b619f0c747
1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other build-only utility libraries. 2. Another 40% is fixed by generating _pic.a variants of various libraries. 3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR) where it never would work anyhow, such as csu or loader. This suggests there may be better ways of adding support to the tree. Many of these cases can be fixed such that -fPIE will work but there is really no reason to have it in those cases. 4. Some of the uses are working around hacks done to some Makefiles that are really building libraries but have been using bsd.prog.mk because the code is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have been needed. We likely do want to enable PIE by default (opt-out) for non-tree consumers (such as ports). For in-tree though we probably want to only enable PIE (opt-in) for common attack targets such as remote service daemons and setuid utilities. This is also a great performance compromise since ASLR is expected to reduce performance. As such it does not make sense to enable it in all utilities such as ls(1) that have little benefit to having it enabled. Reported by: kib
98 lines
2.7 KiB
Makefile
98 lines
2.7 KiB
Makefile
# $FreeBSD$
|
|
#
|
|
# Option file for src builds.
|
|
#
|
|
# Users define WITH_FOO and WITHOUT_FOO on the command line or in /etc/src.conf
|
|
# and /etc/make.conf files. These translate in the build system to MK_FOO={yes,no}
|
|
# with sensible (usually) defaults.
|
|
#
|
|
# Makefiles must include bsd.opts.mk after defining specific MK_FOO options that
|
|
# are applicable for that Makefile (typically there are none, but sometimes there
|
|
# are exceptions). Recursive makes usually add MK_FOO=no for options that they wish
|
|
# to omit from that make.
|
|
#
|
|
# Makefiles must include bsd.srcpot.mk before they test the value of any MK_FOO
|
|
# variable.
|
|
#
|
|
# Makefiles may also assume that this file is included by bsd.own.mk should it
|
|
# need variables defined there prior to the end of the Makefile where
|
|
# bsd.{subdir,lib.bin}.mk is traditionally included.
|
|
#
|
|
# The old-style YES_FOO and NO_FOO are being phased out. No new instances of them
|
|
# should be added. Old instances should be removed since they were just to
|
|
# bridge the gap between FreeBSD 4 and FreeBSD 5.
|
|
#
|
|
# Makefiles should never test WITH_FOO or WITHOUT_FOO directly (although an
|
|
# exception is made for _WITHOUT_SRCONF which turns off this mechanism
|
|
# completely).
|
|
#
|
|
|
|
.if !target(__<bsd.opts.mk>__)
|
|
__<bsd.opts.mk>__:
|
|
|
|
.if !defined(_WITHOUT_SRCCONF)
|
|
#
|
|
# Define MK_* variables (which are either "yes" or "no") for users
|
|
# to set via WITH_*/WITHOUT_* in /etc/src.conf and override in the
|
|
# make(1) environment.
|
|
# These should be tested with `== "no"' or `!= "no"' in makefiles.
|
|
# The NO_* variables should only be set by makefiles for variables
|
|
# that haven't been converted over.
|
|
#
|
|
|
|
# Only these options are used by bsd.*.mk. KERBEROS and OPENSSH are
|
|
# unforutnately needed to support statically linking the entire
|
|
# tree. su(1) wouldn't link since it depends on PAM which depends on
|
|
# ssh libraries when building with OPENSSH, and likewise for KERBEROS.
|
|
|
|
# All other variables used to build /usr/src live in src.opts.mk
|
|
# and variables from both files are documented in src.conf(5).
|
|
|
|
__DEFAULT_YES_OPTIONS = \
|
|
ASSERT_DEBUG \
|
|
DOCCOMPRESS \
|
|
INSTALLLIB \
|
|
KERBEROS \
|
|
MAN \
|
|
MANCOMPRESS \
|
|
NIS \
|
|
NLS \
|
|
OPENSSH \
|
|
PROFILE \
|
|
SSP \
|
|
SYMVER \
|
|
TOOLCHAIN \
|
|
WARNS
|
|
|
|
__DEFAULT_NO_OPTIONS = \
|
|
CTF \
|
|
DEBUG_FILES \
|
|
INSTALL_AS_USER \
|
|
INFO
|
|
|
|
.include <bsd.mkopt.mk>
|
|
|
|
#
|
|
# Supported NO_* options (if defined, MK_* will be forced to "no",
|
|
# regardless of user's setting).
|
|
#
|
|
# These are transitional and will disappaer in the FreeBSD 12.
|
|
#
|
|
.for var in \
|
|
CTF \
|
|
DEBUG_FILES \
|
|
INSTALLLIB \
|
|
MAN \
|
|
PROFILE \
|
|
WARNS
|
|
.if defined(NO_${var})
|
|
# This warning may be premature...
|
|
#.warning "NO_${var} is defined, but deprecated. Please use MK_${var}=no instead."
|
|
MK_${var}:=no
|
|
.endif
|
|
.endfor
|
|
|
|
.endif # !_WITHOUT_SRCCONF
|
|
|
|
.endif
|