HBSD: Introducing SafeStack

Compile world with SafeStack from clang/llvm. Right now, only applications are compiled with SafeStack, not libraries. clang 3.9.0 does not support compiling shared libraries with SafeStack, though a patch has been proposed that would enable support. Note that with clang's current implementation of SafeStack, ASLR and W^X are prerequisites. SafeStack currently requires ASLR and W^X in order to be effective.
2026-06-09 08:43:19 -04:00 · 2016-11-26 14:48:42 -05:00 · 2016-11-26 14:48:42 -05:00 · 2588e256bd
commit 2588e256bd
parent 511f9c9af6
9 changed files with 33 additions and 3 deletions
--- a/Makefile.libcompat
+++ b/Makefile.libcompat
@ -106,6 +106,7 @@ LIBCOMPATWMAKEFLAGS+= CC="${XCC} ${LIBCOMPATCFLAGS}" \
 		-DNO_CPU_CFLAGS \
 		MK_CTF=no \
 		-DNO_LINT \
+		MK_SAFESTACK=no \
 		MK_TESTS=no
 LIBCOMPATWMAKE+=	${LIBCOMPATWMAKEENV} ${MAKE} ${LIBCOMPATWMAKEFLAGS} \
 			MK_MAN=no MK_HTML=no
--- a/share/mk/bsd.crunchgen.mk
+++ b/share/mk/bsd.crunchgen.mk
@ -110,6 +110,7 @@ CRUNCHGEN?= crunchgen
 CRUNCHENV+= MK_TESTS=no \
 	    UPDATE_DEPENDFILE=no \
 	    _RECURSING_CRUNCH=1
+CRUNCHENV+= MK_SAFESTACK=no
 .ORDER: ${OUTPUTS} objs
 ${OUTPUTS:[1]}: .META
 ${OUTPUTS:[2..-1]}: .NOMETA
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@ -72,9 +72,20 @@ NOPIE=yes
 CFLAGS+= -fPIC -fPIE
 CXXFLAGS+= -fPIC -fPIE
 LDFLAGS+= -pie
-.endif
-.endif
-.endif
+
+# Only toggle SafeStack for PIE binaries. SafeStack requires ASLR in
+# order to be effective.
+.if !defined(NOSAFESTACK)
+.if ${MK_SAFESTACK} != "no"
+CFLAGS+=	-fsanitize=safe-stack
+CXXFLAGS+=	-fsanitize=safe-stack
+LDFLAGS+=	-fsanitize=safe-stack
+.endif # ${MK_SAFESTACK} != "no"
+.endif # !defined(NOSAFESTACK)
+
+.endif # ${MK_PIE} != no
+.endif # !defined(NOPIE)
+.endif # defined(MK_PIE)

 .if defined(MK_RELRO)
 .if ${MK_RELRO} != "no"
--- a/share/mk/bsd.test.mk
+++ b/share/mk/bsd.test.mk
@ -10,6 +10,9 @@

 __<bsd.test.mk>__:

+# HBSDTODO: Research why compiling the tests fail with SafeStack.
+NOSAFESTACK=	yes
+
 # Third-party software (kyua, etc) prefix.
 LOCALBASE?=	/usr/local

--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@ -194,6 +194,7 @@ __DEFAULT_NO_OPTIONS = \
    OPENLDAP \
    REPRODUCIBLE_BUILD \
    RPCBIND_WARMSTART_SUPPORT \
+    SAFESTACK \
    SHARED_TOOLCHAIN \
    SORT_THREADS \
    SVN \
@ -287,6 +288,12 @@ __DEFAULT_YES_OPTIONS+=PIE
 __DEFAULT_NO_OPTIONS+=PIE
 .endif

+.if ${__T} == "amd64"
+__DEFAULT_YES_OPTIONS+=SAFESTACK
+.else
+__DEFAULT_NO_OPTIONS+=SAFESTACK
+.endif
+
 .include <bsd.mkopt.mk>

 #
--- a/sys/boot/Makefile.inc
+++ b/sys/boot/Makefile.inc
@ -22,3 +22,5 @@ CFLAGS.clang+=  -mfpu=none
 # when this test succeeds rather than require dd to be a bootstrap tool.
 DD_NOSTATUS!=(dd status=none count=0 2> /dev/null && echo status=none) || true
 DD=dd ${DD_NOSTATUS}
+
+NOSAFESTACK=	yes
--- a/tools/build/options/WITHOUT_SAFESTACK
+++ b/tools/build/options/WITHOUT_SAFESTACK
@ -0,0 +1 @@
+Set to compile world without SafeStack.
--- a/tools/build/options/WITH_SAFESTACK
+++ b/tools/build/options/WITH_SAFESTACK
@ -0,0 +1 @@
+Set to compile with SafeStack.
--- a/usr.sbin/sendmail/Makefile
+++ b/usr.sbin/sendmail/Makefile
@ -68,6 +68,9 @@ DPADD+=${SENDMAIL_DPADD}
 LDADD+=${SENDMAIL_LDADD}
 LDFLAGS+=${SENDMAIL_LDFLAGS}

+# HBSDTODO: Research why sendmail compilation fails with SafeStack.
+MK_SAFESTACK=	no
+
 sm_os.h: ${SENDMAIL_DIR}/include/sm/os/sm_os_freebsd.h .NOMETA
 	ln -sf ${.ALLSRC} ${.TARGET}