--- a/exception_lists/cddlchk Tue Nov 04 08:41:39 2014 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-.*
--- a/exception_lists/check_rtime Tue Nov 04 08:41:39 2014 -0800
+++ b/exception_lists/check_rtime Wed Nov 05 07:58:34 2014 -0800
@@ -87,11 +87,6 @@
# not during the build process.
NOELFSIGN .*
-# check_rtime tests for the DT_SUNW_NXHEAP dynamic entry, as defined by
-# PSARC/2014/247 Non-executable stack and heap security extensions - 19229055
-# provide a blanket exemption for now
-EXEC_HEAP .*
-
## Things we might be able to fix eventually, but not today:
#
# libXinerama only uses libc for malloc() - when linked with synergyc &
--- a/open-src/common/Makefile.init Tue Nov 04 08:41:39 2014 -0800
+++ b/open-src/common/Makefile.init Wed Nov 05 07:58:34 2014 -0800
@@ -207,15 +207,37 @@
MAPFILE_NOEXDATA_sparc = $(MAPFILE_NOEXBSS)
MAPFILE_NOEXDATA_i386 = -M /usr/lib/ld/map.noexdata
MAPFILE_NOEXDATA = $(MAPFILE_NOEXDATA_$(MACH))
-MAPFILE_NOEXSTACK = -M /usr/lib/ld/map.noexstk
MAPFILE_PAGEALIGN = -M /usr/lib/ld/map.pagealign
MAPFILE_HEAPALIGN = -M /usr/lib/ld/map.bssalign
MAPFILES_FOR_ALL = $(MAPFILE_PAGEALIGN) $(MAPFILE_NOEXDATA)
-MAPFILES_FOR_PROGS = $(MAPFILE_HEAPALIGN) $(MAPFILE_NOEXSTACK)
-MAPFILES_FOR_PROGS += $(MAPFILE_NOEXBSS)
+MAPFILES_FOR_PROGS = $(MAPFILE_HEAPALIGN) $(MAPFILE_NOEXBSS)
-XORG_EXTERNS_FILE = mapfile-Xorg-externs.$(MACH)
+# Security Extensions file tagging.
+#
+# Security Extensions can be explicitly controlled at the binary level via
+# tagging. Binaries built with -z <extension>=enable will have the extension
+# enabled in the 'tagged-files' model, while binaries built with
+# -z <extension>=disable will have it disabled regardless of the model.
+#
+# Currently supported extensions are:
+# -z aslr Address Space Layout Randomization
+# -z nxstack Non-executable Stack
+# -z nxheap Non-executable Heap
+#
+# -z aslr|nxstack|nxheap are only valid when linking executables.
+
+ZASLR_ENABLE= -z aslr=enable
+ZASLR_DISABLE= -z aslr=disable
+ZASLR= $(ZASLR_ENABLE)
+
+ZNXSTACK_ENABLE= -z nxstack=enable
+ZNXSTACK_DISABLE= -z nxstack=disable
+ZNXSTACK= $(ZNXSTACK_ENABLE)
+
+ZNXHEAP_ENABLE= -z nxheap=enable
+ZNXHEAP_DISABLE= -z nxheap=disable
+ZNXHEAP= $(ZNXHEAP_ENABLE)
# Flags to discard at link time unnecessary dependencies, .o files or
# ELF sections that upstream may have included that we don't use.
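Review bot: Removing the `MAPFILE_NOEXSTACK` definition leaves any module Makefile outside this diff that still references `$(MAPFILE_NOEXSTACK)` expanding it to an empty string, because make does not complain about undefined variables. A program that requested its non-executable stack only through that name, rather than through `DEFAULT_LD_EXEC_OPTIONS`, would then link without it and without any build error. Unless every consumer has been checked, a tripwire in place of the removed line makes stale uses fail loudly: `MAPFILE_NOEXSTACK = $(error MAPFILE_NOEXSTACK was removed, use ZNXSTACK instead)`. Since that assignment is recursive, the error fires only where the old name is actually expanded.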
@@ -223,10 +245,6 @@
ZDISCARD_UNUSED_FIL = -zdiscard-unused=files
ZDISCARD_UNUSED_SEC = -zdiscard-unused=sections
-# Include -lc as workaround for bug 17815318 so libm can actually go away
-# if -xlibmil manages to inline all math functions.
-ZDISCARD_UNUSED_DEP += -lc
-
# Common flags for all binaries
DEFAULT_LD_OPTIONS = -z lazyload -B direct -z guidance
DEFAULT_LD_OPTIONS += $(MAPFILES_FOR_ALL)
@@ -244,7 +262,7 @@
DEFAULT_LD_SHARED_OPTIONS = -z text -z defs
# Ensure we do ASLR tagging & mark stacks/heaps non-executable on programs
-DEFAULT_LD_EXEC_OPTIONS = -z aslr=enable $(MAPFILES_FOR_PROGS)
+DEFAULT_LD_EXEC_OPTIONS = $(ZASLR) $(ZNXHEAP) $(ZNXSTACK) $(MAPFILES_FOR_PROGS)
## Commonly added options
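Review bot: The comment above `DEFAULT_LD_EXEC_OPTIONS` does not say that the three protections are now individually overridable, so a maintainer who hits a program that cannot run with one of them has no documented alternative to replacing the whole variable. I would extend it with something like `# To opt a program out of one extension, set e.g. ZNXHEAP = $(ZNXHEAP_DISABLE) in its Makefile and state the reason there.` This works because the assignment is recursive (`=`), provided nothing downstream captures the value with `:=`. This commit also drops the blanket `EXEC_HEAP .*` exemption from `exception_lists/check_rtime`, so it is worth noting in the same comment that an opt-out presumably needs a matching path-specific `EXEC_HEAP` entry there.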
--- a/open-src/xserver/xorg/Makefile Tue Nov 04 08:41:39 2014 -0800
+++ b/open-src/xserver/xorg/Makefile Wed Nov 05 07:58:34 2014 -0800
@@ -153,6 +153,7 @@
# Pass linker mapfile listing symbols that modules can count on resolving
# from the Xorg binary itself
+XORG_EXTERNS_FILE = mapfile-Xorg-externs.$(MACH)
XORG_EXTERNS_FLAG = -Wl,-M,$(PWD)/$(XORG_EXTERNS_FILE)
MODULE_BUILD_ENV = XORG_EXTERNS_FLAG='$(XORG_EXTERNS_FLAG)'
MODULE_LD_SHARED_OPTIONS += -M $(PWD)/$(XORG_EXTERNS_FILE)
--- a/open-src/xserver/xvnc/Makefile Tue Nov 04 08:41:39 2014 -0800
+++ b/open-src/xserver/xvnc/Makefile Wed Nov 05 07:58:34 2014 -0800
@@ -199,10 +199,6 @@
# The X server unit tests currently depend on the Xorg ddx being built
XVNC_CONFIG_OPTS += --disable-unit-tests
-# Include -lc as workaround for bug 17815318 so libm can actually go away
-# if -xlibmil manages to inline all math functions.
-MODULE_LDFLAGS += -lc -lm
-
MODULE_CPPFLAGS = \
-D_XOPEN_SOURCE=500 -D__EXTENSIONS__ \
-D__extension__=\"\" \