From: Ed Maste
Date: Fri, 15 Feb 2019 22:22:38 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r344179 - in head: kerberos5/tools/asn1_compile kerberos5/tools/slc lib/clang libexec/rtld-elf share/mk stand/i386 tools/build/options usr.bin/clang usr.bin/svn

Author: emaste
Date: Fri Feb 15 22:22:38 2019
New Revision: 344179
URL: https://svnweb.freebsd.org/changeset/base/344179

Log:
  Add WITH_PIE knob to build Position Independent Executables

  Building binaries as PIE allows the executable itself to be loaded at a
  random address when ASLR is enabled (not just its shared libraries).

  With this change PIE objects have a .pieo extension and INTERNALLIB
  libraries libXXX_pie.a.

  MK_PIE is disabled for some kerberos5 tools, Clang, and Subversion, as
  they explicitly reference .a libraries in their Makefiles. These can
  be addressed on an individual basis later.
  MK_PIE is also disabled for rtld-elf because it is already
  position-independent using bespoke Makefile rules.

  Currently only dynamically linked binaries will be built as PIE.

  Discussed with: dim
  Reviewed by: kib
  MFC after: 1 month
  Relnotes: Yes
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D18423

Added:
  head/tools/build/options/WITHOUT_PIE (contents, props changed)
  head/tools/build/options/WITH_PIE (contents, props changed)
Modified:
  head/kerberos5/tools/asn1_compile/Makefile
  head/kerberos5/tools/slc/Makefile
  head/lib/clang/Makefile.inc
  head/libexec/rtld-elf/Makefile
  head/share/mk/bsd.lib.mk
  head/share/mk/bsd.opts.mk
  head/share/mk/bsd.prog.mk
  head/share/mk/src.libnames.mk
  head/stand/i386/Makefile.inc
  head/usr.bin/clang/Makefile.inc
  head/usr.bin/svn/Makefile.inc

Modified: head/kerberos5/tools/asn1_compile/Makefile ============================================================================== --- head/kerberos5/tools/asn1_compile/Makefile Fri Feb 15 21:50:45 2019 (r344178) +++ head/kerberos5/tools/asn1_compile/Makefile Fri Feb 15 22:22:38 2019 (r344179) @@ -6,6 +6,7 @@ LIBROKEN_A= ${.OBJDIR:H:H}/lib/libroken/libroken.a LIBADD= vers LDADD= ${LIBROKEN_A} DPADD= ${LIBROKEN_A} +MK_PIE:= no SRCS= \ asn1parse.y \ Modified: head/kerberos5/tools/slc/Makefile ============================================================================== --- head/kerberos5/tools/slc/Makefile Fri Feb 15 21:50:45 2019 (r344178) +++ head/kerberos5/tools/slc/Makefile Fri Feb 15 22:22:38 2019 (r344179) @@ -6,6 +6,7 @@ LIBADD= vers LDADD= ${LIBROKEN_A} DPADD= ${LIBROKEN_A} MAN= +MK_PIE:= no SRCS= roken.h \ slc-gram.y \ Modified: head/lib/clang/Makefile.inc ============================================================================== --- head/lib/clang/Makefile.inc Fri Feb 15 21:50:45 2019 (r344178) +++ head/lib/clang/Makefile.inc Fri Feb 15 22:22:38 2019 (r344179) 
@@ -2,6 +2,8 @@ .include +MK_PIE:= no # Explicit libXXX.a references + .if ${COMPILER_TYPE} == "clang" DEBUG_FILES_CFLAGS= -gline-tables-only .else Modified: head/libexec/rtld-elf/Makefile ============================================================================== --- head/libexec/rtld-elf/Makefile Fri Feb 15 21:50:45 2019 (r344178) +++ head/libexec/rtld-elf/Makefile Fri Feb 15 22:22:38 2019 (r344179) @@ -7,6 +7,7 @@ .include PACKAGE= clibs MK_BIND_NOW= no +MK_PIE= no # Always position independent using local rules MK_SSP= no CONFS= libmap.conf Modified: head/share/mk/bsd.lib.mk ============================================================================== --- head/share/mk/bsd.lib.mk Fri Feb 15 21:50:45 2019 (r344178) +++ head/share/mk/bsd.lib.mk Fri Feb 15 22:22:38 2019 (r344179) @@ -91,13 +91,16 @@ CTFFLAGS+= -g # prefer .s to a .c, add .po, remove stuff not used in the BSD libraries # .pico used for PIC object files # .nossppico used for NOSSP PIC object files -.SUFFIXES: .out .o .bc .ll .po .pico .nossppico .S .asm .s .c .cc .cpp .cxx .C .f .y .l .ln +# .pieo used for PIE object files +.SUFFIXES: .out .o .bc .ll .po .pico .nossppico .pieo .S .asm .s .c .cc .cpp .cxx .C .f .y .l .ln .if !defined(PICFLAG) .if ${MACHINE_CPUARCH} == "sparc64" PICFLAG=-fPIC +PIEFLAG=-fPIE .else PICFLAG=-fpic +PIEFLAG=-fpie .endif .endif @@ -115,6 +118,10 @@ PO_FLAG=-pg ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//} ${CFLAGS:C/^-fstack-protector.*$//} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} +.c.pieo: + ${CC} ${PIEFLAG} -DPIC ${SHARED_CFLAGS} ${CFLAGS} -c ${.IMPSRC} -o ${.TARGET} + ${CTFCONVERT_CMD} + .cc.po .C.po .cpp.po .cxx.po: ${CXX} ${PO_FLAG} ${STATIC_CXXFLAGS} ${PO_CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} 
@@ -124,6 +131,9 @@ PO_FLAG=-pg .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico: ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//} -c ${.IMPSRC} -o ${.TARGET} +.cc.pieo .C.pieo .cpp.pieo .cxx.pieo: + ${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} + .f.po: ${FC} -pg ${FFLAGS} -o ${.TARGET} -c ${.IMPSRC} ${CTFCONVERT_CMD} @@ -136,7 +146,7 @@ PO_FLAG=-pg ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC} ${CTFCONVERT_CMD} -.s.po .s.pico .s.nossppico: +.s.po .s.pico .s.nossppico .s.pieo: ${AS} ${AFLAGS} -o ${.TARGET} ${.IMPSRC} ${CTFCONVERT_CMD} @@ -155,6 +165,11 @@ PO_FLAG=-pg ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} +.asm.pieo: + ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PIEFLAG} -DPIC \ + ${CFLAGS} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} + ${CTFCONVERT_CMD} + .S.po: ${CC:N${CCACHE_BIN}} -DPROF ${PO_CFLAGS} ${ACFLAGS} -c ${.IMPSRC} \ -o ${.TARGET} @@ -170,6 +185,11 @@ PO_FLAG=-pg -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} +.S.pieo: + ${CC:N${CCACHE_BIN}} ${PIEFLAG} -DPIC ${CFLAGS} ${ACFLAGS} \ + -c ${.IMPSRC} -o ${.TARGET} + ${CTFCONVERT_CMD} + _LIBDIR:=${LIBDIR} _SHLIBDIR:=${SHLIBDIR} 
@@ -333,6 +353,20 @@ lib${LIB_PRIVATE}${LIB}_nossp_pic.a: ${NOSSPSOBJS} .endif .endif # !defined(INTERNALLIB) + +.if defined(INTERNALLIB) && ${MK_PIE} != "no" +PIEOBJS+= ${OBJS:.o=.pieo} +DEPENDOBJS+= ${PIEOBJS} +CLEANFILES+= ${PIEOBJS} + +_LIBS+= lib${LIB_PRIVATE}${LIB}_pie.a + +lib${LIB_PRIVATE}${LIB}_pie.a: ${PIEOBJS} + @${ECHO} building pie ${LIB} library + @rm -f ${.TARGET} + ${AR} ${ARFLAGS} ${.TARGET} ${PIEOBJS} ${ARADD} + ${RANLIB} ${RANLIBFLAGS} ${.TARGET} +.endif .if defined(_SKIP_BUILD) all: Modified: head/share/mk/bsd.opts.mk ============================================================================== --- head/share/mk/bsd.opts.mk Fri Feb 15 21:50:45 2019 (r344178) +++ head/share/mk/bsd.opts.mk Fri Feb 15 22:22:38 2019 (r344179) @@ -73,6 +73,7 @@ __DEFAULT_NO_OPTIONS = \ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \ + PIE \ RETPOLINE \ STALE_STAGED Modified: head/share/mk/bsd.prog.mk ============================================================================== --- head/share/mk/bsd.prog.mk Fri Feb 15 21:50:45 2019 (r344178) +++ head/share/mk/bsd.prog.mk Fri Feb 15 22:22:38 2019 (r344179) @@ -38,6 +38,12 @@ MK_DEBUG_FILES= no .if ${MK_BIND_NOW} != "no" LDFLAGS+= -Wl,-znow .endif +.if ${MK_PIE} != "no" && \ + !defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO" +CFLAGS+= -fPIE +CXXFLAGS+= -fPIE +LDFLAGS+= -pie +.endif .if ${MK_RETPOLINE} != "no" CFLAGS+= -mretpoline CXXFLAGS+= -mretpoline Modified: head/share/mk/src.libnames.mk ============================================================================== --- head/share/mk/src.libnames.mk Fri Feb 15 21:50:45 2019 (r344178) +++ head/share/mk/src.libnames.mk Fri Feb 15 22:22:38 2019 (r344179) @@ -368,6 +368,10 @@ LDADD_atf_cxx= -lprivateatf-c++ LIB${_l:tu}?= ${LIBDESTDIR}${LIBDIR_BASE}/libprivate${_l}.a .endfor +.if ${MK_PIE} != "no" +PIE_SUFFIX= _pie +.endif + .for _l in ${_LIBRARIES} .if ${_INTERNALLIBS:M${_l}} || !defined(SYSROOT) LDADD_${_l}_L+= -L${LIB${_l:tu}DIR} 
@@ -375,6 +379,8 @@ LDADD_${_l}_L+= -L${LIB${_l:tu}DIR} DPADD_${_l}?= ${LIB${_l:tu}} .if ${_PRIVATELIBS:M${_l}} LDADD_${_l}?= -lprivate${_l} +.elif ${_INTERNALLIBS:M${_l}} +LDADD_${_l}?= ${LDADD_${_l}_L} -l${_l:S/${PIE_SUFFIX}//}${PIE_SUFFIX} .else LDADD_${_l}?= ${LDADD_${_l}_L} -l${_l} .endif 
@@ -418,69 +424,69 @@ LDADD+= ${LDADD_${_l}} # INTERNALLIB definitions. LIBELFTCDIR= ${OBJTOP}/lib/libelftc -LIBELFTC?= ${LIBELFTCDIR}/libelftc.a +LIBELFTC?= ${LIBELFTCDIR}/libelftc${PIE_SUFFIX}.a LIBPEDIR= ${OBJTOP}/lib/libpe -LIBPE?= ${LIBPEDIR}/libpe.a +LIBPE?= ${LIBPEDIR}/libpe${PIE_SUFFIX}.a LIBOPENBSDDIR= ${OBJTOP}/lib/libopenbsd -LIBOPENBSD?= ${LIBOPENBSDDIR}/libopenbsd.a +LIBOPENBSD?= ${LIBOPENBSDDIR}/libopenbsd${PIE_SUFFIX}.a LIBSMDIR= ${OBJTOP}/lib/libsm -LIBSM?= ${LIBSMDIR}/libsm.a +LIBSM?= ${LIBSMDIR}/libsm${PIE_SUFFIX}.a LIBSMDBDIR= ${OBJTOP}/lib/libsmdb -LIBSMDB?= ${LIBSMDBDIR}/libsmdb.a +LIBSMDB?= ${LIBSMDBDIR}/libsmdb${PIE_SUFFIX}.a LIBSMUTILDIR= ${OBJTOP}/lib/libsmutil -LIBSMUTIL?= ${LIBSMUTILDIR}/libsmutil.a +LIBSMUTIL?= ${LIBSMUTILDIR}/libsmutil${PIE_SUFFIX}.a LIBNETBSDDIR?= ${OBJTOP}/lib/libnetbsd -LIBNETBSD?= ${LIBNETBSDDIR}/libnetbsd.a +LIBNETBSD?= ${LIBNETBSDDIR}/libnetbsd${PIE_SUFFIX}.a LIBVERSDIR?= ${OBJTOP}/kerberos5/lib/libvers -LIBVERS?= ${LIBVERSDIR}/libvers.a +LIBVERS?= ${LIBVERSDIR}/libvers${PIE_SUFFIX}.a LIBSLDIR= ${OBJTOP}/kerberos5/lib/libsl -LIBSL?= ${LIBSLDIR}/libsl.a +LIBSL?= ${LIBSLDIR}/libsl${PIE_SUFFIX}.a LIBIPFDIR= ${OBJTOP}/sbin/ipf/libipf -LIBIPF?= ${LIBIPFDIR}/libipf.a +LIBIPF?= ${LIBIPFDIR}/libipf${PIE_SUFFIX}.a LIBTELNETDIR= ${OBJTOP}/lib/libtelnet -LIBTELNET?= ${LIBTELNETDIR}/libtelnet.a +LIBTELNET?= ${LIBTELNETDIR}/libtelnet${PIE_SUFFIX}.a LIBCRONDIR= ${OBJTOP}/usr.sbin/cron/lib -LIBCRON?= ${LIBCRONDIR}/libcron.a +LIBCRON?= ${LIBCRONDIR}/libcron${PIE_SUFFIX}.a LIBNTPDIR= ${OBJTOP}/usr.sbin/ntp/libntp -LIBNTP?= ${LIBNTPDIR}/libntp.a +LIBNTP?= ${LIBNTPDIR}/libntp${PIE_SUFFIX}.a LIBNTPEVENTDIR= ${OBJTOP}/usr.sbin/ntp/libntpevent -LIBNTPEVENT?= ${LIBNTPEVENTDIR}/libntpevent.a +LIBNTPEVENT?= ${LIBNTPEVENTDIR}/libntpevent${PIE_SUFFIX}.a LIBOPTSDIR= ${OBJTOP}/usr.sbin/ntp/libopts -LIBOPTS?= ${LIBOPTSDIR}/libopts.a +LIBOPTS?= ${LIBOPTSDIR}/libopts${PIE_SUFFIX}.a LIBPARSEDIR= ${OBJTOP}/usr.sbin/ntp/libparse -LIBPARSE?= 
${LIBPARSEDIR}/libparse.a +LIBPARSE?= ${LIBPARSEDIR}/libparse${PIE_SUFFIX}.a LIBLPRDIR= ${OBJTOP}/usr.sbin/lpr/common_source -LIBLPR?= ${LIBLPRDIR}/liblpr.a +LIBLPR?= ${LIBLPRDIR}/liblpr${PIE_SUFFIX}.a LIBFIFOLOGDIR= ${OBJTOP}/usr.sbin/fifolog/lib -LIBFIFOLOG?= ${LIBFIFOLOGDIR}/libfifolog.a +LIBFIFOLOG?= ${LIBFIFOLOGDIR}/libfifolog${PIE_SUFFIX}.a LIBBSNMPTOOLSDIR= ${OBJTOP}/usr.sbin/bsnmpd/tools/libbsnmptools -LIBBSNMPTOOLS?= ${LIBBSNMPTOOLSDIR}/libbsnmptools.a +LIBBSNMPTOOLS?= ${LIBBSNMPTOOLSDIR}/libbsnmptools${PIE_SUFFIX}.a LIBAMUDIR= ${OBJTOP}/usr.sbin/amd/libamu -LIBAMU?= ${LIBAMUDIR}/libamu.a +LIBAMU?= ${LIBAMUDIR}/libamu${PIE_SUFFIX}.a -LIBBE?= ${LIBBEDIR}/libbe.a +LIBBE?= ${LIBBEDIR}/libbe${PIE_SUFFIX}.a LIBPMCSTATDIR= ${OBJTOP}/lib/libpmcstat -LIBPMCSTAT?= ${LIBPMCSTATDIR}/libpmcstat.a +LIBPMCSTAT?= ${LIBPMCSTATDIR}/libpmcstat${PIE_SUFFIX}.a LIBC_NOSSP_PICDIR= ${OBJTOP}/lib/libc LIBC_NOSSP_PIC?= ${LIBC_NOSSP_PICDIR}/libc_nossp_pic.a Modified: head/stand/i386/Makefile.inc ============================================================================== --- head/stand/i386/Makefile.inc Fri Feb 15 21:50:45 2019 (r344178) +++ head/stand/i386/Makefile.inc Fri Feb 15 22:22:38 2019 (r344179) @@ -7,6 +7,7 @@ LOADER_ADDRESS?=0x200000 LDFLAGS+= -nostdlib LDFLAGS.lld+= -Wl,--no-rosegment +MK_PIE:= no # BTX components BTXDIR= ${BOOTOBJ}/i386/btx Added: head/tools/build/options/WITHOUT_PIE ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITHOUT_PIE Fri Feb 15 22:22:38 2019 (r344179) @@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Do not build dynamically linked binaries as +Position-Independent Executable (PIE). Added: head/tools/build/options/WITH_PIE ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITH_PIE Fri Feb 15 22:22:38 2019 (r344179) 
@@ -0,0 +1,3 @@ +.\" $FreeBSD$ +Build dynamically linked binaries as +Position-Independent Executable (PIE). Modified: head/usr.bin/clang/Makefile.inc ============================================================================== --- head/usr.bin/clang/Makefile.inc Fri Feb 15 21:50:45 2019 (r344178) +++ head/usr.bin/clang/Makefile.inc Fri Feb 15 22:22:38 2019 (r344179) @@ -4,6 +4,8 @@ WARNS?= 0 .include +MK_PIE:= no # Explicit libXXX.a references + .if ${COMPILER_TYPE} == "clang" DEBUG_FILES_CFLAGS= -gline-tables-only .else Modified: head/usr.bin/svn/Makefile.inc ============================================================================== --- head/usr.bin/svn/Makefile.inc Fri Feb 15 21:50:45 2019 (r344178) +++ head/usr.bin/svn/Makefile.inc Fri Feb 15 22:22:38 2019 (r344179) @@ -2,6 +2,8 @@ .include +MK_PIE:= no # Explicit libXXX.a references + .if ${MK_SVN} == "yes" SVNLITE?= .else
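Review bot: the new condition in share/mk/bsd.prog.mk (hunk @@ -38,6 +38,12 @@) is missing parentheses around the NO_SHARED alternatives. In make conditionals `&&` binds tighter than `||`, so `${MK_PIE} != "no" && !defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO"` groups as `(${MK_PIE} != "no" && !defined(NO_SHARED)) || ...`, and a Makefile that sets NO_SHARED=no gets -fPIE and -pie even when MK_PIE is "no". Suggest `.if ${MK_PIE} != "no" && (!defined(NO_SHARED) || ${NO_SHARED} == "no" || ${NO_SHARED} == "NO")`. The same block hard-codes -fPIE while bsd.lib.mk picks -fpie or -fPIE per architecture through PIEFLAG; one shared definition would keep the two from drifting.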
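Review bot: PIEFLAG is assigned only inside the existing `.if !defined(PICFLAG)` block in share/mk/bsd.lib.mk (hunk @@ -91,13 +91,16 @@), so a build that presets PICFLAG leaves PIEFLAG empty and every new .pieo rule compiles without -fpie/-fPIE while still producing a lib${LIB}_pie.a. Suggest giving PIEFLAG its own `.if !defined(PIEFLAG)` guard next to the PICFLAG one so the two can be overridden independently.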
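Review bot: the C++ rule `.cc.pieo .C.pieo .cpp.pieo .cxx.pieo` in share/mk/bsd.lib.mk (hunk @@ -124,6 +131,9 @@) omits -DPIC, while the .c.pieo, .asm.pieo and .S.pieo rules added in the same file all pass it. If the omission is deliberate it needs a comment; otherwise add -DPIC after ${PIEFLAG} so C and C++ sources in one INTERNALLIB are preprocessed the same way.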
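Review bot: the substitution in `-l${_l:S/${PIE_SUFFIX}//}${PIE_SUFFIX}` (share/mk/src.libnames.mk, hunk @@ -375,6 +379,8 @@) is unanchored and undocumented. As written it removes the first occurrence of the suffix anywhere in the library name rather than only a trailing one, and when MK_PIE is "no" PIE_SUFFIX is never assigned (the `.if` in hunk @@ -368,6 +368,10 @@ has no `.else`), so the pattern is an empty expansion. Suggest anchoring it as `:S/${PIE_SUFFIX}$//`, assigning `PIE_SUFFIX=` explicitly for the MK_PIE == "no" case, and adding a one-line comment saying why the suffix is stripped before it is appended again.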
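Review bot: `MK_PIE:= no` in stand/i386/Makefile.inc (hunk @@ -7,6 +7,7 @@) has no comment and the commit log does not list stand/i386 among the places where PIE is disabled, so the reason is not recorded anywhere. The lib/clang, usr.bin/clang, usr.bin/svn and rtld-elf overrides each state theirs; add the same kind of trailing comment here and on the two kerberos5 tool Makefiles. The rtld-elf hunk also uses `MK_PIE= no` where every other override uses `:=`; pick one form for all of them.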