author | Matthias Andree <mandree@FreeBSD.org> | 2025-09-16 11:30:55 +0200 |
committer | Matthias Andree <mandree@FreeBSD.org> | 2025-09-16 11:51:44 +0200 |
commit | 421cd1ecf286ff832c18d9c77e220fdad6f8bfb7 (patch) | |
tree | 676fa0cc92288434bdc83da4a526adf48f346dde | |
parent | x11/gnome-shell: update to 47.10 (diff) |
dns/dnsmasq: harden build
MFH: 2025Q3
-rw-r--r-- | dns/dnsmasq/Makefile | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile
index 027ec8c2b4a2..2c34b08f2547 100644
--- a/dns/dnsmasq/Makefile
+++ b/dns/dnsmasq/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= dnsmasq
 DISTVERSION= 2.91
 # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps:
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 1
 CATEGORIES= dns
 MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/ \
@@ -13,7 +13,7 @@ WWW= https://www.thekelleys.org.uk/dnsmasq/doc.html
 LICENSE= GPLv2
-USES= cpe shebangfix tar:xz
+USES= compiler cpe shebangfix tar:xz
 CPE_VENDOR= thekelleys
 SHEBANG_FILES= contrib/dnslist/dnslist.pl \
@@ -25,8 +25,27 @@ MAKE_ARGS= CC="${CC}" \
 LIBS="${LDFLAGS}" \
 PREFIX="${PREFIX}" \
 RPM_OPT_FLAGS="${CPPFLAGS}"
-CFLAGS+= -Wall -Wno-unused-function -Wno-unused-parameter \
- -Wno-unused-value -Wno-unused-variable
+CFLAGS+= -Wall
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+# Note there are ${ARCH}-dependent options below after .include <bsd.port.pre.mk>
+CFLAGS+= -O2 -Wall -Wformat -Wformat=2 \
+ -Werror=format-security \
+ -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
+ -fstrict-flex-arrays=3 \
+ -fstack-clash-protection -fstack-protector-strong \
+ -fno-delete-null-pointer-checks -fno-strict-overflow \
+ -fno-strict-aliasing -ftrivial-auto-var-init=zero
+LDFLAGS+= -Wl,-z,nodlopen -Wl,-z,noexecstack \
+ -Wl,-z,relro -Wl,-z,now \
+ -Wl,--as-needed -Wl,--no-copy-dt-needed-entries
+CFLAGS+= -fPIE
+LDFLAGS+= -pie
+# error on obsolete C constructs
+CFLAGS+= -Werror=implicit -Werror=incompatible-pointer-types \
+ -Werror=int-conversion
+# tune down harmless warnings due to coding style
+CFLAGS+= -Wno-unused-function -Wno-unused-parameter \
+ -Wno-unused-value -Wno-unused-variable -Wno-format-nonliteral
 CPPFLAGS+= -I${LOCALBASE}/include
 CONFLICTS_INSTALL= dnsmasq-devel
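Review bot: `-Wall` is added twice in the third hunk, once on the standalone `CFLAGS+= -Wall` line and again at the head of `CFLAGS+= -O2 -Wall -Wformat -Wformat=2 \`; one of the two should go so the intent reads cleanly. The `-O2` on that same line re-imposes an optimisation level after whatever CFLAGS the framework or make.conf supplied, which is unusual in a port; if it is there because `_FORTIFY_SOURCE` only takes effect at -O1 or higher, a one-line comment such as `# -O2: _FORTIFY_SOURCE needs optimisation to be effective` would keep the next maintainer from removing it. Several of the new options (`-fstrict-flex-arrays=3`, `-ftrivial-auto-var-init=zero`, `-D_FORTIFY_SOURCE=3`) depend on a fairly recent clang/gcc and libc, and the hunk adds `compiler` to USES without recording the minimum versions the flags were verified against, so a short comment stating that baseline would help. The newly added `-Wno-format-nonliteral` also deserves a why-comment, presumably that `-Wformat=2` enables the warning and dnsmasq's coding style trips it.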
@@ -97,6 +116,17 @@ USE_RC_SUBR= dnsmasq
 .include <bsd.port.pre.mk>
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+.if ${ARCH} == "amd64"
+CFLAGS+= -fcf-protection=full
+.endif
+.if ${ARCH} == "aarch64"
+CFLAGS+= -mbranch-protection=standard
+.endif
+.if ${CHOSEN_COMPILER_TYPE} == "gcc"
+CFLAGS+= -Wtrampolines
+.endif
+
 LDFLAGS+= -L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB}
 post-patch: |
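Review bot: `-fcf-protection=full` is gated on `${ARCH} == "amd64"` alone; the option is also accepted for i386, so if the narrower condition is deliberate a comment explaining why would help, otherwise the `.if` should cover both x86 ARCHes. The unconditional `-fstack-clash-protection` and `-ftrivial-auto-var-init=zero` added in the earlier hunk are not restricted per ARCH here, so on tier-2 targets where the compiler does not implement them the build may warn or fail; a comment listing the ARCHes this was test-built on would make that risk visible. The three `.if` blocks could also carry a one-line comment each naming the CPU feature (CET, PAC/BTI) they enable, since the URL alone does not say which flag maps to what. The Makefile continues past the end of this hunk.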