mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-15 23:05:49 +01:00
5608fd23c2
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other build-only utility libraries. 2. Another 40% is fixed by generating _pic.a variants of various libraries. 3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR) where it never would work anyhow, such as csu or loader. This suggests there may be better ways of adding support to the tree. Many of these cases can be fixed such that -fPIE will work but there is really no reason to have it in those cases. 4. Some of the uses are working around hacks done to some Makefiles that are really building libraries but have been using bsd.prog.mk because the code is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have been needed. We likely do want to enable PIE by default (opt-out) for non-tree consumers (such as ports). For in-tree though we probably want to only enable PIE (opt-in) for common attack targets such as remote service daemons and setuid utilities. This is also a great performance compromise since ASLR is expected to reduce performance. As such it does not make sense to enable it in all utilities such as ls(1) that have little benefit to having it enabled. Reported by: kib
51 lines
1.1 KiB
Makefile
51 lines
1.1 KiB
Makefile
# $FreeBSD$
|
|
|
|
.include <src.opts.mk>
|
|
|
|
TELNETDIR= ${.CURDIR}/../../contrib/telnet
|
|
.PATH: ${TELNETDIR}/telnet
|
|
|
|
PROG= telnet
|
|
|
|
SRCS= commands.c main.c network.c ring.c sys_bsd.c \
|
|
telnet.c terminal.c utilities.c
|
|
|
|
CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
|
|
-I${TELNETDIR} -I${TELNETDIR}/libtelnet/
|
|
|
|
.if ${MK_INET6_SUPPORT} != "no"
|
|
CFLAGS+= -DINET6
|
|
.endif
|
|
|
|
WARNS?= 2
|
|
|
|
LIBTELNET= ${.OBJDIR}/../../lib/libtelnet/libtelnet.a
|
|
|
|
DPADD= ${LIBTERMCAPW} ${LIBTELNET}
|
|
LDADD= -ltermcapw ${LIBTELNET}
|
|
|
|
.if !defined(RELEASE_CRUNCH)
|
|
CFLAGS+= -DIPSEC
|
|
DPADD+= ${LIBIPSEC}
|
|
LDADD+= -lipsec
|
|
.else
|
|
.PATH: ${TELNETDIR}/libtelnet
|
|
SRCS+= genget.c getent.c misc.c
|
|
CFLAGS+= -DHAS_CGETENT
|
|
.endif
|
|
|
|
.if ${MK_OPENSSL} != "no"
|
|
SRCS+= authenc.c
|
|
CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DIPSEC
|
|
DPADD+= ${LIBMP} ${LIBCRYPTO} ${LIBCRYPT} ${LIBIPSEC} ${LIBPAM}
|
|
LDADD+= -lmp -lcrypto -lcrypt -lipsec ${MINUSLPAM}
|
|
.endif
|
|
|
|
.if ${MK_KERBEROS_SUPPORT} != "no"
|
|
CFLAGS+= -DKRB5 -DFORWARD -Dnet_write=telnet_net_write
|
|
DPADD+= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBCOM_ERR} ${LIBROKEN}
|
|
LDADD+= -lkrb5 -lhx509 -lasn1 -lcom_err -lroken
|
|
.endif
|
|
|
|
.include <bsd.prog.mk>
|