From: David Carlier
To: Jeremie Le Hen, freebsd-arch@freebsd.org
Date: Thu, 16 Oct 2014 19:21:42 +0100
Subject: Re: PIE/PIC support on base
List-Id: Discussion related to FreeBSD architecture (freebsd-arch@freebsd.org)

I chose the "atomic" approach; at the moment very few binaries are concerned. So I applied INCLUDE_PIC_ARCHIVE in the needed libraries, plus created WITH_PIE, which adds the -fPIE/-fpie and -pie flags only if you include (which includes ...); otherwise other binaries include as usual, hence it does not apply. Does this look like a reasonable approach?

On Thu, Oct 16, 2014 at 10:35 AM, Jeremie Le Hen wrote:
> Hi David,
>
> On Tue, Oct 14, 2014 at 12:02 AM, David Carlier wrote:
> > Hi all,
> >
> > HardenedBSD plans to add PIE support on base in various places.
> >
> > These are B. Drewery's suggestions:
> >
> > The _pic ones are not needed. The main lib file just needs
> > INSTALL_PIC_ARCHIVE=yes.
> >
> > Modifying CFLAGS in every Makefile is not right, just add a USE_PIE or
> > something to pull in common logic from share/mk.
> >
> > Also I know that, at least for a start, it is wished to be applied in some
> > few places, like tcpdump/traceroute, sendmail ... shells ... I thought about
> > also casper/capsicum ... ntp ... jail
>
> Is it worth the time spent? I mean, what is the drawback of enabling
> PIE "world"-wide and providing a setting which can be used globally or
> per-lib/binary to override this? This is what I did back when SSP was
> introduced.
>
> Just to save one round trip in case someone answers that PIE binaries
> are slower: I think this claim needs a benchmark :).
>
> --
> Jeremie Le Hen
> jlh@FreeBSD.org
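As an added example that is not part of this thread: the "atomic" approach leaves most of base non-PIE, so after a build it is worth checking which installed binaries actually came out PIE rather than trusting the Makefile flags. The script below reads the ELF header and program headers directly (ET_EXEC is a fixed-address executable; ET_DYN with a PT_INTERP entry is a PIE); `classify_elf` and `make_elf64` are names chosen here, and `make_elf64` builds constructed test images, not real FreeBSD binaries.

```python
import struct
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF spec
PT_INTERP = 3            # program header that names the dynamic loader

def classify_elf(data: bytes) -> str:
    """'non-pie' (ET_EXEC), 'pie' (ET_DYN + PT_INTERP), 'shared-object'
    (ET_DYN without PT_INTERP), 'other' or 'not-elf'. Caveat: a statically
    linked PIE also lacks PT_INTERP and is reported as a shared object."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return "not-elf"
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if len(data) < (64 if is64 else 52):
        return "not-elf"                 # truncated ELF header
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if e_type == ET_EXEC:
        return "non-pie"
    if e_type != ET_DYN:
        return "other"
    # Walk the program header table looking for PT_INTERP.
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break                        # truncated table: stop, don't crash
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "pie"
    return "shared-object"

def make_elf64(e_type: int, ptypes: list) -> bytes:
    """Constructed little-endian ELF64 header plus program headers: a test
    fixture for classify_elf, not a real FreeBSD binary."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x400000,
                              64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 8)
                     for t in ptypes)
    return hdr + phdrs

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. /usr/sbin/tcpdump /bin/sh
        with open(path, "rb") as f:
            print(f"{classify_elf(f.read()):13s} {path}")
```

Run it over the binaries named in the thread (tcpdump, traceroute, the shells) before and after enabling WITH_PIE to confirm that only the intended programs changed from non-pie to pie.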