diff options
| author | ru <ru@FreeBSD.org> | 2008-06-25 21:33:28 +0000 |
|---|---|---|
| committer | ru <ru@FreeBSD.org> | 2008-06-25 21:33:28 +0000 |
| commit | 8735fdbd4ceeb78442804b393d49f5e7f56c1967 (patch) | |
| tree | 3821989620f33150162837ccfad067791bb346ca /lib | |
| parent | 762f29e950fd1511beb76c95c5014bb779d4f5ed (diff) | |
| download | FreeBSD-src-8735fdbd4ceeb78442804b393d49f5e7f56c1967.zip FreeBSD-src-8735fdbd4ceeb78442804b393d49f5e7f56c1967.tar.gz | |
Enable GCC stack protection (aka Propolice) for userland:
- It is opt-out for now so as to give it maximum testing, but it may be
turned opt-in for stable branches depending on the consensus. You
can turn it off with WITHOUT_SSP.
- WITHOUT_SSP was previously used to disable the build of GNU libssp.
It is harmless to steal the knob as SSP symbols have been provided
by libc for a long time, GNU libssp should not have been much used.
- SSP is disabled in a few corners such as system bootstrap programs
(sys/boot), process bootstrap code (rtld, csu) and SSP symbols themselves.
- It should be safe to use -fstack-protector-all to build world, however
libc will be automatically downgraded to -fstack-protector because it
breaks rtld otherwise.
- This option is unavailable on ia64.
Enable GCC stack protection (aka Propolice) for kernel:
- It is opt-out for now so as to give it maximum testing.
- Do not compile your kernel with -fstack-protector-all, it won't work.
Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/csu/Makefile.inc | 3 | ||||
| -rw-r--r-- | lib/libc/Makefile | 6 | ||||
| -rw-r--r-- | lib/libstand/Makefile | 1 | ||||
| -rw-r--r-- | lib/libthr/Makefile | 2 |
4 files changed, 12 insertions, 0 deletions
diff --git a/lib/csu/Makefile.inc b/lib/csu/Makefile.inc new file mode 100644 index 0000000..09bde81 --- /dev/null +++ b/lib/csu/Makefile.inc @@ -0,0 +1,3 @@ +# $FreeBSD$ + +WITHOUT_SSP= diff --git a/lib/libc/Makefile b/lib/libc/Makefile index 2caf0a1..2d97fbe 100644 --- a/lib/libc/Makefile +++ b/lib/libc/Makefile @@ -122,3 +122,9 @@ libkern.${MACHINE_ARCH}:: ${KMSRCS} # Disable warnings in contributed sources. CWARNFLAGS:= ${.IMPSRC:Ngdtoa_*.c:C/^.+$/${CWARNFLAGS}/} +# XXX For now, we don't allow libc to be compiled with +# -fstack-protector-all because it breaks rtld. We may want to make a librtld +# in the future to circumvent this. +SSP_CFLAGS:= ${SSP_CFLAGS:S/^-fstack-protector-all$/-fstack-protector/} +# Disable stack protection for SSP symbols. +SSP_CFLAGS:= ${.IMPSRC:N*/stack_protector.c:C/^.+$/${SSP_CFLAGS}/} diff --git a/lib/libstand/Makefile b/lib/libstand/Makefile index c7daea1..18f4add 100644 --- a/lib/libstand/Makefile +++ b/lib/libstand/Makefile @@ -12,6 +12,7 @@ NO_PIC= INCS= stand.h MAN= libstand.3 +WITHOUT_SSP= CFLAGS+= -ffreestanding -Wformat CFLAGS+= -I${.CURDIR} diff --git a/lib/libthr/Makefile b/lib/libthr/Makefile index cc707a0..3a172bb 100644 --- a/lib/libthr/Makefile +++ b/lib/libthr/Makefile @@ -8,6 +8,8 @@ # (for system call stubs) to CFLAGS below. -DSYSLIBC_SCCS affects just the # system call stubs. +WITHOUT_SSP= + .include <bsd.own.mk> .if ${SHLIBDIR} == "/usr/lib" |
