Fri Aug 25 01:43:17 2017 UTC ()
Add support for PKGSRC_MKPIE with cwrappers

This is based on a patch submitted on 16/04/2017 on tech-pkg@ and
adapted by joerg@ for pkgtools/cwrappers. It consists only of the
missing part needed to actually generate PIE executables with cwrappers if
configured to do so (currently disabled by default). The aim is really
to produce safer binaries where ASLR is in use.

This part in pkgsrc is only supported on NetBSD (x86) with GCC at the
moment.

Tested on NetBSD/amd64, with and without cwrappers, with and without
PKGSRC_MKPIE (all four combinations).


(khorben)
diff -r1.28 -r1.29 pkgsrc/mk/cwrappers.mk
diff -r1.182 -r1.183 pkgsrc/mk/compiler/gcc.mk

cvs diff -r1.28 -r1.29 pkgsrc/mk/cwrappers.mk (expand / switch to unified diff)

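--- a/pkgsrc/mk/cwrappers.mk
+++ b/pkgsrc/mk/cwrappers.mk
@@ -1,14 +1,14 @@
-# $NetBSD: cwrappers.mk,v 1.28 2017/05/04 18:30:56 joerg Exp $
+# $NetBSD: cwrappers.mk,v 1.29 2017/08/25 01:43:17 khorben Exp $
 #
 # This Makefile fragment implements integration of pkgtools/cwrappers.
 
 .include "../../mk/wrapper/wrapper-defs.mk"
 .include "../../mk/buildlink3/bsd.buildlink3.mk"
 
 BUILD_DEPENDS+= cwrappers>=20150314:../../pkgtools/cwrappers
 
 # XXX This should be PREFIX, but USE_CROSSBASE overrides it.
 CWRAPPERS_SRC_DIR= ${LOCALBASE}/libexec/cwrappers
 CWRAPPERS_CONFIG_DIR= ${WRKDIR}/.cwrapper/config
 CONFIGURE_ENV+= CWRAPPERS_CONFIG_DIR=${CWRAPPERS_CONFIG_DIR}
 MAKE_ENV+= CWRAPPERS_CONFIG_DIR=${CWRAPPERS_CONFIG_DIR}
@@ -78,26 +78,29 @@ generate-cwrappers:
 . endfor
 . for cmd in ${CWRAPPERS_APPEND.${wrappee}:U}
 	${RUN}echo append=${cmd:Q} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
 . endfor
 . for cmd in ${CWRAPPERS_PREPEND.${wrappee}:U}
 	${RUN}echo prepend=${cmd:Q} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
 . endfor
 . for cmd in ${_CWRAPPERS_UNWRAP}
 	${RUN}echo unwrap=${cmd:Q} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
 . endfor
 . for alias in ${CWRAPPERS_ALIASES.${wrappee}}
 	${RUN}ln -s ${CWRAPPERS_SRC_DIR}/${CWRAPPERS_CONFIG.${wrappee}}-wrapper ${WRAPPER_BINDIR}/${alias}
 . endfor
+. if ${_PKGSRC_MKPIE} == "yes"
+	${RUN}echo append_executable=${_MKPIE_LDFLAGS.gcc} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
+. endif
 .endfor
 
 PREPEND_PATH+= ${WRAPPER_BINDIR}
 
 _COOKIE.wrapper= ${WRKDIR}/.wrapper_done
 
 .PHONY: wrapper
 .if !target(wrapper)
 . if exists(${_COOKIE.wrapper})
 wrapper:
 	@${DO_NADA}
 . elif defined(_PKGSRC_BARRIER)
 wrapper: check-vulnerable patch acquire-wrapper-lock ${_COOKIE.wrapper} release-wrapper-lock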
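Review bot: The new `append_executable=` line at new lines 91–93 writes `${_MKPIE_LDFLAGS.gcc}` unquoted, whereas every neighbouring echo in this loop quotes its value with `:Q` and emits one config entry per word; if that variable ever holds more than a single `-pie` or contains shell metacharacters, the shell splits or interprets it before it reaches the config file. Making it consistent with the surrounding `append=`/`prepend=` lines is a three-line change inside the existing `.if`: `. for flag in ${_MKPIE_LDFLAGS.gcc}` / `${RUN}echo append_executable=${flag:Q} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}` / `. endfor`. The entry is also emitted for every `${wrappee}` iterated by the enclosing `.for`, which begins outside the hunk, and it hardcodes the gcc-specific variable name, so with another compiler, or on a platform where gcc.mk does not define `_MKPIE_LDFLAGS.gcc`, an empty `append_executable=` entry would presumably be written unless `_PKGSRC_MKPIE` is already forced to `no` there; a comment stating that assumption would help, e.g. `# PIE link flag for executables only; _MKPIE_LDFLAGS.gcc is set by mk/compiler/gcc.mk (NetBSD only)`.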

cvs diff -r1.182 -r1.183 pkgsrc/mk/compiler/gcc.mk (expand / switch to unified diff)

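--- a/pkgsrc/mk/compiler/gcc.mk
+++ b/pkgsrc/mk/compiler/gcc.mk
@@ -1,14 +1,14 @@
-# $NetBSD: gcc.mk,v 1.182 2017/08/04 08:53:33 jperkin Exp $
+# $NetBSD: gcc.mk,v 1.183 2017/08/25 01:43:17 khorben Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
 # User-settable variables:
 #
 # GCCBASE
 # If using a native GCC and the compiler is not in $PATH then
 # this should be set to the base installation directory.
 #
 # USE_NATIVE_GCC
 # When set to "yes", the native gcc is used, no matter which
 # compiler version a package requires.
 #
@@ -326,34 +326,34 @@ _LANGUAGES.gcc= # empty
 _LANGUAGES.gcc+= ${LANGUAGES.gcc:M${_lang_}}
 .endfor
 
 .if !empty(USE_LANGUAGES:Mc99)
 _WRAP_EXTRA_ARGS.CC+= -std=gnu99
 CWRAPPERS_APPEND.cc+= -std=gnu99
 .endif
 
 .if ${OPSYS} == "NetBSD"
 _MKPIE_CFLAGS.gcc= -fPIC
 # XXX for executables it should be:
 #_MKPIE_CFLAGS.gcc= -fPIE
 # XXX for libraries a sink wrapper around gcc is required and used instead
-#_MKPIE_LDFLAGS.gcc= -pie
+_MKPIE_LDFLAGS.gcc= -pie
 .endif
 
 .if ${_PKGSRC_MKPIE} == "yes"
 _GCC_CFLAGS+= ${_MKPIE_CFLAGS.gcc}
-_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc}
+#_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc}
 CWRAPPERS_APPEND.cc+= ${_MKPIE_CFLAGS.gcc}
-# XXX this differs for libraries and executables
+# this differs for libraries and executables (handled in mk/cwrappers.mk)
 # CWRAPPERS_APPEND.ld+= ${_MKPIE_LDFLAGS.gcc}
 .endif
 
 # The user can choose the level of FORTIFY.
 .if ${PKGSRC_USE_FORTIFY} == "weak"
 _FORTIFY_CFLAGS= -D_FORTIFY_SOURCE=1
 .else
 _FORTIFY_CFLAGS= -D_FORTIFY_SOURCE=2
 .endif
 
 .if ${_PKGSRC_USE_FORTIFY} == "yes"
 _GCC_CFLAGS+= ${_FORTIFY_CFLAGS}
 CWRAPPERS_APPEND.cc+= ${_FORTIFY_CFLAGS}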
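Review bot: With `_GCC_LDFLAGS+= ${_MKPIE_LDFLAGS.gcc}` commented out at new line 344 and `CWRAPPERS_APPEND.ld` still commented at 347, `_MKPIE_LDFLAGS.gcc` is now defined on NetBSD but consumed only by mk/cwrappers.mk, so a build with `PKGSRC_MKPIE=yes` and the legacy wrappers gets `-fPIC` objects but no `-pie` link and silently produces non-PIE executables. The rewritten comment at line 346 says "handled in mk/cwrappers.mk" but not that this is the only place it is handled; I would make the limitation explicit, e.g. `# -pie is applied to executables only, via cwrappers (mk/cwrappers.mk); the legacy wrappers do not add it, so PKGSRC_MKPIE has no link-time effect without cwrappers.` The commit message reports the no-cwrappers combinations as tested, which is consistent with the flag simply being dropped there rather than with PIE output being verified; if that combination is meant to be unsupported, a parse-time check of `${_PKGSRC_MKPIE}` against the cwrappers switch (USE_CWRAPPERS, if I recall the knob correctly) with a `.warning` would make it visible to users. Leaving `#_GCC_LDFLAGS+=` in place as commented-out code is also a style point: either delete it or keep a one-line comment explaining why it is off.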