From: Baptiste Daroussin
Date: Wed, 15 Oct 2014 08:10:29 +0200
To: David Carlier
Cc: freebsd-arch@freebsd.org
Subject: Re: PIE/PIC support on base
Message-ID: <20141015061029.GO48641@ivaldir.etoilebsd.net>

On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> Hi all,
>
> HardenedBSD plans to add PIE support on base in various places.
>
> These are B. Drewery's suggestions:
>
> The _pic ones are not needed. The main lib file just needs
> INSTALL_PIC_ARCHIVE=yes.
>
> Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> something to pull in common logic from share/mk.
>
> Also I know that, at least for a start, it wished to be applied in some few
> places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> also casper/capsicum ... ntp ... jail
>

What would probably be interesting is to list binary by binary on which one
you do want to add the USE_PIE, and with rationale explaining why.

On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE.

I think cherry-picking what should be PIE is the right

regards,
Bapt