Date: Wed, 15 Oct 2014 08:17:36 -0600
From: Ian Lepore <ian@FreeBSD.org>
To: Baptiste Daroussin <bapt@FreeBSD.org>
Cc: David Carlier <david.carlier@hardenedbsd.org>, freebsd-arch@freebsd.org
Subject: Re: PIE/PIC support on base
Message-ID: <1413382656.12052.446.camel@revolution.hippie.lan>
In-Reply-To: <20141015061029.GO48641@ivaldir.etoilebsd.net>
References: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com> <20141015061029.GO48641@ivaldir.etoilebsd.net>

On Wed, 2014-10-15 at 08:10 +0200, Baptiste Daroussin wrote:
> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various places.
> >
> > These are B. Drewery's suggestions:
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it wished to be applied in some few
> > places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> > also casper/capsicum ... ntp ... jail
> >
> What would probably be interesting is to list binary by binary on which one you
> do want to add the USE_PIE, and with rationale explaining why.
>
> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE. I
> think cherry-picking what should be PIE is the right
>
> regards,
> Bapt

As long as there's some sort of global knob that says "I want to opt out
of this completely regardless of finer-grained controls to the contrary
in other makefiles."

-- Ian