Diffstat (limited to 'Mk')
-rw-r--r-- | Mk/Features/bind_now.mk | 5 | ||||
-rw-r--r-- | Mk/Features/fortify.mk | 18 | ||||
-rw-r--r-- | Mk/Features/pie.mk | 9 | ||||
-rw-r--r-- | Mk/Features/relro.mk | 5 | ||||
-rw-r--r-- | Mk/Features/ssp.mk | 8 | ||||
-rw-r--r-- | Mk/Features/stack_autoinit.mk | 23 | ||||
-rw-r--r-- | Mk/Features/zeroregs.mk | 28 | ||||
-rw-r--r-- | Mk/Uses/kde.mk | 3 | ||||
-rw-r--r-- | Mk/Uses/linux.mk | 6 | ||||
-rw-r--r-- | Mk/Uses/python.mk | 2 | ||||
-rw-r--r-- | Mk/bsd.default-versions.mk | 6 | ||||
-rw-r--r-- | Mk/bsd.port.mk | 3 |
12 files changed, 106 insertions, 10 deletions
diff --git a/Mk/Features/bind_now.mk b/Mk/Features/bind_now.mk
index 99361c487265..5f4b6abf3718 100644
--- a/Mk/Features/bind_now.mk
+++ b/Mk/Features/bind_now.mk
@@ -1,4 +1,9 @@
 # BIND_NOW Support
+#
+# When generating an executable or shared library, mark it to tell the dynamic
+# linker to resolve all symbols when the program is started, or when the shared
+# library is loaded by dlopen, instead of deferring function call resolution to
+# the point when the function is first called.
 
 .if !defined(_BIND_NOW_MK_INCLUDED)
 _BIND_NOW_MK_INCLUDED= yes
diff --git a/Mk/Features/fortify.mk b/Mk/Features/fortify.mk
new file mode 100644
index 000000000000..2e43ca98242f
--- /dev/null
+++ b/Mk/Features/fortify.mk
@@ -0,0 +1,18 @@
+# This enables mitigations of common memory safety issues, such as buffer
+# overflows, by adding checks to functions like memcpy, strcpy, sprintf,
+# and others when the compiler can determine the size of the destination
+# buffer at compile time.
+#
+# Depends opon the FORTIFY_SOURCE implementation in the basesystem.
+
+.if !defined(_FORTIFY_MK_INCLUDED)
+_FORTIFY_MK_INCLUDED= yes
+FORTIFY_Include_MAINTAINER= netchild@FreeBSD.org
+
+. if !defined(FORTIFY_UNSAFE)
+FORTIFY_SOURCE?=2
+FORTIFY_CFLAGS?= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+CFLAGS+= ${FORTIFY_CFLAGS}
+CXXFLAGS+= ${FORTIFY_CFLAGS}
+. endif
+.endif
diff --git a/Mk/Features/pie.mk b/Mk/Features/pie.mk
index 06174b403c31..7ecefa9eb611 100644
--- a/Mk/Features/pie.mk
+++ b/Mk/Features/pie.mk
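Review bot: The new header comment explains the mechanism of immediate binding but never says why it is a hardening feature, which is what a reader of Mk/Features wants to know. Suggest appending `# Security-wise this matters because once every symbol is bound at load time the GOT no longer needs to stay writable and can be covered by RELRO (see relro.mk); with lazy binding the GOT entries remain a writable overwrite target.` Whether relro.mk already passes -z now next to -z relro is not visible in this hunk, so the cross-reference should be checked against that file before committing.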
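Review bot: `# Depends opon` on the sixth added line is a typo for `upon`. Two caveats belong in the header: _FORTIFY_SOURCE only does anything when the compiler optimizes (at -O0 it is a no-op and Clang/GCC emit a "requires compiling with optimization" warning), and a port that already defines _FORTIFY_SOURCE in its own flags will get a macro-redefinition warning that turns into an error under -Werror, which `FORTIFY_CFLAGS?= -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}` avoids. `FORTIFY_SOURCE?=2` is also never validated; since the base libc presumably implements only a fixed set of levels, a `.error` guard rejecting other values would catch misconfiguration at parse time rather than as a silent no-op — confirm the supported levels against the base implementation.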
@@ -1,4 +1,13 @@
 # PIE Support
+#
+# Produce a Position-Independent Executable (PIE) instead of a “normal”
+# fixed‐address ELF.
+# A PIE is an executable whose code sections are compiled and linked so that,
+# at runtime, they can be loaded at any base address in memory.
+#
+# Because it can be loaded at unpredictable addresses, PIE enables full Address
+# Space Layout Randomization (ASLR) for your main executable—making certain
+# classes of memory‐corruption exploits much harder.
 
 .if !defined(_PIE_MK_INCLUDED)
 _PIE_MK_INCLUDED= yes
diff --git a/Mk/Features/relro.mk b/Mk/Features/relro.mk
index 6ceb68d5d668..8074ce09edd7 100644
--- a/Mk/Features/relro.mk
+++ b/Mk/Features/relro.mk
@@ -1,4 +1,9 @@
 # RELRO Support
+#
+# Tells the linker to emit RELocation Read-Only (RELRO) protection for certain
+# sections of your ELF file. In short, it makes parts of the binary read-only
+# after relocations have been applied at program startup, helping to prevent
+# GOT- and PLT-based overwrite attacks.
 
 .if !defined(_RELRO_MK_INCLUDED)
 _RELRO_MK_INCLUDED= yes
diff --git a/Mk/Features/ssp.mk b/Mk/Features/ssp.mk
index 4213e6d668a6..631104da9f6c 100644
--- a/Mk/Features/ssp.mk
+++ b/Mk/Features/ssp.mk
@@ -1,4 +1,12 @@
 # SSP Support
+#
+# The -fstack-protector-strong flag enables “stack smashing” protection on a
+# wider set of functions than the default -fstack-protector, but without the
+# full performance cost of -fstack-protector-all. Under the hood it inserts a
+# small “canary” value on the stack just before the saved return address; at
+# function exit it checks that the canary hasn’t been overwritten by a buffer
+# overflow. If it has been clobbered, the runtime aborts the program rather
+# than returning into corrupted code.
 
 .if !defined(_SSP_MK_INCLUDED)
 _SSP_MK_INCLUDED= yes
diff --git a/Mk/Features/stack_autoinit.mk b/Mk/Features/stack_autoinit.mk
new file mode 100644
index 000000000000..4d79416dbcce
--- /dev/null
+++ b/Mk/Features/stack_autoinit.mk
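Review bot: The claim that PIE "enables full ASLR" is only true when the kernel actually randomizes the PIE base; on FreeBSD that is a runtime knob (the kern.elf64.aslr.pie_enable / kern.elf32.aslr.pie_enable sysctls, presumably on by default in current releases but switchable off by the administrator), so the comment overstates what the build flag guarantees. A one-line caveat fixes it: `# Note: the load address is only randomized when kernel ASLR for PIE is enabled (kern.elf*.aslr.pie_enable).` The added lines also use typographic quotes, U+2010 hyphens and an em dash; plain ASCII would keep the file grep-able and in line with the rest of Mk/, which as far as I can see is ASCII-only.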
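Review bot: The new comment promises protection against GOT overwrites, but `-z relro` on its own (partial RELRO) only makes .dynamic, .init_array and the non-lazy part of the GOT read-only; the .got.plt entries used for lazy binding stay writable and are only covered ("full RELRO") when the linker also receives `-z now`. The flags relro.mk passes are outside this hunk, so the header should state the dependency explicitly: `# Note: the GOT is only fully protected together with BIND_NOW (-z now); with lazy binding the PLT GOT stays writable (partial RELRO).`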
@@ -0,0 +1,23 @@
+# The STACK_AUTOINIT feature mimics the corresponding FreeBSD basesystem feature.
+#
+# This enables a compiler specific option to automatically initialize
+# local (automatic) variables to prevent the use of uninitialized memory.
+#
+# Variables that can be used:
+#
+# WITH_STACK_AUTOINIT Enable for all ports.
+# WITH_STACK_AUTOINIT_PORTS Enable for specified category/port-name
+# STACK_AUTOINIT_TYPE Valid options: zero (default), pattern, unitialized
+#
+
+.if !defined(_STACK_AUTOINIT_MK_INCLUDED)
+_STACK_AUTOINIT_MK_INCLUDED= yes
+STACK_AUTOINIT_Include_MAINTAINER= netchild@FreeBSD.org
+
+STACK_AUTOINIT_TYPE?= zero
+
+. if !defined(STATIC_AUTOINIT_UNSAFE)
+CFLAGS+= -ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+CXXFLAGS+= -ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+. endif
+.endif
diff --git a/Mk/Features/zeroregs.mk b/Mk/Features/zeroregs.mk
new file mode 100644
index 000000000000..2e21b16c5c66
--- /dev/null
+++ b/Mk/Features/zeroregs.mk
@@ -0,0 +1,28 @@
+# Zero call-used registers at function return to increase program
+# security by either mitigating Return-Oriented Programming (ROP)
+# attacks or preventing information leakage through registers.
+# This depends upon support from the compiler for a given architecture.
+#
+# Variables that can be used:
+#
+# WITH_ZEROREGS Enable for all ports.
+# WITH_ZEROREGS_PORTS Enable for specified category/port-name
+# ZEROREGS_TYPE See
+# https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-zero_005fcall_005fused_005fregs-function-attribute
+# for options
+# Default: used
+#
+
+.if !defined(_ZEROREGS_MK_INCLUDED)
+_ZEROREGS_MK_INCLUDED= yes
+ZEROREGS_Include_MAINTAINER= netchild@FreeBSD.org
+
+ZEROREGS_TYPE?= used
+
+#. if !defined(ZEROREGS_UNSAFE) && !empty(${ARCH:Mriscv*}) && \
+# !empty(${ARCH:Mpower*}) && !empty(${ARCH:Marmv7*})
+CFLAGS+= -fzero-call-used-regs=${ZEROREGS_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREGS_TYPE}
+#. endif
+.endif
+
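Review bot: The opt-out guard on line 19 tests `STATIC_AUTOINIT_UNSAFE`, while every other name in this file and the FORTIFY_UNSAFE / ZEROREGS_UNSAFE convention of the sibling features use the STACK_AUTOINIT prefix, so a port setting `STACK_AUTOINIT_UNSAFE= yes` still gets the flag; it should read `. if !defined(STACK_AUTOINIT_UNSAFE)`. The documented option `unitialized` on line 10 is a typo as well: Clang and GCC accept `-ftrivial-auto-var-init=uninitialized` and reject the misspelling, so a user who follows the comment gets a build failure, and the comment should add that `uninitialized` switches the mitigation off and is meant for debugging only. The header could also state which compiler versions understand the flag, since a port built with an older GCC via USE_GCC would presumably fail on it — I cannot tell from this hunk whether such ports are excluded elsewhere.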
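Review bot: The `. if` guard on lines 22-23 and its `. endif` on line 26 are commented out, so `-fzero-call-used-regs` is appended to CFLAGS and CXXFLAGS unconditionally: `ZEROREGS_UNSAFE` (which python.mk sets in this same commit) has no effect, and the architecture exclusions the condition was meant to enforce are not applied. The commented condition is also wrong as written: `!empty(${ARCH:Mriscv*})` expands the variable inside `empty()`, whereas bmake expects a variable name there (this tree's own idiom is `empty(ARCH:Naarch64...)` in bsd.default-versions.mk), and chaining three `!empty` tests with `&&` can never hold because ARCH cannot match all three patterns — exclusions need `empty(...)`. Presumably the guard was disabled while testing; it should be restored in the corrected form below, and the stray trailing blank line 28 dropped.
```make
# … unchanged: header comment, include guard, maintainer, ZEROREGS_TYPE default …
. if !defined(ZEROREGS_UNSAFE) && empty(ARCH:Mriscv*) && \
    empty(ARCH:Mpower*) && empty(ARCH:Marmv7*)
CFLAGS+=	-fzero-call-used-regs=${ZEROREGS_TYPE}
CXXFLAGS+=	-fzero-call-used-regs=${ZEROREGS_TYPE}
. endif
.endif
```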
diff --git a/Mk/Uses/kde.mk b/Mk/Uses/kde.mk
index cdeb7ff7ed77..ba70acfacf22 100644
--- a/Mk/Uses/kde.mk
+++ b/Mk/Uses/kde.mk
@@ -99,7 +99,7 @@ KDE_FRAMEWORKS5_VERSION?= 5.116.0
 KDE_FRAMEWORKS5_BRANCH?= stable
 
 # Current KDE Frameworks (Qt6 based).
-KDE_FRAMEWORKS6_VERSION?= 6.13.0
+KDE_FRAMEWORKS6_VERSION?= 6.14.0
 KDE_FRAMEWORKS6_BRANCH?= stable
 
 # Current KDE applications. Update _${PORTNAME}_PROJECT_VERSION for the following ports:
@@ -223,6 +223,7 @@ MASTER_SITES?= KDE/${KDE_FRAMEWORKS_BRANCH}/frameworks/${KDE_FRAMEWORKS_VERSION
 . endif
 DIST_SUBDIR?= KDE/frameworks/${KDE_FRAMEWORKS_VERSION}
 . if ${_KDE_VERSION:M6}
+DIST_SUBDIR= KDE/frameworks/${KDE_FRAMEWORKS_VERSION:R}
 DESCR= ${.CURDIR:H:H}/x11/kf6-frameworks/pkg-descr
 . endif
 . else
diff --git a/Mk/Uses/linux.mk b/Mk/Uses/linux.mk
index bf62f887899a..dae71fc94289 100644
--- a/Mk/Uses/linux.mk
+++ b/Mk/Uses/linux.mk
@@ -189,11 +189,7 @@ _linux_rl9_qtxmlpatterns= linux-rl9-qt5-qtxmlpatterns>0:textproc/linux-rl9-qt5-
 _linux_${linux_ARGS}_sdl12= linux-${linux_ARGS}-sdl>0:devel/linux-${linux_ARGS}-sdl12
 _linux_${linux_ARGS}_sdl12-extralibs= linux-${linux_ARGS}-sdl12-extralibs>0:misc/linux-${linux_ARGS}-sdl12-extralibs
 _linux_${linux_ARGS}_sdl20= linux-${linux_ARGS}-sdl20>0:devel/linux-${linux_ARGS}-sdl20
-_linux_${linux_ARGS}_sdl2gfx= linux-${linux_ARGS}-sdl2_gfx>0:graphics/linux-${linux_ARGS}-sdl2_gfx
-_linux_${linux_ARGS}_sdl2image= linux-${linux_ARGS}-sdl2_image>0:graphics/linux-${linux_ARGS}-sdl2_image
-_linux_${linux_ARGS}_sdl2mixer= linux-${linux_ARGS}-sdl2_mixer>0:audio/linux-${linux_ARGS}-sdl2_mixer
-_linux_${linux_ARGS}_sdl2ttf= linux-${linux_ARGS}-sdl2_ttf>0:graphics/linux-${linux_ARGS}-sdl2_ttf
-_linux_${linux_ARGS}_sdl2sound= linux-${linux_ARGS}-sdl2_sound>0:audio/linux-${linux_ARGS}-sdl2_sound
+_linux_${linux_ARGS}_sdl20-extralibs= linux-${linux_ARGS}-sdl20-extralibs>0:misc/linux-${linux_ARGS}-sdl20-extralibs
 _linux_rl9_shaderc= linux-rl9-shaderc>0:graphics/linux-rl9-shaderc
 _linux_rl9_spirv-tools= linux-rl9-spirv-tools>0:graphics/linux-rl9-spirv-tools
 _linux_${linux_ARGS}_sqlite3= linux-${linux_ARGS}-sqlite>0:databases/linux-${linux_ARGS}-sqlite3
diff --git a/Mk/Uses/python.mk b/Mk/Uses/python.mk
index a26f984e3c11..aba9c48df38c 100644
--- a/Mk/Uses/python.mk
+++ b/Mk/Uses/python.mk
@@ -319,6 +319,8 @@
 .if !defined(_INCLUDE_USES_PYTHON_MK)
 _INCLUDE_USES_PYTHON_MK= yes
 
+ZEROREGS_UNSAFE= yes
+
 # What Python version and what Python interpreters are currently supported?
 # When adding a version, please keep the comment in
 # Mk/bsd.default-versions.mk in sync.
diff --git a/Mk/bsd.default-versions.mk b/Mk/bsd.default-versions.mk
index 50d8a4ef789c..8fa74cfc77dd 100644
--- a/Mk/bsd.default-versions.mk
+++ b/Mk/bsd.default-versions.mk
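Review bot: `ZEROREGS_UNSAFE= yes` switches the zeroregs feature off for every port that uses python, but nothing records why, so nobody can later tell whether the opt-out is still needed; a comment naming the actual failure is required, e.g. `# -fzero-call-used-regs breaks <what> in Python extension modules; opt out of the ZEROREGS feature for all python ports.` with the real reason filled in. Note that the setting is currently a no-op, because the `. if !defined(ZEROREGS_UNSAFE)` guard in zeroregs.mk is commented out in this same commit, so the opt-out should be re-verified once that guard is restored.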
@@ -64,7 +64,7 @@ GHOSTSCRIPT_DEFAULT?= 10
 # Possible values: mesa-libs, mesa-devel
 GL_DEFAULT?= mesa-libs
 # Possible values: 1.20, 1.21, 1.22, 1.23, 1.24, 1.25-devel
-GO_DEFAULT?= 1.21
+GO_DEFAULT?= 1.24
 # Possible values: 1.8, 2.2, 3.0
 GUILE_DEFAULT?= 2.2
 # Possible versions: 6, 7
@@ -75,11 +75,11 @@ GUILE_DEFAULT?= 2.2
 IMAGEMAGICK_DEFAULT?= 7
 # Possible values: 8, 11, 17, 18, 19, 20, 21, 22, 23, 24
 JAVA_DEFAULT?= 8
-# Possible values: 3.8.0, 4.99
+# Possible values: 4.0, 4.99
 . if (defined(WANT_LAZARUS_DEVEL) && !empty(WANT_LAZARUS_DEVEL)) || ${ARCH:Maarch64}
 LAZARUS_DEFAULT?= 4.99
 . else
-LAZARUS_DEFAULT?= 3.8.0
+LAZARUS_DEFAULT?= 4.0
 . endif
 # Possible values: rust, legacy
 . if empty(ARCH:Naarch64:Namd64:Narmv7:Ni386:Npowerpc64:Npowerpc64le:Npowerpc:Nriscv64)
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index 4596b773b6d3..1df8af1fd63b 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -1000,7 +1000,8 @@ LC_ALL= C
 # These need to be absolute since we don't know how deep in the ports
 # tree we are and thus can't go relative. They can, of course, be overridden
 # by individual Makefiles or local system make configuration.
-_LIST_OF_WITH_FEATURES= bind_now debug debuginfo lto pie relro sanitize ssp testing
+_LIST_OF_WITH_FEATURES= bind_now debug debuginfo fortify lto pie relro \
+ sanitize ssp stack_autoinit testing zeroregs
 _DEFAULT_WITH_FEATURES= ssp
 PORTSDIR?= /usr/ports
 LOCALBASE?= /usr/local