On Mon, 4 May 2020 at 19:39, Dewayne Geraghty <dewa...@heuristicsystems.com.au> wrote:
>
> It would be palatable to have a "secure.mk" under /usr/ports/Mk/Uses
> that enables pie, relro, now, noexecstack and elfctl features. Then
> port users can enable/disable their (elfctl) default features as they wish.
The general intent for elfctl isn't to have a lot of knobs to worry about, either user- or developer-facing, and they'll generally be opt-outs. Ports with known incompatibilities will be tagged at build time (regardless of whether mitigations are enabled), and mitigations should be able to be turned on system-wide.

We should be able to address non-executable stack in a similar way: virtually all ports should have a RW GNU_STACK segment indicating that the stack is not executable, so a ports build stage could check for that and produce an error if not, with some sort of override for any exceptional cases.

We definitely want some global infrastructure for pie, relro, and bind_now.

_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
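The build-stage check sketched in the reply above (fail the port when the binary has no PT_GNU_STACK segment or when that segment is executable, with an explicit override list for known-incompatible ports) can be written as a plain ELF program-header walk. The following is an added example and is not code from the thread or from the FreeBSD ports tree; the function names, the override set and the header-only ELF images it builds as test input are all constructed for illustration. Because the same header walk exposes e_type and PT_GNU_RELRO, it also reports PIE and RELRO; bind_now lives in the dynamic section and is not checked here.

```python
"""Added example: ports-style hardening audit over ELF64 program headers.

Not part of the original mailing-list thread. All names are hypothetical.
Only little-endian ELF64 is handled, which covers amd64 and arm64 ports.
"""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # stack permissions requested by the linker
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def program_headers(elf):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    phdrs = []
    for i in range(e_phnum):
        # p_type and p_flags are the first two 32-bit words of an Elf64_Phdr
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def audit(elf):
    """Summarise the mitigations visible from the ELF header and program headers."""
    e_type, phdrs = program_headers(elf)
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
        "gnu_stack": bool(stack_flags),
        # RW GNU_STACK means non-executable stack; PF_X set means RWE
        "noexecstack": bool(stack_flags) and not (stack_flags[0] & PF_X),
    }


def ports_stage_check(port, elf, overrides=frozenset()):
    """Return a list of error strings for the build stage; empty means pass.

    A port listed in `overrides` (the hypothetical tag for known
    incompatibilities) is allowed to fail the stack check.
    """
    result = audit(elf)
    errors = []
    if not result["gnu_stack"]:
        errors.append("%s: no PT_GNU_STACK segment (toolchain did not emit one)" % port)
    elif not result["noexecstack"]:
        errors.append("%s: PT_GNU_STACK is executable (RWE)" % port)
    if errors and port in overrides:
        return []
    return errors


def make_elf(e_type, phdr_specs):
    """Build a header-only ELF64 image (constructed test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + bytes(8)  # 64-bit, LE, v1, OSABI FreeBSD
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdr_specs), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                     for t, f in phdr_specs)
    return ehdr + phdrs


# Constructed sample images: a hardened PIE, a legacy RWE-stack executable,
# and one whose linker emitted no PT_GNU_STACK at all.
GOOD_ELF = make_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W),
                             (PT_GNU_RELRO, PF_R)])
RWE_ELF = make_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NOSTACK_ELF = make_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    # Usage: python3 audit.py <port-name> <path-to-elf> [override-port ...]
    port, path, overrides = sys.argv[1], sys.argv[2], frozenset(sys.argv[3:])
    with open(path, "rb") as fh:
        image = fh.read()
    print(audit(image))
    for err in ports_stage_check(port, image, overrides):
        print("ERROR:", err)
```

Run against an installed binary, the script prints the audit dictionary and any build-stage errors; the same walk is what `readelf -l` shows under the `GNU_STACK` and `GNU_RELRO` lines, so the two can be cross-checked.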