Date: Wed, 15 Oct 2014 08:10:29 +0200
From: Baptiste Daroussin <bapt@FreeBSD.org>
To: David Carlier <david.carlier@hardenedbsd.org>
Cc: freebsd-arch@freebsd.org
Subject: Re: PIE/PIC support on base
Message-ID: <20141015061029.GO48641@ivaldir.etoilebsd.net>
In-Reply-To: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com>
References: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com>

On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> Hi all,
>
> HardenedBSD plans to add PIE support on base in various places.
>
> These are B. Drewery suggestions :
>
> The _pic ones are not needed. The main lib file just needs
> INSTALL_PIC_ARCHIVE=yes.
>
> Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> something to pull in common logic from share/mk.
>
> Also I know that, at least for a start, it wished to be applied in some few
> places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> also casper/capsicum ... ntp ... jail
>

What would probably be interesting is to list binary by binary on which one
you do want to add the USE_PIE, and with rationale explaining why.

On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE.

I think cherry-picking what should be PIE is the right

regards,
Bapt
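
Added example, not part of the original message or of FreeBSD/HardenedBSD code: one way to produce the binary-by-binary list suggested above is to classify each ELF image by its header. The function names, the PT_INTERP heuristic and the sample images (constructed bytes, not real binaries) are assumptions of this sketch.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_PHDR = 1, 2, 3, 6

def classify_elf(data: bytes) -> str:
    """Classify a little-endian ELF64 image as non-PIE, PIE or shared-object."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return "not-ELF64-LE"
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type == ET_EXEC:
        return "non-PIE"        # fixed load address
    if e_type != ET_DYN:
        return "other"
    # Heuristic (assumption): ET_DYN with an interpreter segment is a PIE
    # executable; ET_DYN without one is treated as a shared library.
    # Static PIE binaries have no PT_INTERP and would need DF_1_PIE instead.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break               # truncated program header table
        if struct.unpack_from("<I", data, off)[0] == PT_INTERP:
            return "PIE"
    return "shared-object"

def make_sample(e_type: int, p_types: list) -> bytes:
    """Build a constructed ELF64 header plus program headers for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + bytes(8)   # 64-bit, LSB, FreeBSD ABI
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

def audit(images: dict) -> list:
    """Return sorted names of executables that are not built as PIE."""
    return sorted(n for n, d in images.items() if classify_elf(d) == "non-PIE")

# Constructed inputs mirroring the ssh(1)/sshd(8) remark above.
SAMPLES = {
    "ssh": make_sample(ET_EXEC, [PT_PHDR, PT_INTERP, PT_LOAD]),
    "sshd": make_sample(ET_DYN, [PT_PHDR, PT_INTERP, PT_LOAD]),
    "libexample.so": make_sample(ET_DYN, [PT_LOAD, PT_DYNAMIC]),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name}: {classify_elf(image)}")
```
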