From 9327f3f3051e95c3f5b6ee708958eceea65cd7ea Mon Sep 17 00:00:00 2001 From: Shawn Webb Date: Wed, 27 Jul 2016 00:51:27 -0400 Subject: [PATCH] HBSD: Introduce PIE support for OPNsense. This is a direct port of HardenedBSD's hardened/10-stable/master's Position-Independent Executable (PIE) support. This code is only applicable to base and does not get applied to ports. The only change made was to enable PIE for amd64 and i386 by default. All other architectures have it disabled (due to lack of hardware with which to test). Signed-off-by: Shawn Webb --- lib/csu/i386-elf/Makefile | 1 + lib/libc/Makefile | 1 + lib/libc/tests/tls/Makefile | 1 + libexec/rtld-elf/Makefile | 2 ++ share/mk/bsd.lib.mk | 10 ++++++++++ share/mk/bsd.own.mk | 8 +++++++- share/mk/bsd.prog.mk | 14 ++++++++++++++ sys/boot/i386/Makefile.inc | 1 + 8 files changed, 37 insertions(+), 1 deletion(-) diff --git a/lib/csu/i386-elf/Makefile b/lib/csu/i386-elf/Makefile index f26db153631..f670c9ebf4e 100644 --- a/lib/csu/i386-elf/Makefile +++ b/lib/csu/i386-elf/Makefile @@ -48,4 +48,5 @@ Scrt1.o: Scrt1_c.o crt1_s.o ${LD} ${LDFLAGS} -o Scrt1.o -r crt1_s.o Scrt1_c.o ${OBJCOPY} --localize-symbol _start1 Scrt1.o +NOPIE= yes .include diff --git a/lib/libc/Makefile b/lib/libc/Makefile index 5a2995ec82b..fd5a8647e88 100644 --- a/lib/libc/Makefile +++ b/lib/libc/Makefile @@ -164,6 +164,7 @@ CFLAGS+=-DSYSCALL_COMPAT SUBDIR+= tests .endif +NOPIE= yes .include # Disable warnings in contributed sources. diff --git a/lib/libc/tests/tls/Makefile b/lib/libc/tests/tls/Makefile index e2248959ab1..79d713e1dee 100644 --- a/lib/libc/tests/tls/Makefile +++ b/lib/libc/tests/tls/Makefile @@ -32,4 +32,5 @@ DPADD.tls_dlopen_test+= ${LIBPTHREAD} LDADD.tls_dlopen_test+= -lpthread LDFLAGS.tls_dlopen_test+= -Wl,-rpath,${TESTSDIR} -Wl,-export-dynamic +NOPIE= yes .include diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile index a6ab013c378..34d0bf4b90c 100644 --- a/libexec/rtld-elf/Makefile +++ b/libexec/rtld-elf/Makefile @@ -84,5 +84,7 @@ beforeinstall: .PATH: ${.CURDIR}/${RTLD_ARCH} +NOPIE= yes + .include .include diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk index 8f426f46456..37e8b0d8d97 100644 --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -71,6 +71,16 @@ PICFLAG=-fpic .endif .endif +.if defined(MK_PIE) +.if !defined(NO_PIC) +.if !defined(NOPIE) +.if ${MK_PIE} != "no" +CFLAGS+= ${PICFLAG} +.endif +.endif +.endif +.endif + PO_FLAG=-pg .c.o: diff --git a/share/mk/bsd.own.mk b/share/mk/bsd.own.mk index 23ffa246556..415df033b8c 100644 --- a/share/mk/bsd.own.mk +++ b/share/mk/bsd.own.mk @@ -371,6 +371,7 @@ __DEFAULT_YES_OPTIONS = \ SENDMAIL \ SETUID_LOGIN \ SHAREDOCS \ + SHARED_TOOLCHAIN \ SOURCELESS \ SOURCELESS_HOST \ SOURCELESS_UCODE \ @@ -406,7 +407,6 @@ __DEFAULT_NO_OPTIONS = \ NAND \ OFED \ PKGTOOLS \ - SHARED_TOOLCHAIN \ SVN \ TESTS \ USB_GADGET_EXAMPLES @@ -474,6 +474,12 @@ __DEFAULT_YES_OPTIONS+=HYPERV .else __DEFAULT_NO_OPTIONS+=HYPERV .endif +# PIE is only available for amd64 and i386. +.if ${__T} == "amd64" || ${__T} == "i386" +__DEFAULT_YES_OPTIONS+=PIE +.else +__DEFAULT_NO_OPTIONS+=PIE +.endif .undef __T # diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk index bc8bffd4764..0ec78921b68 100644 --- a/share/mk/bsd.prog.mk +++ b/share/mk/bsd.prog.mk @@ -54,6 +54,20 @@ LDFLAGS+= -static LDFLAGS+= -L${_SHLIBDIRPREFIX}${LIBPRIVATEDIR} -rpath ${LIBPRIVATEDIR} .endif +.if defined(MK_PIE) +.if ${LDFLAGS:M-static} +NOPIE=yes +.endif + +.if !defined(NOPIE) +.if ${MK_PIE} != "no" +CFLAGS+= -fPIE +CXXFLAGS+= -fPIE +LDFLAGS+= -pie +.endif +.endif +.endif + .if ${MK_DEBUG_FILES} != "no" PROG_FULL=${PROG}.full # Use ${DEBUGDIR} for base system debug files, else .debug subdirectory diff --git a/sys/boot/i386/Makefile.inc b/sys/boot/i386/Makefile.inc index 0378683f0ff..91e1705adf0 100644 --- a/sys/boot/i386/Makefile.inc +++ b/sys/boot/i386/Makefile.inc @@ -28,4 +28,5 @@ BTXLDR= ${BTXDIR}/btxldr/btxldr BTXKERN= ${BTXDIR}/btx/btx BTXCRT= ${BTXDIR}/lib/crt0.o +NOPIE= yes .include "../Makefile.inc"