tech-pkg archive


Re: Updated patch for pkgsrc hardening



* On 2016-03-01 at 00:03 GMT, Pierre Pronchery wrote:

> Please let me know if I can apply part (or all) of this patch into
> pkgsrc directly. The defaults can be changed obviously, particularly so
> in the case of PKGSRC_MKPIE as many packages are still expected to fail
> building with this set.

For me there's too much hard-coding for NetBSD here, and too much
logic in the platform file.  If you ever want to extend the support to
other platforms then there is a large amount of code that needs to be
duplicated across each platform/*.mk file.

The best way to architect this kind of stuff is:

  * Set a flag in each mk/platform/*.mk file which tells pkgsrc
    whether that platform supports a particular feature, using
    MACHINE_ARCH or whatever if only certain architectures or releases
    for that platform support the feature.

  * Combine the platform-specific flag with a user/default prefs
    variable to decide whether the feature should be enabled.

  * Have logic in each mk/compiler/*.mk which sets the appropriate
    compiler flag if the feature is enabled.

At the moment there are quite a few violations of this design, e.g.
there is compiler logic and user prefs in the platform file.

As an (untested) example of what I'd do:

  * mk/platform/NetBSD.mk

    _OPSYS_SUPPORTS_FORT=	yes
    .if ${MACHINE_ARCH} != "alpha" && ...
    _OPSYS_SUPPORTS_SSP=	yes
    .endif

  * mk/defaults/mk.conf

    PKGSRC_USE_FORT?=	yes
    PKGSRC_USE_SSP?=	yes

  * mk/bsd.prefs.mk

    # after defaults/mk.conf and platform/*.mk have been loaded
    _PKGSRC_USE_FORT=	no
    _PKGSRC_USE_SSP=	no
    .if ${PKGSRC_USE_FORT:tl} == "yes" && ${_OPSYS_SUPPORTS_FORT:Uno} == "yes"
    _PKGSRC_USE_FORT=	yes
    .endif
    .if ${PKGSRC_USE_SSP:tl} == "yes" && ${_OPSYS_SUPPORTS_SSP:Uno} == "yes"
    _PKGSRC_USE_SSP=	yes
    .endif

  * mk/compiler/gcc.mk

    .if ${_PKGSRC_USE_FORT} == "yes"
    _GCC_CFLAGS+=	-D_FORTIFY_SOURCE=2
    .endif
    .if ${_PKGSRC_USE_SSP} == "yes"
    _GCC_CFLAGS+=	-fstack-protector
    .endif

This way there's a clear separation between platform, user, and
compiler settings, and all I need to do to add support for Fortify to
OpenBSD is add a single line to mk/platform/OpenBSD.mk:

    _OPSYS_SUPPORTS_FORT=	yes

and if we want to support clang we don't need to duplicate a bunch of
logic in every mk/platform/*.mk file, we just add the necessary:

    .if ${_PKGSRC_USE_FORT} == "yes"
    CWRAPPERS_APPEND.cc+=	-fenable-fortify
    .endif

or whatever logic to mk/compiler/clang.mk

I also share Greg's concerns about the lack of cwrapper support.  I've
personally not used the legacy wrappers for any of my platforms in
over a year now.

Thanks for working on this.

-- 
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
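
A way to confirm that the flags set in the mk/compiler/gcc.mk fragment above (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`) actually reached a built binary, as an added example that is not part of the original message or of pkgsrc. The function name `check_hardening` and both symbol listings are constructed for illustration; the function assumes `nm -D`-style output on stdin.

```shell
#!/bin/sh
# Added example (not pkgsrc code): read `nm -D`-style output on stdin and
# report whether SSP and FORTIFY left references in the dynamic symbol table.
check_hardening() {
    awk '
        {
            sym = $NF              # symbol name is the last field
            sub(/@.*/, "", sym)    # drop an ELF version suffix if present
            # Stack protector failure handler, referenced by instrumented code
            if (sym == "__stack_chk_fail") ssp = 1
            # Fortified libc entry points: __memcpy_chk, __sprintf_chk, ...
            if (sym ~ /^__[a-z0-9_]+_chk$/) fort = 1
        }
        END {
            printf "ssp=%s fortify=%s\n", (ssp ? "yes" : "no"), (fort ? "yes" : "no")
        }'
}

# Constructed sample: symbols a binary built with both flags might import.
SAMPLE_HARDENED='                 U __stack_chk_fail
                 U __memcpy_chk@GLIBC_2.3.4
                 U __sprintf_chk
0000000000001139 T main'

# Constructed sample: the same program built without either flag.
SAMPLE_PLAIN='                 U memcpy
                 U sprintf
0000000000001139 T main'

printf '%s\n' "$SAMPLE_HARDENED" | check_hardening
printf '%s\n' "$SAMPLE_PLAIN" | check_hardening
```

On a real build, pipe `nm -D /path/to/binary` into the function. A "no" is not proof that the flag was missing: `-fstack-protector` only instruments functions the compiler considers at risk (such as those with character buffers), and a fortified call whose bounds the compiler can prove at compile time is emitted as the plain function.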

