Date:      Wed, 25 Apr 2012 14:30:33 -0500
From:      Bryan Drewery <bryan@shatow.net>
To:        freebsd-hackers@freebsd.org, jeremie@le-hen.org
Subject:   Re: compiling ports with SSP
Message-ID:  <4F9850D9.90300@shatow.net>
In-Reply-To: <20120315223454.GA30360@felucia.tataz.chchile.org>
References:  <4F4AFB53.8020503@shatow.net> <20120315223454.GA30360@felucia.tataz.chchile.org>

On 03/15/2012 05:34 PM, Jeremie Le Hen wrote:
> Hi Bryan
>
> On Sun, Feb 26, 2012 at 09:41:07PM -0600, Bryan Drewery wrote:
>>
>> Thanks for this patch [1]!
>>
>> I've been building my ports tree with -fstack-protector on FreeBSD 6, 7
>> and 8. Once I upgraded to 8, I started running into the issue [2] this
>> patch is fixing.
>>
>> I have a situation where non-ports applications are compiling
>> statically, which ran into this. Specifically, the application is
>> linking in security/openssl statically, which of course was compiled
>> with -fstack-protector. Adding the /usr/lib/libc.ld fixed it without
>> needing to hack at the failing non-port application.
>>
>> Would be nice if this, and PR 138228 were finally committed.
>>
>> Bryan Drewery
>>
>> [1] http://lists.freebsd.org/pipermail/freebsd-hackers/2011-June/035538.html
>> [2] http://gcc.gnu.org/ml/gcc-help/2006-05/msg00092.html
>
> Wow, the perspective provided by those two posts makes me dizzy.  This
> has been a very long standing project.  The base system is now compiled
> with SSP, but doing so for ports still requires some manual hacking
> unfortunately.  I've proposed a patch to compile ports with SSP a few
> years ago, but some ports with special building strategy suffered the
> problem described in [2].  Then I learned the possibilities of ld
> scripts and provided the patch in [1] last year.
>
> I think we have all the bits necessary to be able to compile ports with
> SSP painlessly.
>
> First the patch in [1] has to be committed in the base system.  I think
> this can be done in CURRENT without any problem, I run it myself on my
> own servers without problem.  Unfortunately it will probably never appear
> in RELENG_9 because it may be deemed too dangerous to make such a change
> in a stable branch.  It would be nice to hear what kib@ and kan@ think
> about this.
>
> Next, the patch to bsd.port.mk in this PR [3] has to be applied to be
> able to compile ports with SSP using a single knob.  (Other patches
> along this one can be thrown away, they were required hacks back when
> the libc ld script didn't exist.)  Then portmgr@ will naturally want to
> make a full port build with this knob turned on to check, but last time
> I was told they had very few resources and that this couldn't be
> scheduled in the next couple of weeks, IIRC.
>
> I admit the situation is partly my fault, because I did the fun
> technical work but I didn't keep up with the "lobbying" part :).
> I asked once or twice, without success, and then went to other subjects.
>
> I would be really glad if we could proceed with this.  FreeBSD-9.0 has
> just been released, this is probably a good time to step forward.
>
> [3] http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/138228
>
> Cheers,

Something to keep an eye on is that some ports may run `file
/usr/lib/libc.so` and find that it is an ASCII text file.

As I've mentioned, I've been running with SSP in my ports for at least a
year now, and with this ld script for several months.

The only issue I've run into is that the security/openssl port is looking at
/usr/lib/libc.so to see if it is ELF or not, and due to this is falling
back on a.out binary format and then generating incorrect ASM. I think
this is going to be a pretty rare and specific case though.

Regards,
Bryan Drewery
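
Added example, not part of the original message and not code from the security/openssl port: a build-time check that avoids the misdetection described above by reading the ELF magic bytes directly and, when the file turns out to be an ld script, following its GROUP/INPUT members to the object they name. The script contents, the member paths and the ROOT parameter are constructed assumptions for illustration.

```sh
#!/bin/sh
# is_elf_magic FILE: true if FILE starts with the ELF magic 7f 45 4c 46.
is_elf_magic() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# ld_script_members FILE: print the paths inside GROUP(...) or INPUT(...),
# after dropping /* ... */ comments and any AS_NEEDED( wrapper.
ld_script_members() {
    [ -f "$1" ] || return 0
    tr '\n' ' ' < "$1" | sed -E -n \
        -e 's#/\*[^*]*\*/##g' \
        -e 's/AS_NEEDED[[:space:]]*\(//g' \
        -e 's/.*(GROUP|INPUT)[[:space:]]*\(([^)]*)\).*/\2/p'
}

# classify_lib FILE [ROOT]: print "elf", "ld-script->elf" or "unknown".
# ROOT (hypothetical parameter) is prefixed to absolute member paths so the
# check can be run against a staged tree instead of the live system.
classify_lib() {
    lib=$1 root=${2:-}
    if is_elf_magic "$lib"; then echo elf; return 0; fi
    for m in $(ld_script_members "$lib"); do
        case $m in
            /*) m=$root$m ;;
            *)  m=$(dirname "$lib")/$m ;;
        esac
        if is_elf_magic "$m"; then echo "ld-script->elf"; return 0; fi
    done
    echo unknown; return 1
}

# make_samples DIR: build a constructed staged tree (not real system files).
make_samples() {
    mkdir -p "$1/lib" "$1/usr/lib"
    printf '\177ELF\002\001\001\011' > "$1/lib/libc.so.7"   # ELF header stub
    printf '!<arch>\n' > "$1/usr/lib/libssp_nonshared.a"     # ar archive stub
    # Assumed ld script shape; the member names are illustrative.
    printf '/* constructed */\nGROUP ( /lib/libc.so.7 /usr/lib/libssp_nonshared.a )\n' \
        > "$1/usr/lib/libc.so"
}

d=$(mktemp -d) && make_samples "$d"
echo "libc.so: $(classify_lib "$d/usr/lib/libc.so" "$d")"
rm -rf "$d"
```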




