Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1465824402202530"
MIME-Version: 1.0
Date: Mon, 13 Jun 2016 13:26:42 +0000
From: "Jonathan Perkin" <jperkin@netbsd.org>
Subject: CVS commit: pkgsrc/mk
To: pkgsrc-changes@NetBSD.org
Reply-To: jperkin@netbsd.org
Message-Id: <20160613132642.807F4FBB5@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1465824402202530
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	jperkin
Date:		Mon Jun 13 13:26:42 UTC 2016

Modified Files:
	pkgsrc/mk: bsd.prefs.mk
	pkgsrc/mk/compiler: gcc.mk
	pkgsrc/mk/defaults: mk.conf

Log Message:
Change PKGSRC_USE_SSP to a quad option.  The options are now:

   "no"     Do not pass any stack protection flags (the default)
   "yes"    Pass -fstack-protector
   "strong" Pass -fstack-protector-strong
   "all"    Pass -fstack-protector-all

This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms.  Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.

While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.

Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.


To generate a diff of this commit:
cvs rdiff -u -r1.386 -r1.387 pkgsrc/mk/bsd.prefs.mk
cvs rdiff -u -r1.167 -r1.168 pkgsrc/mk/compiler/gcc.mk
cvs rdiff -u -r1.263 -r1.264 pkgsrc/mk/defaults/mk.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1465824402202530
Content-Disposition: inline
Content-Length: 3259
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/mk/bsd.prefs.mk
diff -u pkgsrc/mk/bsd.prefs.mk:1.386 pkgsrc/mk/bsd.prefs.mk:1.387
--- pkgsrc/mk/bsd.prefs.mk:1.386	Sun Apr 17 08:13:09 2016
+++ pkgsrc/mk/bsd.prefs.mk	Mon Jun 13 13:26:42 2016
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.386 2016/04/17 08:13:09 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.387 2016/06/13 13:26:42 jperkin Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -707,7 +707,7 @@ _PKGSRC_USE_RELRO=	yes
 .endif
 
 _PKGSRC_USE_SSP=	no
-.if (${PKGSRC_USE_SSP:tl} == "yes") && \
+.if (${PKGSRC_USE_SSP:tl} != "no") && \
     (${_OPSYS_SUPPORTS_SSP:Uno} == "yes")
 _PKGSRC_USE_SSP=	yes
 .endif

Index: pkgsrc/mk/compiler/gcc.mk
diff -u pkgsrc/mk/compiler/gcc.mk:1.167 pkgsrc/mk/compiler/gcc.mk:1.168
--- pkgsrc/mk/compiler/gcc.mk:1.167	Mon Apr 11 04:22:34 2016
+++ pkgsrc/mk/compiler/gcc.mk	Mon Jun 13 13:26:42 2016
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.167 2016/04/11 04:22:34 dbj Exp $
+# $NetBSD: gcc.mk,v 1.168 2016/06/13 13:26:42 jperkin Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -346,12 +346,10 @@ _MKPIE_CFLAGS.gcc=	-fPIC
 # XXX for libraries a sink wrapper around gcc is required and used instead
 #_MKPIE_LDFLAGS.gcc=	-pie
 _RELRO_LDFLAGS.gcc=	-Wl,-z,relro -Wl,-z,now
-_SSP_CFLAGS.gcc=	-fstack-protector-all
 .endif
 
 .if ${OPSYS} == "SunOS"
 _FORTIFY_CFLAGS.gcc=	-D_FORTIFY_SOURCE=2
-_SSP_CFLAGS.gcc=	-fstack-protector
 .endif
 
 .if ${_PKGSRC_MKPIE} == "yes"
@@ -372,9 +370,21 @@ _GCC_LDFLAGS+=		${_RELRO_LDFLAGS.gcc}
 CWRAPPERS_APPEND.ld+=	${_RELRO_LDFLAGS.gcc}
 .endif
  
+# The user can choose the level of stack smashing protection.
+.if ${PKGSRC_USE_SSP} == "all"
+_SSP_CFLAGS=		-fstack-protector-all
+.elif ${PKGSRC_USE_SSP} == "strong"
+_SSP_CFLAGS=		-fstack-protector-strong
+.else
+_SSP_CFLAGS=		-fstack-protector
+.endif
+
 .if ${_PKGSRC_USE_SSP} == "yes"
-_GCC_CFLAGS+=		${_SSP_CFLAGS.gcc}
-CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS.gcc}
+_WRAP_EXTRA_ARGS.CC+=	${_SSP_CFLAGS}
+_WRAP_EXTRA_ARGS.CXX+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.cxx+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.f77+=	${_SSP_CFLAGS}
 .endif
 
 # GCC has this annoying behaviour where it advocates in a multi-line

Index: pkgsrc/mk/defaults/mk.conf
diff -u pkgsrc/mk/defaults/mk.conf:1.263 pkgsrc/mk/defaults/mk.conf:1.264
--- pkgsrc/mk/defaults/mk.conf:1.263	Fri Mar 11 23:03:31 2016
+++ pkgsrc/mk/defaults/mk.conf	Mon Jun 13 13:26:42 2016
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.263 2016/03/11 23:03:31 khorben Exp $
+# $NetBSD: mk.conf,v 1.264 2016/06/13 13:26:42 jperkin Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -236,8 +236,12 @@ PKGSRC_USE_RELRO?= no
 # Default: no
 
 PKGSRC_USE_SSP?= no
-# Set this to yes to enable stack-smashing protection (on supported platforms).
-# Possible: yes, no
+# Configure this to enable stack smashing protection (on supported platforms).
+# Possible values:
+#	no:	Do not pass any stack protection flags
+#	yes:	Pass -fstack-protector
+#	strong:	Pass -fstack-protector-strong
+#	all:	Pass -fstack-protector-all
 # Default: no
 
 # The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below.


--_----------=_1465824402202530--