# HG changeset patch # User Enrico Perla # Date 1478262770 25200 # Node ID 934578b959f006243d01b0c2f158ea4092e3a0a5 # Parent 0d8fd6bb915fc23237c16795d6b26e86a8718a63 20029192 Userland should build with ld -z sx=nx* flags instead of map.noexstk 23118364 Enable ADIHEAP on security sensitive binaries 23118359 Build openssh as PIE diff -r 0d8fd6bb915f -r 934578b959f0 components/apache24/Makefile --- a/components/apache24/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/apache24/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -48,6 +48,10 @@ # to build modules. LDFLAGS += $(CC_BITS) +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + PATCH_LEVEL=0 # We will build two separate mod_ssl versions. diff -r 0d8fd6bb915f -r 934578b959f0 components/bind/Makefile --- a/components/bind/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/bind/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -97,6 +97,10 @@ # Uncomment to display summary of tests at completion. # COMPONENT_POST_TEST_ACTION = $(NAWK) $(summarize) $(COMPONENT_TEST_OUTPUT) +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + .PHONY: test-named-version test-summary test-clean # summarize is a nawk script: # consumes the output generated by ISC's make target and provides an diff -r 0d8fd6bb915f -r 934578b959f0 components/bzip2/Makefile --- a/components/bzip2/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/bzip2/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -45,6 +45,10 @@ # we need to enable large file support and build PIC for our shared libraries CFLAGS += $(CPP_LARGEFILES) $(CC_PIC) +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + COMPONENT_BUILD_ENV += CC="$(CC)" COMPONENT_BUILD_ARGS += CC="$(CC)" COMPONENT_BUILD_ARGS += CFLAGS="$(CFLAGS)" diff -r 0d8fd6bb915f -r 934578b959f0 components/cmake/Makefile --- a/components/cmake/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/cmake/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -64,6 +64,11 @@ # when testing on sparc LD_MAP_NOEXBSS.sparc= +# map.noexbss has the side effect of making the heap non executable. +# Reflect the setting above explicitly disabling NXHEAP. +NXHEAP_MODE = $(NXHEAP_DISABLE) + + # We need these in the environment, although they are already passed # as CONFIGURE_OPTIONS; otherwise the correct compilers are not used CONFIGURE_ENV += MAKE="$(GMAKE)" diff -r 0d8fd6bb915f -r 934578b959f0 components/curl/Makefile --- a/components/curl/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/curl/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -44,6 +44,10 @@ CPPFLAGS += `pkg-config --cflags libidn` CPPFLAGS += "-I/usr/include/openldap" +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + CONFIGURE_OPTIONS += --localstatedir=$(VARDIR) --enable-shared --disable-static CONFIGURE_OPTIONS += --enable-http --enable-ftp CONFIGURE_OPTIONS += --enable-file --enable-dict diff -r 0d8fd6bb915f -r 934578b959f0 components/cvs/Makefile --- a/components/cvs/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/cvs/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -41,6 +41,10 @@ CFLAGS += -D__ATTRIBUTE_DISABLED CONFIGURE_OPTIONS += --with-external-zlib +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # need gnu grep COMPONENT_TEST_ENV += PATH=$(GNUBIN):$(PATH) # "check" is not working yet. It's asking for a password. diff -r 0d8fd6bb915f -r 934578b959f0 components/emacs/Makefile --- a/components/emacs/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/emacs/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -66,7 +66,6 @@ # LD_OPTIONS is defined to apply desirable link-editor options to Userland # components. Non-executable stack and data break sparc emacs. # -LD_MAP_NOEXSTK.sparc= LD_MAP_NOEXDATA.sparc= # Uncomment this for debugging only. It configures emacs to run from the @@ -112,17 +111,12 @@ # emacs is not network facing, or run with elevated privileges, this is # not a security concern. # -# As with ASLR, ADIHEAP should be explicitly disabled for emacs, as the -# dumped emacs cannot work with ADI. Recognizing that ASLR_MODE could really -# be SX_MODE, and generalized to handle all the sxadm extensions, redefine -# it here to handle both cases. It is expected that in due course, the -# Userland framework will evolve in this direction. -# -ifeq ($(OS_VERSION), 5.11) +# Similarly, emacs cannot cope with a non-executable stack and with a protected +# and non-executable heap. ASLR_MODE = $(ASLR_DISABLE) -else -ASLR_MODE = -z sx=aslr=disable,adiheap=disable -endif +NXHEAP_MODE = $(NXHEAP_DISABLE) +NXSTACK_MODE = $(NXSTACK_DISABLE) +ADIHEAP_MODE = $(ADIHEAP_DISABLE) # variant specific configure options $(BUILD_DIR)/%-nox/.configured: CONFIGURE_OPTIONS += --without-all --without-x diff -r 0d8fd6bb915f -r 934578b959f0 components/fetchmail/Makefile --- a/components/fetchmail/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/fetchmail/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -35,6 +35,10 @@ TPNO= 29615 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + include $(WS_MAKE_RULES)/common.mk CONFIGURE_OPTIONS += PYTHON="$(PYTHON.2.7.32)" diff -r 0d8fd6bb915f -r 934578b959f0 components/gcc4/Makefile --- a/components/gcc4/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/gcc4/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -71,6 +71,15 @@ # /usr/lib/ld/map.noexbss destroys SPARC LD_MAP_NOEXBSS.sparc= +# Mapfiles map.noexdata and map.noexbss mark the data + bss and bss +# segments non executable on x86 and SPARC respectively. The protection +# extends to the heap segment, if the heap is brk based, as is the case +# with gcc. Since the introduction of NXHEAP, this is controlled +# separately by the NXHEAP extension itself. Whether the heap should be +# executable or not should be reevaluated. For now, try to avoid +# "destruction" as hinted above. +NXHEAP_MODE = $(NXHEAP_DISABLE) + # for some reason the fixincludes target fails with bash on Solaris. CONFIG_SHELL = /bin/sh MAKESHELL = /bin/sh diff -r 0d8fd6bb915f -r 934578b959f0 components/gcc5/Makefile --- a/components/gcc5/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/gcc5/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -68,6 +68,15 @@ # /usr/lib/ld/map.noexbss destroys SPARC LD_MAP_NOEXBSS.sparc= +# Mapfiles map.noexdata and map.noexbss mark the data + bss and bss +# segments non executable on x86 and SPARC respectively. The protection +# extends to the heap segment, if the heap is brk based, as is the case +# with gcc. Since the introduction of NXHEAP, this is controlled +# separately by the NXHEAP extension itself. Whether the heap should be +# executable or not should be reevaluated. For now, try to avoid +# "destruction" as hinted above. +NXHEAP_MODE = $(NXHEAP_DISABLE) + # for some reason the fixincludes target fails with bash on Solaris. CONFIG_SHELL = /bin/sh MAKESHELL = /bin/sh diff -r 0d8fd6bb915f -r 934578b959f0 components/gzip/Makefile --- a/components/gzip/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/gzip/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -32,6 +32,10 @@ TPNO= 28039 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + INSTALL_TARGET= SYSTEM_TEST_TARGET= configure $(SYSTEM_TEST_64) include $(WS_MAKE_RULES)/gnu-component.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/imagemagick/Makefile --- a/components/imagemagick/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/imagemagick/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -40,6 +40,11 @@ TPNO= 29915 +# Enable adiheap security extension. +# adistack fails with libgcc exception unwinding code. +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_DISABLE) + include $(WS_MAKE_RULES)/common.mk PATH=$(SPRO_VROOT)/bin:$(USRBINDIR):$(GNUBIN) diff -r 0d8fd6bb915f -r 934578b959f0 components/isc-dhcp/Makefile --- a/components/isc-dhcp/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/isc-dhcp/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -49,6 +49,10 @@ COMPONENT_PRE_CONFIGURE_ACTION = \ ($(CLONEY) $(SOURCE_DIR) $(@D)) +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # Some patches need configure script re-creation. COMPONENT_PREP_ACTION +=(cd $(@D); autoreconf -vfi); diff -r 0d8fd6bb915f -r 934578b959f0 components/mutt/Makefile --- a/components/mutt/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/mutt/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -34,6 +34,10 @@ TPNO= 29951 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + TEST_TARGET= $(NO_TESTS) include $(WS_MAKE_RULES)/common.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/ncftp/Makefile --- a/components/ncftp/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/ncftp/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -36,6 +36,10 @@ TPNO= 24893 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + TEST_TARGET= $(NO_TESTS) include $(WS_MAKE_RULES)/common.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/openldap/Makefile --- a/components/openldap/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/openldap/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -113,6 +113,10 @@ COMPONENT_BUILD_ENV += LTCFLAGS="-m$(BITS)" COMPONENT_INSTALL_ENV += LD_UNSET="$(LD_UNSET)" +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # special targets due to dependency on cyrus-sasl ../cyrus-sasl/build/%/.installed: (cd ../cyrus-sasl && $(GMAKE) install) diff -r 0d8fd6bb915f -r 934578b959f0 components/openscap/Makefile --- a/components/openscap/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/openscap/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -62,6 +62,10 @@ # XXX This shouldn't be necessary, but is; investigate why. CFLAGS += -D_FILE_OFFSET_BITS=64 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # Perl related patch needs configure script recreation. COMPONENT_PREP_ACTION +=(cd $(@D); autoreconf); diff -r 0d8fd6bb915f -r 934578b959f0 components/openssh/Makefile --- a/components/openssh/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/openssh/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -75,8 +75,13 @@ # libraries that it needs. LDFLAGS += $(LD_B_DIRECT) -z nolazyload -# Enable nxheap and nxstack security extensions -LDFLAGS += -z nxheap=enable -z nxstack=enable +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + +# Build PIE +CC_PIC_MODE = $(CC_PIC_ENABLE) +LD_Z_PIE_MODE = $(LD_Z_PIE_ENABLE) # Fix 64-bit linking via compiler. LDFLAGS += $(CC_BITS) diff -r 0d8fd6bb915f -r 934578b959f0 components/openssh/network-ssh.p5m --- a/components/openssh/network-ssh.p5m Thu Nov 03 22:18:09 2016 -0700 +++ b/components/openssh/network-ssh.p5m Fri Nov 04 05:32:50 2016 -0700 @@ -21,6 +21,8 @@ # Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability "Pass-through Uncommitted"> +# pie executables confuse this pkglint check due to bug 24457293 + default pkg.linted.userland.action001.2 True> set name=pkg.fmri \ value=pkg:/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="OpenSSH client and associated utilities" diff -r 0d8fd6bb915f -r 934578b959f0 components/openssh/service-network-ssh.p5m --- a/components/openssh/service-network-ssh.p5m Thu Nov 03 22:18:09 2016 -0700 +++ b/components/openssh/service-network-ssh.p5m Fri Nov 04 05:32:50 2016 -0700 @@ -21,6 +21,8 @@ # Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability "Pass-through Uncommitted"> +# pie executables confuse this pkglint check due to bug 24457293 + default pkg.linted.userland.action001.2 True> set name=pkg.fmri \ value=pkg:/service/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) set name=pkg.summary value="OpenSSH servers and SSH (Secure Shell) services" diff -r 0d8fd6bb915f -r 934578b959f0 components/postfix/Makefile --- a/components/postfix/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/postfix/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -58,6 +58,10 @@ CCARGS += -DHAS_LDAP -I/usr/include/openldap AUXLIBS += -lldap_r-2.4 -llber-2.4 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # pcre-config is run as part of the setup, so we need to find the 64-bit # version so it will provide a 64-bit runpath, o/w pkglint gives warnings. PATH = $(USRBINDIR64):$(USRBINDIR):$(GNUBIN) diff -r 0d8fd6bb915f -r 934578b959f0 components/procmail/Makefile --- a/components/procmail/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/procmail/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -36,6 +36,10 @@ TPNO= 9003 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + BUILD_STYLE= justmake TEST_TARGET= $(NO_TESTS) include $(WS_MAKE_RULES)/common.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/proftpd/Makefile --- a/components/proftpd/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/proftpd/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -56,6 +56,10 @@ PUBLISH_STAMP= endif +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # libcheck and specific Perl Test::Unit version is required for full test TEST_TARGET= $(SKIP_TEST) include $(WS_MAKE_RULES)/common.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/samba/Makefile --- a/components/samba/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/samba/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -92,6 +92,10 @@ CPPFLAGS += $(CPP_XPG6MODE) CPPFLAGS += -I/usr/include/openldap +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + LDFLAGS += -m$(BITS) LDFLAGS += -R/usr/lib/samba$(MACHLIBDIR) LDFLAGS += -R/usr/lib/samba/private$(MACHLIBDIR) @@ -105,6 +109,7 @@ CONFIGURE_OPTIONS += --bindir=/usr/lib/samba/bin CONFIGURE_OPTIONS += --sbindir=/usr/lib/samba/sbin CONFIGURE_OPTIONS += --libdir=/usr/lib/samba$(MACHLIBDIR) + CONFIGURE_OPTIONS += --with-privatelibdir=/usr/lib/samba/private$(MACHLIBDIR) CONFIGURE_OPTIONS += --sysconfdir=/etc/samba CONFIGURE_OPTIONS += --with-pammodulesdir=/usr/lib/samba/security$(MACHLIBDIR) diff -r 0d8fd6bb915f -r 934578b959f0 components/screen/Makefile --- a/components/screen/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/screen/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -32,6 +32,10 @@ TPNO= 29565 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + TEST_TARGET= $(NO_TESTS) include $(WS_MAKE_RULES)/gnu-component.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/sendmail/Makefile --- a/components/sendmail/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/sendmail/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -37,6 +37,10 @@ TPNO= 23958 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # Mostly but not completely migrated from ON in S12. ifeq ($(BUILD_TYPE), evaluation) BUILD_32_and_64= diff -r 0d8fd6bb915f -r 934578b959f0 components/squid/Makefile --- a/components/squid/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/squid/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -38,6 +38,10 @@ TPNO= 28337 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + TEST_TARGET= $(TEST_64) include $(WS_MAKE_RULES)/common.mk diff -r 0d8fd6bb915f -r 934578b959f0 components/sudo/Makefile --- a/components/sudo/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/sudo/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -47,6 +47,10 @@ LDFLAGS += $(CC_BITS) LDFLAGS += -lldap_r-2.4 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + # Allows zero-sized struct/union declarations and void functions with return # statements returning a value to work. CFLAGS += -features=extensions diff -r 0d8fd6bb915f -r 934578b959f0 components/tcpdump/Makefile --- a/components/tcpdump/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/tcpdump/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -34,6 +34,10 @@ TPNO= 22949 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + include $(WS_MAKE_RULES)/common.mk ifeq ($(OS_VERSION),5.11) diff -r 0d8fd6bb915f -r 934578b959f0 components/wget/Makefile --- a/components/wget/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/wget/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -33,6 +33,10 @@ TPNO= 29459 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + include $(WS_MAKE_RULES)/gnu-component.mk # Keep just the final test report diff -r 0d8fd6bb915f -r 934578b959f0 components/wireshark/Makefile --- a/components/wireshark/Makefile Thu Nov 03 22:18:09 2016 -0700 +++ b/components/wireshark/Makefile Fri Nov 04 05:32:50 2016 -0700 @@ -35,6 +35,10 @@ TPNO= 32120 +# Enable adiheap and adistack security extensions +ADIHEAP_MODE = $(ADIHEAP_ENABLE) +ADISTACK_MODE = $(ADISTACK_ENABLE) + TEST_TARGET= $(NO_TESTS) # Depends on newer cairo, which cannot be updated in S11. diff -r 0d8fd6bb915f -r 934578b959f0 make-rules/shared-macros.mk --- a/make-rules/shared-macros.mk Thu Nov 03 22:18:09 2016 -0700 +++ b/make-rules/shared-macros.mk Fri Nov 04 05:32:50 2016 -0700 @@ -905,8 +905,10 @@ # Generic macro for PIC code generation. Use this macro instead of the # compiler-specific variant. -CC_PIC = $($(COMPILER)_PIC) - +CC_PIC = $($(COMPILER)_PIC) +CC_PIC_ENABLE = $(CC_PIC) +CC_PIC_DISABLE = +CC_PIC_MODE = $(CC_PIC_DISABLE) # Default GNU C compiler flags. Add the required feature to your Makefile # with CFLAGS += $(FEATURE_MACRO) and add to the component build with @@ -927,6 +929,10 @@ # Build 32 or 64 bit objects. CFLAGS += $(CC_BITS) +# Support building a binary PIE by building each unit PIC. To enable in +# a makefile, add CC_PIC_MODE = $(CC_PIC_ENABLE) +CFLAGS += $(CC_PIC_MODE) + # Add compiler-specific 'default' features CFLAGS += $(CFLAGS.$(COMPILER)) CFLAGS += $(CFLAGS.$(COMPILER).$(BITS)) @@ -1006,22 +1012,91 @@ # use direct binding LD_B_DIRECT = -Bdirect -# use generic macro names for enabling/disabling ASLR -ASLR_ENABLE = -zaslr=enable -ASLR_DISABLE = -zaslr=disable -ASLR_NOT_APPLICABLE = -zaslr=disable +# build a PIE binary +# to enable creating a PIE binary, add LD_Z_PIE_MODE = $(LD_Z_PIE_ENABLE) +# to the component makefile, and ensure that it's built PIC (CC_PIC_ENABLE). +LD_Z_PIE_ENABLE = -ztype=pie +LD_Z_PIE_DISABLE = +LD_Z_PIE_MODE = $(LD_Z_PIE_DISABLE) + +# generic macro names for enabling/disabling security extensions +# -z is deprecated, but supported, on S12, in favor of +# the more flexible -zsx= format. Security extensions which +# are not supported on S11 use -zsx= by default. + +ifeq ($(OS_VERSION), 5.11) +ASLR_ENABLE = -zaslr=enable +ASLR_DISABLE = -zaslr=disable +ASLR_NOT_APPLICABLE = -zaslr=disable + +NXSTACK_ENABLE = -znxstack=enable +NXSTACK_DISABLE = -znxstack=disable +NXSTACK_NOT_APPLICABLE = -znxstack=disable + +NXHEAP_ENABLE = -znxheap=enable +NXHEAP_DISABLE = -znxheap=disable +NXHEAP_NOT_APPLICABLE = -znxheap=disable +else +ASLR_ENABLE = -zsx=aslr=enable +ASLR_DISABLE = -zsx=aslr=disable +ASLR_NOT_APPLICABLE = -zsx=aslr=disable -# Enable ASLR by default unless target build is NO_ARCH. +NXSTACK_ENABLE = -zsx=nxstack=enable +NXSTACK_DISABLE = -zsx=nxstack=disable +NXSTACK_NOT_APPLICABLE = -zsx=nxstack=disable + +NXHEAP_ENABLE = -zsx=nxheap=enable +NXHEAP_DISABLE = -zsx=nxheap=disable +NXHEAP_NOT_APPLICABLE = -zsx=nxheap=disable + +ADIHEAP_ENABLE.sparcv9 = -zsx=adiheap=enable +ADIHEAP_DISBLE.sparcv9 = -zsx=adiheap=disable +ADIHEAP_ENABLE = $(ADIHEAP_ENABLE.$(MACH64)) +ADIHEAP_DISABLE = $(ADIHEAP_DISABLE.$(MACH64)) + +ADISTACK_ENABLE.sparcv9 = -zsx=adistack=enable +ADISTACK_DISABLE.sparcv9 = -zsx=adistack=disable +ADISTACK_ENABLE = $(ADISTACK_ENABLE.$(MACH64)) +ADISTACK_DISABLE = $(ADISTACK_DISABLE.$(MACH64)) +endif + +# Enable ASLR, NXHEAP and NXSTACK by default unless target build is NO_ARCH. ifeq ($(strip $(BUILD_BITS)),NO_ARCH) -ASLR_MODE= $(ASLR_NOT_APPLICABLE) +ASLR_MODE= $(ASLR_NOT_APPLICABLE) +NXSTACK_MODE = $(NXSTACK_NOT_APPLICABLE) +NXHEAP_MODE = $(NXHEAP_NOT_APPLICABLE) +ADIHEAP_MODE = +ADISTACK_MODE = else -ASLR_MODE= $(ASLR_ENABLE) +ASLR_MODE = $(ASLR_ENABLE) +NXSTACK_MODE = $(NXSTACK_ENABLE) +NXHEAP_MODE = $(NXHEAP_ENABLE) +ADIHEAP_MODE = +ADISTACK_MODE = endif -# by default, turn on Address Space Layout Randomization for ELF executables; +# by default, turn on Address Space Layout Randomization, non-executable +# stack and non-executable heap for ELF executables; # to explicitly disable ASLR, set ASLR_MODE = $(ASLR_DISABLE) +# to explicitly disable NXSTACK, set NXSTACK_MODE = $(NXSTACK_DISABLE) +# to explicitly disable NXHEAP, set NXHEAP_MODE = $(NXHEAP_DISABLE) # in that component's Makefile LD_Z_ASLR = $(ASLR_MODE) +LD_Z_NXSTACK = $(NXSTACK_MODE) +LD_Z_NXHEAP = $(NXHEAP_MODE) + +# by default, ADIHEAP and ADISTACK are opt-in. +# to explicitly enable ADIHEAP, set ADIHEAP_MODE = $(ADIHEAP_ENABLE) +# to explicitly disable ADIHEAP, set ADIHEAP_MODE = $(ADIHEAP_DISABLE) +# to explicitly enable ADISTACK, set ADISTACK_MODE = $(ADISTACK_ENABLE) +# to explicitly disable ADISTACK, set ADISTACK_MODE = $(ADISTACK_DISABLE) +# +# ADIHEAP and ADISTACK are not supported on Solaris 11. +# +ifneq ($(OS_VERSION), 5.11) +LD_Z_ADIHEAP = $(ADIHEAP_MODE) +LD_Z_ADISTACK = $(ADISTACK_MODE) +endif # # More Solaris linker flags that we want to be sure that everyone gets. This @@ -1030,10 +1105,6 @@ # turned off by adding FEATURE_MACRO= to the component Makefile. # -# Create a non-executable stack when linking. -LD_MAP_NOEXSTK.i386 = -M /usr/lib/ld/map.noexstk -LD_MAP_NOEXSTK.sparc = -M /usr/lib/ld/map.noexstk - # Create a non-executable bss segment when linking. LD_MAP_NOEXBSS.i386 = -M /usr/lib/ld/map.noexbss LD_MAP_NOEXBSS.sparc = -M /usr/lib/ld/map.noexbss @@ -1053,21 +1124,32 @@ # Default linker options that everyone should get. Do not add additional # libraries to this macro, as it will apply to everything linked during the # component build. -LD_OPTIONS += $(LD_MAP_NOEXSTK.$(MACH)) $(LD_MAP_NOEXDATA.$(MACH)) \ +LD_OPTIONS += $(LD_MAP_NOEXDATA.$(MACH)) \ $(LD_MAP_PAGEALIGN) $(LD_B_DIRECT) $(LD_Z_IGNORE) \ $(LD_Z_STRIP_CLASS) +LD_SECEXT_OPTIONS.sparc = $(LD_Z_ADIHEAP) $(LD_Z_ADISTACK) +LD_SECEXT_OPTIONS = $(LD_Z_ASLR) $(LD_Z_NXSTACK) $(LD_Z_NXHEAP) \ + $(LD_SECEXT_OPTIONS.$(MACH)) + # only used on executables -LD_EXEC_OPTIONS = $(LD_Z_ASLR) +# executables can be ET_EXEC or ET_DYN (PIE). LD_EXEC_OPTIONS and +# LD_PIE_OPTIONS apply respectively. A small trick is used to link +# binaries with -ztype=pie, by passing it on the LD_EXEC_OPTIONS list. +LD_EXEC_OPTIONS = $(LD_Z_PIE_MODE) $(LD_SECEXT_OPTIONS) +LD_PIE_OPTIONS = $(LD_SECEXT_OPTIONS) + # Environment variables and arguments passed into the build and install # environment(s). These are the initial settings. COMPONENT_BUILD_ENV= \ LD_OPTIONS="$(LD_OPTIONS)" \ - LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)" + LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"\ + LD_PIE_OPTIONS="$(LD_PIE_OPTIONS)"\ COMPONENT_INSTALL_ENV= \ LD_OPTIONS="$(LD_OPTIONS)" \ - LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)" + LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"\ + LD_PIE_OPTIONS="$(LD_PIE_OPTIONS)"\ # Add any bit-specific settings COMPONENT_BUILD_ENV += $(COMPONENT_BUILD_ENV.$(BITS))