Date: Mon, 31 Aug 2015 13:34:06 -0500 From: Pedro Giffuni <pfg@FreeBSD.org> To: freebsd-ports@FreeBSD.org Cc: Oliver Pinter <oliver.pinter@hardenedbsd.org> Subject: [CFdiscussion] ports and FORTIFY_SOURCE Message-ID: <55E49E1E.2080005@FreeBSD.org>
next in thread | raw e-mail | index | archive | help
Dear ports developers; This year I mentored Oliver Pinter's GSoC project [1] to port FORTIFY_SOURCE to FreeBSD. The project was more complex than we thought initially but it was successful. For those of you that haven't heard of it, it's a trick supported by libc to enable bounds-checking on common string and memory functions. The code has gone through extensive testing with both clang and the base gcc. It should work fine with newer gcc but it is untested there. To activate it you will just need to add -D_FORTIFY_SOURCE=1 (or 2) in the CFLAGS and that will transparently add the extra checks. The code is non invasive but some ports (firefox, emacs) actually choose to run with this flag on by default and an exp-run found some errors in those cases. There are currently two remaining PRs with patches for mail/ifile (202572) and net-p2p/namecoin (2012603), getting those committed soon would avoid traumas in the ports tree once FORTIFY_SOURCE is committed. In the future it would be nice to support a flag within ports to enable or disable this extra flag for specific ports. I am unsure exactly how to do it, it could be something as simple as USE_FORTIFY= yes or as complex as USES= compiler:fortify=0 (0 disables it, 1 is standard for clang. 2 is standard for gcc) I plan to bring this code to FreeBSD-11 only. I am unsure exactly when the code will be brought in though. At this time, I am just giving more time for reviewers [2] but I thought I'd give some more space for feedback from the ports as well since they will see the greatest benefits from this framework. Regards, Pedro. [1] https://wiki.freebsd.org/SummerOfCode2015/FreeBSDLibcSecurityExtensions [2] https://reviews.freebsd.org/D3459
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55E49E1E.2080005>