From: Ian Lepore
To: Baptiste Daroussin
Cc: David Carlier, freebsd-arch@freebsd.org
Subject: Re: PIE/PIC support on base
Date: Wed, 15 Oct 2014 08:17:36 -0600
Message-ID: <1413382656.12052.446.camel@revolution.hippie.lan>
In-Reply-To: <20141015061029.GO48641@ivaldir.etoilebsd.net>
List-Id: Discussion related to FreeBSD architecture

On Wed, 2014-10-15 at 08:10 +0200, Baptiste Daroussin wrote:
> On Mon, Oct 13, 2014 at 11:02:27PM +0100, David Carlier wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various places.
> >
> > These are B. Drewery's suggestions:
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it wished to be applied in some few
> > places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> > also casper/capsicum ... ntp ... jail
> >
> What would probably be interesting is to list binary by binary on which one you
> do want to add the USE_PIE, and with rationale explaining why.
>
> On some OS you often can see ssh(1) not being PIE while sshd(8) has PIE. I
> think cherry-picking what should be PIE is the right
>
> regards,
> Bapt

As long as there's some sort of global knob that says "I want to opt out
of this completely regardless of finer-grained controls to the contrary
in other makefiles."

-- Ian