...]
> Let me know if any of those look good enough for NetBSD's base system,
> or if they can already be discussed there as well.
Now that we agree to disagree, I have prepared this part for
integration. Please review and let me know if I can push it to pkgsrc.
It adds support for SSP, when enabled in mk.conf(5) with USE_SSP=yes. It
is otherwise disabled by default.
It can also be found here:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff;h=aca6ef1c664499f98aa3df018a03f30ff728aea6
I will maintain it on this branch:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=shortlog;h=refs/heads/integration/ssp
Cheers,
--
khorben
commit aca6ef1c664499f98aa3df018a03f30ff728aea6
Author: Pierre Pronchery <khorben%defora.org@localhost>
Date: Thu Jul 16 20:30:47 2015 +0200
Add support for compiling with stack-smashing protection
This is enabled with USE_SSP in mk.conf(5), like for NetBSD's base
system.
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index eb7b925..04c2211 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -67,7 +67,7 @@ _DEF_VARS.gcc= \
PKG_CC PKG_CPP PKG_CXX PKG_FC \
PKG_ADA PKG_GMK PKG_GLK PKG_GDB PKG_CHP PKG_GLK PKG_GNT PKG_PRP \
_CC _COMPILER_RPATH_FLAG _COMPILER_STRIP_VARS \
- _GCCBINDIR _GCC_ARCHDIR _GCC_BIN_PREFIX _GCC_CC \
+ _GCCBINDIR _GCC_ARCHDIR _GCC_BIN_PREFIX _GCC_CC _GCC_CFLAGS \
_GCC_CPP _GCC_CXX _GCC_DEPENDENCY _GCC_DEPENDS \
_GCC_FC _GCC_LDFLAGS _GCC_LIBDIRS _GCC_PKG \
_GCC_PKGBASE _GCC_PKGSRCDIR _GCC_PKG_SATISFIES_DEP \
@@ -336,6 +336,8 @@ CWRAPPERS_APPEND.cc+= -std=gnu99
CFLAGS+= -Wno-import
.endif
+CFLAGS+= ${_GCC_CFLAGS}
+
.if !empty(_NEED_GCC2:M[yY][eE][sS])
#
# We require gcc-2.x in the lang/gcc directory.
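Review bot: `CFLAGS+= ${_GCC_CFLAGS}` expands a variable that gcc.mk itself never initialises — unlike `_GCC_LDFLAGS= # empty` further down in the same file — and that, within this diff, is only ever populated by mk/platform/NetBSD.mk. For consistency with the other `_GCC_*` variables, and so a reader of gcc.mk can tell where the flags come from, I would give it a default and a comment next to this line: `# Extra compiler flags contributed by the platform files (e.g. SSP via USE_SSP)` followed by `_GCC_CFLAGS?= # empty`. Whether bmake would ever warn on the undefined reference I cannot tell from here, so the default is mainly for readability.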
@@ -678,7 +680,6 @@ _GCC_LDFLAGS= # empty
. for _dir_ in ${_GCC_LIBDIRS:N*not_found*}
_GCC_LDFLAGS+= -L${_dir_} ${COMPILER_RPATH_FLAG}${_dir_}
. endfor
-LDFLAGS+= ${_GCC_LDFLAGS}
.endif
# Point the variables that specify the compiler to the installed
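Review bot: Removing `LDFLAGS+= ${_GCC_LDFLAGS}` drops the `-L`/rpath flags for the compiler's own library directories that the `.for` loop just above still computes, and nothing else in this diff consumes `_GCC_LDFLAGS`, so unless it is reinstated outside this diff, packages built with a pkgsrc-installed gcc would presumably no longer find that compiler's runtime libraries at link or run time. This is unrelated to the stated purpose of the commit (stack-smashing protection) and looks like a stray deletion; I would restore `LDFLAGS+= ${_GCC_LDFLAGS}` or explain in the commit message why it goes. The enclosing `.if` block starts outside the hunk.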
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 52ddc1b..dc10d69 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1640,6 +1640,11 @@ USE_CRYPTO?= YES
# Possible: YES, or NO.
# Default: YES
+USE_SSP?= no
+# Set this to YES to enable stack-smashing protection (on supported platforms).
+# Possible: yes, no
+# Default: no
+
USERPPP_GROUP?= network
# Used in the userppp package to specify the default group.
# Possible: any group name
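Review bot: `USE_SSP?= no` together with `# Possible: yes, no` breaks the `YES`/`NO` convention of the neighbouring entries (`USE_CRYPTO?= YES`, `# Possible: YES, or NO.` two lines above), and the consumer added in mk/platform/NetBSD.mk compares against the literal string `"no"`, so a user who writes `USE_SSP=NO` in the file's usual style would silently turn the protection on rather than off. Either default and document it as `USE_SSP?= NO` / `# Possible: YES, or NO.` to match, or make the consumer case-insensitive (see my note on the NetBSD.mk hunk). "on supported platforms" also leaves the reader guessing; within this change the knob is only honoured by mk/platform/NetBSD.mk, so `# Currently honoured only by mk/platform/NetBSD.mk, on architectures where GCC supports -fstack-protector.` would set expectations.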
diff --git a/mk/platform/NetBSD.mk b/mk/platform/NetBSD.mk
index 91940de..0f421bc 100644
--- a/mk/platform/NetBSD.mk
+++ b/mk/platform/NetBSD.mk
@@ -133,6 +133,16 @@ FFLAGS+= -mieee
PKG_HAVE_KQUEUE= # defined
.endif
+.if (${MACHINE_ARCH} != "alpha") && \
+ (${MACHINE_ARCH} != "hppa") && \
+ (${MACHINE_ARCH} != "ia64") && \
+ (${MACHINE_ARCH} != "mips")
+. if ${USE_SSP:Uno} != "no"
+# build with stack protection (with GCC)
+_GCC_CFLAGS+= -fstack-protector
+. endif
+.endif
+
_OPSYS_CAN_CHECK_SHLIBS= yes # use readelf in check/bsd.check-vars.mk
# check for maximum command line length and set it in configure's environment,
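Review bot: `. if ${USE_SSP:Uno} != "no"` treats every value except the lowercase literal `no` — `NO`, `No`, or a typo — as a request to enable SSP, which is the opposite of how gcc.mk tests such knobs (`:M[yY][eE][sS]`); `. if !empty(USE_SSP:M[yY][eE][sS])` enables only on an explicit yes and still evaluates false when the variable is unset. Because `_GCC_CFLAGS` is consumed only by mk/compiler/gcc.mk, a user who sets USE_SSP with a different compiler gets neither protection nor a diagnostic; the comment could say so: `# Only effective with GCC: _GCC_CFLAGS is consumed by mk/compiler/gcc.mk.` A one-line comment giving the reason alpha, hppa, ia64 and mips are excluded would also help the next maintainer. I cannot tell from this diff whether CXXFLAGS inherits CFLAGS in pkgsrc; if it does not, C++ objects would be built without the protector and that is worth confirming.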