author | ru <ru@FreeBSD.org> | 2008-06-25 21:33:28 +0000 |
---|---|---|
committer | ru <ru@FreeBSD.org> | 2008-06-25 21:33:28 +0000 |
commit | 8735fdbd4ceeb78442804b393d49f5e7f56c1967 (patch) | |
tree | 3821989620f33150162837ccfad067791bb346ca /sys/conf | |
parent | 762f29e950fd1511beb76c95c5014bb779d4f5ed (diff) | |
Enable GCC stack protection (aka Propolice) for userland:
- It is opt-out for now so as to give it maximum testing, but it may be
turned opt-in for stable branches depending on the consensus. You
can turn it off with WITHOUT_SSP.
- WITHOUT_SSP was previously used to disable the build of GNU libssp.
It is harmless to steal the knob as SSP symbols have been provided
by libc for a long time, GNU libssp should not have been much used.
- SSP is disabled in a few corners such as system bootstrap programs
(sys/boot), process bootstrap code (rtld, csu) and SSP symbols themselves.
- It should be safe to use -fstack-protector-all to build world, however
libc will be automatically downgraded to -fstack-protector because it
breaks rtld otherwise.
- This option is unavailable on ia64.
Enable GCC stack protection (aka Propolice) for kernel:
- It is opt-out for now so as to give it maximum testing.
- Do not compile your kernel with -fstack-protector-all, it won't work.
Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
Diffstat (limited to 'sys/conf')
-rw-r--r-- | sys/conf/files | 2 | ||||
-rw-r--r-- | sys/conf/kern.mk | 7 | ||||
-rw-r--r-- | sys/conf/kern.pre.mk | 5 |
3 files changed, 10 insertions, 4 deletions
diff --git a/sys/conf/files b/sys/conf/files index d558abd..9261e2e 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1608,6 +1608,8 @@ kern/posix4_mib.c standard kern/sched_4bsd.c optional sched_4bsd kern/sched_ule.c optional sched_ule kern/serdev_if.m standard +kern/stack_protector.c standard \ + compile-with "${NORMAL_C:N-fstack-protector*}" kern/subr_acl_posix1e.c standard kern/subr_autoconf.c standard kern/subr_blist.c standard diff --git a/sys/conf/kern.mk b/sys/conf/kern.mk index 9583f69..3741906 100644 --- a/sys/conf/kern.mk +++ b/sys/conf/kern.mk @@ -106,3 +106,10 @@ CFLAGS+= -ffreestanding .if ${CC} == "icc" CFLAGS+= -restrict .endif + +# +# GCC SSP support. +# +.if ${MK_SSP} != "no" && ${CC} != "icc" && ${MACHINE_ARCH} != "ia64" +CFLAGS+= -fstack-protector +.endif diff --git a/sys/conf/kern.pre.mk b/sys/conf/kern.pre.mk index edfcb08..770f3ca 100644 --- a/sys/conf/kern.pre.mk +++ b/sys/conf/kern.pre.mk @@ -3,10 +3,7 @@ # Part of a unified Makefile for building kernels. This part contains all # of the definitions that need to be before %BEFORE_DEPEND. -SRCCONF?= /etc/src.conf -.if exists(${SRCCONF}) -.include "${SRCCONF}" -.endif +.include <bsd.own.mk> # Can be overridden by makeoptions or /etc/make.conf KERNEL_KO?= kernel |
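Review bot: In the sys/conf/files hunk, the new kern/stack_protector.c entry is marked "standard", so it is compiled into every kernel, including configurations where the kern.mk condition does not add -fstack-protector at all (MK_SSP set to "no", CC equal to "icc", or MACHINE_ARCH equal to "ia64"). If that is intentional so the SSP symbols are always available, a short comment beside the entry would help. The same comment should say why the flag is stripped with `compile-with "${NORMAL_C:N-fstack-protector*}"`, since the only explanation is the commit message's remark that SSP is disabled for the SSP symbols themselves.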
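Review bot: In the sys/conf/kern.mk hunk, the test `.if ${MK_SSP} != "no" && ${CC} != "icc" && ${MACHINE_ARCH} != "ia64"` expands MK_SSP without a defined() guard, so every makefile that includes kern.mk must have pulled in the definition of MK_SSP first. The patch arranges that only for kern.pre.mk; please either check the other includers of kern.mk or write the condition as `defined(MK_SSP) && ${MK_SSP} != "no"`. Separately, the commit message says a kernel built with -fstack-protector-all will not work, yet nothing here filters that flag out of a user-supplied CFLAGS or stops the build when it is present. A check or a warning in this block would turn that note into something the build enforces.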
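Review bot: In the sys/conf/kern.pre.mk hunk, the removed lines honoured a user-overridable `SRCCONF?= /etc/src.conf` and included it only when `exists(${SRCCONF})`; the replacement `.include <bsd.own.mk>` is assumed to preserve both behaviours, but nothing visible in this patch shows that. Please confirm that bsd.own.mk still reads SRCCONF with the same default and the same exists() guard, and mention this switch in the commit message, which currently describes only the SSP enablement. Including bsd.own.mk also brings in more settings than src.conf alone, so the surviving comment "Can be overridden by makeoptions or /etc/make.conf" should be checked against the new include order.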