diff --git a/Makefile.libcompat b/Makefile.libcompat index 0764c41a19b..a258bd1ba9d 100644 --- a/Makefile.libcompat +++ b/Makefile.libcompat @@ -106,6 +106,7 @@ LIBCOMPATWMAKEFLAGS+= CC="${XCC} ${LIBCOMPATCFLAGS}" \ -DNO_CPU_CFLAGS \ MK_CTF=no \ -DNO_LINT \ + MK_SAFESTACK=no \ MK_TESTS=no LIBCOMPATWMAKE+= ${LIBCOMPATWMAKEENV} ${MAKE} ${LIBCOMPATWMAKEFLAGS} \ MK_MAN=no MK_HTML=no diff --git a/share/mk/bsd.crunchgen.mk b/share/mk/bsd.crunchgen.mk index 11c07bc317d..d69210b4cb8 100644 --- a/share/mk/bsd.crunchgen.mk +++ b/share/mk/bsd.crunchgen.mk @@ -110,6 +110,7 @@ CRUNCHGEN?= crunchgen CRUNCHENV+= MK_TESTS=no \ UPDATE_DEPENDFILE=no \ _RECURSING_CRUNCH=1 +CRUNCHENV+= MK_SAFESTACK=no .ORDER: ${OUTPUTS} objs ${OUTPUTS:[1]}: .META ${OUTPUTS:[2..-1]}: .NOMETA diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk index b5b63ae99f2..1aee1ccd89e 100644 --- a/share/mk/bsd.prog.mk +++ b/share/mk/bsd.prog.mk @@ -72,9 +72,20 @@ NOPIE=yes CFLAGS+= -fPIC -fPIE CXXFLAGS+= -fPIC -fPIE LDFLAGS+= -pie -.endif -.endif -.endif + +# Only toggle SafeStack for PIE binaries. SafeStack requires ASLR in +# order to be effective. +.if !defined(NOSAFESTACK) +.if ${MK_SAFESTACK} != "no" +CFLAGS+= -fsanitize=safe-stack +CXXFLAGS+= -fsanitize=safe-stack +LDFLAGS+= -fsanitize=safe-stack +.endif # ${MK_SAFESTACK} != "no" +.endif # !defined(NOSAFESTACK) + +.endif # ${MK_PIE} != no +.endif # !defined(NOPIE) +.endif # defined(MK_PIE) .if defined(MK_RELRO) .if ${MK_RELRO} != "no" diff --git a/share/mk/bsd.test.mk b/share/mk/bsd.test.mk index 0bef160312b..7f350da9fff 100644 --- a/share/mk/bsd.test.mk +++ b/share/mk/bsd.test.mk @@ -10,6 +10,9 @@ ____: +# HBSDTODO: Research why compiling the tests fail with SafeStack. +NOSAFESTACK= yes + # Third-party software (kyua, etc) prefix. LOCALBASE?= /usr/local diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 8bb2a927be9..5af9fc48c1a 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk 
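Review bot: `MK_SAFESTACK=no` is added to `LIBCOMPATWMAKEFLAGS` with no comment saying why the compat libraries are built without SafeStack. The same applies to `CRUNCHENV+= MK_SAFESTACK=no` in share/mk/bsd.crunchgen.mk and `NOSAFESTACK= yes` in sys/boot/Makefile.inc. Each one switches off a hardening option for a whole class of binaries, so a later reader needs to know whether it is a toolchain limitation or a temporary workaround. I would add a one-line rationale beside each, for example `# SafeStack is off for crunched binaries: <reason>` above the CRUNCHENV line, with the reason filled in by the author. The `LIBCOMPATWMAKEFLAGS+=` assignment starts above this hunk, so its comment has to go before the continuation list, not inside it.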
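Review bot: `.if ${MK_SAFESTACK} != "no"` in share/mk/bsd.prog.mk expands the option without checking that it is defined, unlike the enclosing `defined(MK_PIE)` block and the `.if defined(MK_RELRO)` block that follows. It is safe only while every consumer that defines MK_PIE also defines MK_SAFESTACK, because bmake rejects a comparison on an undefined variable as a malformed conditional. Folding the two new tests into `.if !defined(NOSAFESTACK) && defined(MK_SAFESTACK) && ${MK_SAFESTACK} != "no"` removes that dependency and one nesting level. The flag is also appended for any compiler, so if this file can be used with a non-clang toolchain it probably needs a compiler check as well. The PIE block opens above the hunk.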
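Review bot: `NOSAFESTACK= yes` in share/mk/bsd.test.mk is set unconditionally for every test program, and the HBSDTODO above it does not record what fails (compile or link stage, which tests, what diagnostic). Without that, nobody can tell when the exemption can be removed, and until then every test program is built without SafeStack. I would extend the comment to something like `# HBSDTODO: tests fail to <compile|link> with -fsanitize=safe-stack (<diagnostic>); remove once fixed.` The TODO in the usr.sbin/sendmail/Makefile hunk has the same gap.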
@@ -194,6 +194,7 @@ __DEFAULT_NO_OPTIONS = \ OPENLDAP \ REPRODUCIBLE_BUILD \ RPCBIND_WARMSTART_SUPPORT \ + SAFESTACK \ SHARED_TOOLCHAIN \ SORT_THREADS \ SVN \ @@ -287,6 +288,12 @@ __DEFAULT_YES_OPTIONS+=PIE __DEFAULT_NO_OPTIONS+=PIE .endif +.if ${__T} == "amd64" +__DEFAULT_YES_OPTIONS+=SAFESTACK +.else +__DEFAULT_NO_OPTIONS+=SAFESTACK +.endif + .include # diff --git a/sys/boot/Makefile.inc b/sys/boot/Makefile.inc index 1f1ccc29232..68517adf697 100644 --- a/sys/boot/Makefile.inc +++ b/sys/boot/Makefile.inc @@ -22,3 +22,5 @@ CFLAGS.clang+= -mfpu=none # when this test succeeds rather than require dd to be a bootstrap tool. DD_NOSTATUS!=(dd status=none count=0 2> /dev/null && echo status=none) || true DD=dd ${DD_NOSTATUS} + +NOSAFESTACK= yes diff --git a/tools/build/options/WITHOUT_SAFESTACK b/tools/build/options/WITHOUT_SAFESTACK new file mode 100644 index 00000000000..2375210748d --- /dev/null +++ b/tools/build/options/WITHOUT_SAFESTACK @@ -0,0 +1 @@ +Set to compile world without SafeStack. diff --git a/tools/build/options/WITH_SAFESTACK b/tools/build/options/WITH_SAFESTACK new file mode 100644 index 00000000000..bf239e2fb2a --- /dev/null +++ b/tools/build/options/WITH_SAFESTACK @@ -0,0 +1 @@ +Set to compile with SafeStack. diff --git a/usr.sbin/sendmail/Makefile b/usr.sbin/sendmail/Makefile index 37129f6c6d6..ad106f61e53 100644 --- a/usr.sbin/sendmail/Makefile +++ b/usr.sbin/sendmail/Makefile @@ -68,6 +68,9 @@ DPADD+=${SENDMAIL_DPADD} LDADD+=${SENDMAIL_LDADD} LDFLAGS+=${SENDMAIL_LDFLAGS} +# HBSDTODO: Research why sendmail compilation fails with SafeStack. +MK_SAFESTACK= no + sm_os.h: ${SENDMAIL_DIR}/include/sm/os/sm_os_freebsd.h .NOMETA ln -sf ${.ALLSRC} ${.TARGET}
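Review bot: SAFESTACK ends up listed twice in share/mk/src.opts.mk. The first hunk adds it to the static `__DEFAULT_NO_OPTIONS` list, and the second hunk adds it again to `__DEFAULT_YES_OPTIONS` on amd64 or `__DEFAULT_NO_OPTIONS` elsewhere. On amd64 the option is therefore in both the YES and the NO list, and the effective default depends on how the option-processing include resolves the conflict, which is not visible here. A hardening default should not hinge on list-processing order. The arch conditional already covers every case, so I would drop the `SAFESTACK \` line from the first hunk and keep only the `.if ${__T} == "amd64"` block.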
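Review bot: `MK_SAFESTACK= no` in usr.sbin/sendmail/Makefile overrides the build option variable directly, while the other per-directory exemptions in this commit (share/mk/bsd.test.mk, sys/boot/Makefile.inc) use `NOSAFESTACK= yes`. That is the knob bsd.prog.mk tests with `!defined(NOSAFESTACK)`. Whether a direct MK_ assignment survives depends on where the options file is included relative to this line, which is outside the hunk; `NOSAFESTACK= yes` avoids the question and keeps the opt-outs greppable under one name. sendmail is a network-facing daemon, so this is the exemption most worth resolving, and it is the one that most needs the failing diagnostic recorded in its TODO.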