Date: Thu, 16 Oct 2014 19:21:42 +0100
From: David Carlier <david.carlier@hardenedbsd.org>
To: Jeremie Le Hen <jlh@freebsd.org>, freebsd-arch@freebsd.org
Subject: Re: PIE/PIC support on base
Message-ID: <CAMe1fxaBEc5T77xjpRsMi_kkc5LXwPGooLWTO9C1FJcLSPnO8w@mail.gmail.com>
In-Reply-To: <CAGSa5y3s9r0DRyinfqV=PJc_BT=Em-SLfwhD25nP0=6ki9pHWw@mail.gmail.com>
References: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com> <CAGSa5y3s9r0DRyinfqV=PJc_BT=Em-SLfwhD25nP0=6ki9pHWw@mail.gmail.com>

I chose the "atomic" approach; at the moment very few binaries are concerned. So I applied INCLUDE_PIC_ARCHIVE in the needed libraries plus created WITH_PIE, which adds fPIE/fpie -pie flags only if you include <bsd.prog.pie.mk> (which includes <bsd.prog.mk>...); otherwise other binaries include <bsd.prog.mk> as usual, hence it does not apply.

Does this look like a reasonable approach?

On Thu, Oct 16, 2014 at 10:35 AM, Jeremie Le Hen <jlh@freebsd.org> wrote:

> Hi David,
>
> On Tue, Oct 14, 2014 at 12:02 AM, David Carlier
> <david.carlier@hardenedbsd.org> wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various places.
> >
> > These are B. Drewery's suggestions:
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it is wished to be applied in
> > a few places, like tcpdump/traceroute, sendmail ... shells ... I thought
> > about also casper/capsicum ... ntp ... jail
>
> Is it worth the time spent? I mean, what is the drawback of enabling
> PIE "world"-wide and providing a setting which can be used globally or
> per-lib/binary to override this? This is what I did back when SSP was
> introduced.
>
> Just to save one round trip in case someone answers that PIE binaries
> are slower: I think this claim needs a benchmark :).
>
> --
> Jeremie Le Hen
> jlh@FreeBSD.org