Index: head/share/mk/bsd.lib.mk =================================================================== --- head/share/mk/bsd.lib.mk (revision 340185) +++ head/share/mk/bsd.lib.mk (revision 340186) 
@@ -1,491 +1,495 @@ # from: @(#)bsd.lib.mk 5.26 (Berkeley) 5/2/91 # $FreeBSD$ # .include .if defined(LIB_CXX) || defined(SHLIB_CXX) _LD= ${CXX} .else _LD= ${CC} .endif .if defined(LIB_CXX) LIB= ${LIB_CXX} .endif .if defined(SHLIB_CXX) SHLIB= ${SHLIB_CXX} .endif LIB_PRIVATE= ${PRIVATELIB:Dprivate} # Set up the variables controlling shared libraries. After this section, # SHLIB_NAME will be defined only if we are to create a shared library. # SHLIB_LINK will be defined only if we are to create a link to it. # INSTALL_PIC_ARCHIVE will be defined only if we are to create a PIC archive. # BUILD_NOSSP_PIC_ARCHIVE will be defined only if we are to create a PIC archive. .if defined(NO_PIC) .undef SHLIB_NAME .undef INSTALL_PIC_ARCHIVE .undef BUILD_NOSSP_PIC_ARCHIVE .else .if !defined(SHLIB) && defined(LIB) SHLIB= ${LIB} .endif .if !defined(SHLIB_NAME) && defined(SHLIB) && defined(SHLIB_MAJOR) SHLIB_NAME= lib${LIB_PRIVATE}${SHLIB}.so.${SHLIB_MAJOR} .endif .if defined(SHLIB_NAME) && !empty(SHLIB_NAME:M*.so.*) SHLIB_LINK?= ${SHLIB_NAME:R} .endif SONAME?= ${SHLIB_NAME} .endif .if defined(CRUNCH_CFLAGS) CFLAGS+= ${CRUNCH_CFLAGS} .endif .if ${MK_ASSERT_DEBUG} == "no" CFLAGS+= -DNDEBUG NO_WERROR= .endif .if defined(DEBUG_FLAGS) CFLAGS+= ${DEBUG_FLAGS} .if ${MK_CTF} != "no" && ${DEBUG_FLAGS:M-g} != "" CTFFLAGS+= -g .endif .else STRIP?= -s .endif .if ${SHLIBDIR:M*lib32*} TAGS+= lib32 .endif .if defined(NO_ROOT) .if !defined(TAGS) || ! 
${TAGS:Mpackage=*} TAGS+= package=${PACKAGE:Uruntime} .endif TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} .endif +# ELF hardening knobs +.if ${MK_BIND_NOW} != "no" +LDFLAGS+= -Wl,-znow +.endif .if ${MK_RETPOLINE} != "no" CFLAGS+= -mretpoline CXXFLAGS+= -mretpoline LDFLAGS+= -Wl,-zretpolineplt .endif .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \ empty(DEBUG_FLAGS:M-gdwarf*) CFLAGS+= ${DEBUG_FILES_CFLAGS} CXXFLAGS+= ${DEBUG_FILES_CFLAGS} CTFFLAGS+= -g .endif .include # prefer .s to a .c, add .po, remove stuff not used in the BSD libraries # .pico used for PIC object files # .nossppico used for NOSSP PIC object files .SUFFIXES: .out .o .bc .ll .po .pico .nossppico .S .asm .s .c .cc .cpp .cxx .C .f .y .l .ln .if !defined(PICFLAG) .if ${MACHINE_CPUARCH} == "sparc64" PICFLAG=-fPIC .else PICFLAG=-fpic .endif .endif PO_FLAG=-pg .c.po: ${CC} ${PO_FLAG} ${STATIC_CFLAGS} ${PO_CFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .c.pico: ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS} ${CFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .c.nossppico: ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//} ${CFLAGS:C/^-fstack-protector.*$//} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .cc.po .C.po .cpp.po .cxx.po: ${CXX} ${PO_FLAG} ${STATIC_CXXFLAGS} ${PO_CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} .cc.pico .C.pico .cpp.pico .cxx.pico: ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico: ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//} -c ${.IMPSRC} -o ${.TARGET} .f.po: ${FC} -pg ${FFLAGS} -o ${.TARGET} -c ${.IMPSRC} ${CTFCONVERT_CMD} .f.pico: ${FC} ${PICFLAG} -DPIC ${FFLAGS} -o ${.TARGET} -c ${.IMPSRC} ${CTFCONVERT_CMD} .f.nossppico: ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC} ${CTFCONVERT_CMD} .s.po .s.pico .s.nossppico: ${AS} ${AFLAGS} -o ${.TARGET} ${.IMPSRC} ${CTFCONVERT_CMD} 
.asm.po: ${CC:N${CCACHE_BIN}} -x assembler-with-cpp -DPROF ${PO_CFLAGS} \ ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .asm.pico: ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \ ${CFLAGS} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .asm.nossppico: ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \ ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .S.po: ${CC:N${CCACHE_BIN}} -DPROF ${PO_CFLAGS} ${ACFLAGS} -c ${.IMPSRC} \ -o ${.TARGET} ${CTFCONVERT_CMD} .S.pico: ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS} ${ACFLAGS} \ -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .S.nossppico: ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} \ -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} _LIBDIR:=${LIBDIR} _SHLIBDIR:=${SHLIBDIR} .if defined(SHLIB_NAME) .if ${MK_DEBUG_FILES} != "no" SHLIB_NAME_FULL=${SHLIB_NAME}.full # Use ${DEBUGDIR} for base system debug files, else .debug subdirectory .if ${_SHLIBDIR} == "/boot" ||\ ${SHLIBDIR:C%/lib(/.*)?$%/lib%} == "/lib" ||\ ${SHLIBDIR:C%/usr/(tests/)?lib(32|exec)?(/.*)?%/usr/lib%} == "/usr/lib" DEBUGFILEDIR=${DEBUGDIR}${_SHLIBDIR} .else DEBUGFILEDIR=${_SHLIBDIR}/.debug .endif .if !exists(${DESTDIR}${DEBUGFILEDIR}) DEBUGMKDIR= .endif .else SHLIB_NAME_FULL=${SHLIB_NAME} .endif .endif .include # Allow libraries to specify their own version map or have it # automatically generated (see bsd.symver.mk above). 
.if ${MK_SYMVER} == "yes" && !empty(VERSION_MAP) ${SHLIB_NAME_FULL}: ${VERSION_MAP} LDFLAGS+= -Wl,--version-script=${VERSION_MAP} .endif .if defined(LIB) && !empty(LIB) || defined(SHLIB_NAME) OBJS+= ${SRCS:N*.h:${OBJS_SRCS_FILTER:ts:}:S/$/.o/} BCOBJS+= ${SRCS:N*.[hsS]:N*.asm:${OBJS_SRCS_FILTER:ts:}:S/$/.bco/g} LLOBJS+= ${SRCS:N*.[hsS]:N*.asm:${OBJS_SRCS_FILTER:ts:}:S/$/.llo/g} CLEANFILES+= ${OBJS} ${BCOBJS} ${LLOBJS} ${STATICOBJS} .endif .if defined(LIB) && !empty(LIB) _LIBS= lib${LIB_PRIVATE}${LIB}.a lib${LIB_PRIVATE}${LIB}.a: ${OBJS} ${STATICOBJS} @${ECHO} building static ${LIB} library @rm -f ${.TARGET} ${AR} ${ARFLAGS} ${.TARGET} `NM='${NM}' NMFLAGS='${NMFLAGS}' \ ${LORDER} ${OBJS} ${STATICOBJS} | ${TSORT} ${TSORTFLAGS}` ${ARADD} ${RANLIB} ${RANLIBFLAGS} ${.TARGET} .endif .if !defined(INTERNALLIB) .if ${MK_PROFILE} != "no" && defined(LIB) && !empty(LIB) _LIBS+= lib${LIB_PRIVATE}${LIB}_p.a POBJS+= ${OBJS:.o=.po} ${STATICOBJS:.o=.po} DEPENDOBJS+= ${POBJS} CLEANFILES+= ${POBJS} lib${LIB_PRIVATE}${LIB}_p.a: ${POBJS} @${ECHO} building profiled ${LIB} library @rm -f ${.TARGET} ${AR} ${ARFLAGS} ${.TARGET} `NM='${NM}' NMFLAGS='${NMFLAGS}' \ ${LORDER} ${POBJS} | ${TSORT} ${TSORTFLAGS}` ${ARADD} ${RANLIB} ${RANLIBFLAGS} ${.TARGET} .endif .if defined(LLVM_LINK) lib${LIB_PRIVATE}${LIB}.bc: ${BCOBJS} ${LLVM_LINK} -o ${.TARGET} ${BCOBJS} lib${LIB_PRIVATE}${LIB}.ll: ${LLOBJS} ${LLVM_LINK} -S -o ${.TARGET} ${LLOBJS} CLEANFILES+= lib${LIB_PRIVATE}${LIB}.bc lib${LIB_PRIVATE}${LIB}.ll .endif .if defined(SHLIB_NAME) || \ defined(INSTALL_PIC_ARCHIVE) && defined(LIB) && !empty(LIB) SOBJS+= ${OBJS:.o=.pico} DEPENDOBJS+= ${SOBJS} CLEANFILES+= ${SOBJS} .endif .if defined(SHLIB_NAME) _LIBS+= ${SHLIB_NAME} SOLINKOPTS+= -shared -Wl,-x .if defined(LD_FATAL_WARNINGS) && ${LD_FATAL_WARNINGS} == "no" SOLINKOPTS+= -Wl,--no-fatal-warnings .else SOLINKOPTS+= -Wl,--fatal-warnings .endif SOLINKOPTS+= -Wl,--warn-shared-textrel .if target(beforelinking) beforelinking: ${SOBJS} ${SHLIB_NAME_FULL}: 
beforelinking .endif .if defined(SHLIB_LINK) .if defined(SHLIB_LDSCRIPT) && !empty(SHLIB_LDSCRIPT) && exists(${.CURDIR}/${SHLIB_LDSCRIPT}) ${SHLIB_LINK:R}.ld: ${.CURDIR}/${SHLIB_LDSCRIPT} sed -e 's,@@SHLIB@@,${_SHLIBDIR}/${SHLIB_NAME},g' \ -e 's,@@LIBDIR@@,${_LIBDIR},g' \ ${.ALLSRC} > ${.TARGET} ${SHLIB_NAME_FULL}: ${SHLIB_LINK:R}.ld CLEANFILES+= ${SHLIB_LINK:R}.ld .endif CLEANFILES+= ${SHLIB_LINK} .endif ${SHLIB_NAME_FULL}: ${SOBJS} @${ECHO} building shared library ${SHLIB_NAME} @rm -f ${SHLIB_NAME} ${SHLIB_LINK} .if defined(SHLIB_LINK) && !commands(${SHLIB_LINK:R}.ld) && ${MK_DEBUG_FILES} == "no" @${INSTALL_LIBSYMLINK} ${TAG_ARGS:D${TAG_ARGS},development} ${SHLIB_NAME} ${SHLIB_LINK} .endif ${_LD:N${CCACHE_BIN}} ${LDFLAGS} ${SSP_CFLAGS} ${SOLINKOPTS} \ -o ${.TARGET} -Wl,-soname,${SONAME} \ `NM='${NM}' NMFLAGS='${NMFLAGS}' ${LORDER} ${SOBJS} | \ ${TSORT} ${TSORTFLAGS}` ${LDADD} .if ${MK_CTF} != "no" ${CTFMERGE} ${CTFFLAGS} -o ${.TARGET} ${SOBJS} .endif .if ${MK_DEBUG_FILES} != "no" CLEANFILES+= ${SHLIB_NAME_FULL} ${SHLIB_NAME}.debug ${SHLIB_NAME}: ${SHLIB_NAME_FULL} ${SHLIB_NAME}.debug ${OBJCOPY} --strip-debug --add-gnu-debuglink=${SHLIB_NAME}.debug \ ${SHLIB_NAME_FULL} ${.TARGET} .if defined(SHLIB_LINK) && !commands(${SHLIB_LINK:R}.ld) @${INSTALL_LIBSYMLINK} ${TAG_ARGS:D${TAG_ARGS},development} ${SHLIB_NAME} ${SHLIB_LINK} .endif ${SHLIB_NAME}.debug: ${SHLIB_NAME_FULL} ${OBJCOPY} --only-keep-debug ${SHLIB_NAME_FULL} ${.TARGET} .endif .endif #defined(SHLIB_NAME) .if defined(INSTALL_PIC_ARCHIVE) && defined(LIB) && !empty(LIB) && ${MK_TOOLCHAIN} != "no" _LIBS+= lib${LIB_PRIVATE}${LIB}_pic.a lib${LIB_PRIVATE}${LIB}_pic.a: ${SOBJS} @${ECHO} building special pic ${LIB} library @rm -f ${.TARGET} ${AR} ${ARFLAGS} ${.TARGET} ${SOBJS} ${ARADD} ${RANLIB} ${RANLIBFLAGS} ${.TARGET} .endif .if defined(BUILD_NOSSP_PIC_ARCHIVE) && defined(LIB) && !empty(LIB) NOSSPSOBJS+= ${OBJS:.o=.nossppico} DEPENDOBJS+= ${NOSSPSOBJS} CLEANFILES+= ${NOSSPSOBJS} _LIBS+= 
lib${LIB_PRIVATE}${LIB}_nossp_pic.a lib${LIB_PRIVATE}${LIB}_nossp_pic.a: ${NOSSPSOBJS} @${ECHO} building special nossp pic ${LIB} library @rm -f ${.TARGET} ${AR} ${ARFLAGS} ${.TARGET} ${NOSSPSOBJS} ${ARADD} ${RANLIB} ${RANLIBFLAGS} ${.TARGET} .endif .endif # !defined(INTERNALLIB) .if defined(_SKIP_BUILD) all: .else .if defined(_LIBS) && !empty(_LIBS) all: ${_LIBS} .endif .if ${MK_MAN} != "no" && !defined(LIBRARIES_ONLY) all: all-man .endif .endif CLEANFILES+= ${_LIBS} _EXTRADEPEND: .if !defined(NO_EXTRADEPEND) && defined(SHLIB_NAME) .if defined(DPADD) && !empty(DPADD) echo ${SHLIB_NAME_FULL}: ${DPADD} >> ${DEPENDFILE} .endif .endif .if !target(install) .if defined(PRECIOUSLIB) .if !defined(NO_FSCHG) SHLINSTALLFLAGS+= -fschg .endif .endif # Install libraries with -S to avoid risk of modifying in-use libraries when # installing to a running system. It is safe to avoid this for NO_ROOT builds # that are only creating an image. .if !defined(NO_SAFE_LIBINSTALL) && !defined(NO_ROOT) SHLINSTALLFLAGS+= -S .endif _INSTALLFLAGS:= ${INSTALLFLAGS} .for ie in ${INSTALLFLAGS_EDIT} _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}} .endfor _SHLINSTALLFLAGS:= ${SHLINSTALLFLAGS} .for ie in ${INSTALLFLAGS_EDIT} _SHLINSTALLFLAGS:= ${_SHLINSTALLFLAGS${ie}} .endfor .if !defined(INTERNALLIB) realinstall: _libinstall .ORDER: beforeinstall _libinstall _libinstall: .if defined(LIB) && !empty(LIB) && ${MK_INSTALLLIB} != "no" ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},development} -C -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \ ${_INSTALLFLAGS} lib${LIB_PRIVATE}${LIB}.a ${DESTDIR}${_LIBDIR}/ .endif .if ${MK_PROFILE} != "no" && defined(LIB) && !empty(LIB) ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},profile} -C -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \ ${_INSTALLFLAGS} lib${LIB_PRIVATE}${LIB}_p.a ${DESTDIR}${_LIBDIR}/ .endif .if defined(SHLIB_NAME) ${INSTALL} ${TAG_ARGS} ${STRIP} -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \ ${_INSTALLFLAGS} ${_SHLINSTALLFLAGS} \ ${SHLIB_NAME} ${DESTDIR}${_SHLIBDIR}/ .if ${MK_DEBUG_FILES} != "no" 
.if defined(DEBUGMKDIR) ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},debug} -d ${DESTDIR}${DEBUGFILEDIR}/ .endif ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},debug} -o ${LIBOWN} -g ${LIBGRP} -m ${DEBUGMODE} \ ${_INSTALLFLAGS} \ ${SHLIB_NAME}.debug ${DESTDIR}${DEBUGFILEDIR}/ .endif .if defined(SHLIB_LINK) .if commands(${SHLIB_LINK:R}.ld) ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},development} -S -C -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \ ${_INSTALLFLAGS} ${SHLIB_LINK:R}.ld \ ${DESTDIR}${_LIBDIR}/${SHLIB_LINK} .for _SHLIB_LINK_LINK in ${SHLIB_LDSCRIPT_LINKS} ${INSTALL_LIBSYMLINK} ${SHLIB_LINK} ${DESTDIR}${_LIBDIR}/${_SHLIB_LINK_LINK} .endfor .else .if ${_SHLIBDIR} == ${_LIBDIR} .if ${SHLIB_LINK:Mlib*} ${INSTALL_RSYMLINK} ${TAG_ARGS:D${TAG_ARGS},development} ${SHLIB_NAME} ${DESTDIR}${_LIBDIR}/${SHLIB_LINK} .else ${INSTALL_RSYMLINK} ${TAG_ARGS} ${DESTDIR}${_SHLIBDIR}/${SHLIB_NAME} \ ${DESTDIR}${_LIBDIR}/${SHLIB_LINK} .endif .else .if ${SHLIB_LINK:Mlib*} ${INSTALL_RSYMLINK} ${TAG_ARGS:D${TAG_ARGS},development} ${DESTDIR}${_SHLIBDIR}/${SHLIB_NAME} \ ${DESTDIR}${_LIBDIR}/${SHLIB_LINK} .else ${INSTALL_RSYMLINK} ${TAG_ARGS} ${DESTDIR}${_SHLIBDIR}/${SHLIB_NAME} \ ${DESTDIR}${_LIBDIR}/${SHLIB_LINK} .endif .if exists(${DESTDIR}${_LIBDIR}/${SHLIB_NAME}) -chflags noschg ${DESTDIR}${_LIBDIR}/${SHLIB_NAME} rm -f ${DESTDIR}${_LIBDIR}/${SHLIB_NAME} .endif .endif .endif # SHLIB_LDSCRIPT .endif # SHLIB_LINK .endif # SHIB_NAME .if defined(INSTALL_PIC_ARCHIVE) && defined(LIB) && !empty(LIB) && ${MK_TOOLCHAIN} != "no" ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},development} -o ${LIBOWN} -g ${LIBGRP} -m ${LIBMODE} \ ${_INSTALLFLAGS} lib${LIB}_pic.a ${DESTDIR}${_LIBDIR}/ .endif .endif # !defined(INTERNALLIB) .if !defined(LIBRARIES_ONLY) .include .include .include .include .endif LINKOWN?= ${LIBOWN} LINKGRP?= ${LIBGRP} LINKMODE?= ${LIBMODE} SYMLINKOWN?= ${LIBOWN} SYMLINKGRP?= ${LIBGRP} .include .if ${MK_MAN} != "no" && !defined(LIBRARIES_ONLY) realinstall: maninstall .ORDER: beforeinstall maninstall .endif .endif .if 
${MK_MAN} != "no" && !defined(LIBRARIES_ONLY) .include .endif .if defined(LIB) && !empty(LIB) OBJS_DEPEND_GUESS+= ${SRCS:M*.h} .for _S in ${SRCS:N*.[hly]} OBJS_DEPEND_GUESS.${_S:${OBJS_SRCS_FILTER:ts:}}.po+= ${_S} .endfor .endif .if defined(SHLIB_NAME) || \ defined(INSTALL_PIC_ARCHIVE) && defined(LIB) && !empty(LIB) .for _S in ${SRCS:N*.[hly]} OBJS_DEPEND_GUESS.${_S:${OBJS_SRCS_FILTER:ts:}}.pico+= ${_S} .endfor .endif .if defined(BUILD_NOSSP_PIC_ARCHIVE) && defined(LIB) && !empty(LIB) .for _S in ${SRCS:N*.[hly]} OBJS_DEPEND_GUESS.${_S:${OBJS_SRCS_FILTER:ts:}}.nossppico+= ${_S} .endfor .endif .if defined(HAS_TESTS) MAKE+= MK_MAKE_CHECK_USE_SANDBOX=yes SUBDIR_TARGETS+= check TESTS_LD_LIBRARY_PATH+= ${.OBJDIR} .endif .include .include .include .include Index: head/share/mk/bsd.opts.mk =================================================================== --- head/share/mk/bsd.opts.mk (revision 340185) +++ head/share/mk/bsd.opts.mk (revision 340186) 
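Review bot: The new `MK_BIND_NOW` block in bsd.lib.mk adds only `-Wl,-znow`, and its comment `# ELF hardening knobs` does not say what the flag protects or what it depends on. Eager binding hardens a binary mainly when the relocated GOT is then made read-only, which needs RELRO (`-Wl,-zrelro`); nothing in this hunk passes it, so whether these libraries get that protection depends on the linker's default, which is not visible here. I would expand the comment to something like `# BIND_NOW: resolve all relocations at load time; protects the GOT only when RELRO is also in effect`, and either add the relro flag under the same knob or state the dependency in the WITH_BIND_NOW description. The identical block is added to bsd.prog.mk, so the same comment applies there.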
@@ -1,110 +1,111 @@ # $FreeBSD$ # # Option file for src builds. # # Users define WITH_FOO and WITHOUT_FOO on the command line or in /etc/src.conf # and /etc/make.conf files. These translate in the build system to MK_FOO={yes,no} # with (usually) sensible defaults. # # Makefiles must include bsd.opts.mk after defining specific MK_FOO options that # are applicable for that Makefile (typically there are none, but sometimes there # are exceptions). Recursive makes usually add MK_FOO=no for options that they wish # to omit from that make. # # Makefiles must include bsd.mkopt.mk before they test the value of any MK_FOO # variable. # # Makefiles may also assume that this file is included by bsd.own.mk should it # need variables defined there prior to the end of the Makefile where # bsd.{subdir,lib.bin}.mk is traditionally included. # # The old-style YES_FOO and NO_FOO are being phased out. No new instances of them # should be added. Old instances should be removed since they were just to # bridge the gap between FreeBSD 4 and FreeBSD 5. # # Makefiles should never test WITH_FOO or WITHOUT_FOO directly (although an # exception is made for _WITHOUT_SRCONF which turns off this mechanism # completely). # .if !target(____) ____: .if !defined(_WITHOUT_SRCCONF) # # Define MK_* variables (which are either "yes" or "no") for users # to set via WITH_*/WITHOUT_* in /etc/src.conf and override in the # make(1) environment. # These should be tested with `== "no"' or `!= "no"' in makefiles. # The NO_* variables should only be set by makefiles for variables # that haven't been converted over. # # Only these options are used by bsd.*.mk. KERBEROS and OPENSSH are # unfortunately needed to support statically linking the entire # tree. su(1) wouldn't link since it depends on PAM which depends on # ssh libraries when building with OPENSSH, and likewise for KERBEROS. # All other variables used to build /usr/src live in src.opts.mk # and variables from both files are documented in src.conf(5). 
__DEFAULT_YES_OPTIONS = \ ASSERT_DEBUG \ DEBUG_FILES \ DOCCOMPRESS \ INCLUDES \ INSTALLLIB \ KERBEROS \ MAKE_CHECK_USE_SANDBOX \ MAN \ MANCOMPRESS \ NIS \ NLS \ OPENSSH \ PROFILE \ SSP \ SYMVER \ TESTS \ TOOLCHAIN \ WARNS __DEFAULT_NO_OPTIONS = \ + BIND_NOW \ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \ RETPOLINE \ STALE_STAGED __DEFAULT_DEPENDENT_OPTIONS = \ MAKE_CHECK_USE_SANDBOX/TESTS \ STAGING_MAN/STAGING \ STAGING_PROG/STAGING \ STALE_STAGED/STAGING \ .include # # Supported NO_* options (if defined, MK_* will be forced to "no", # regardless of user's setting). # # These are transitional and will disappaer in the FreeBSD 12. # .for var in \ CTF \ DEBUG_FILES \ INSTALLLIB \ MAN \ PROFILE \ WARNS .if defined(NO_${var}) .warning "NO_${var} is defined, but deprecated. Please use MK_${var}=no instead." MK_${var}:=no .endif .endfor .include .endif # !_WITHOUT_SRCCONF .endif Index: head/share/mk/bsd.prog.mk =================================================================== --- head/share/mk/bsd.prog.mk (revision 340185) +++ head/share/mk/bsd.prog.mk (revision 340186) 
@@ -1,325 +1,329 @@ # from: @(#)bsd.prog.mk 5.26 (Berkeley) 6/25/91 # $FreeBSD$ .include .include .SUFFIXES: .out .o .bc .c .cc .cpp .cxx .C .m .y .l .ll .ln .s .S .asm # XXX The use of COPTS in modern makefiles is discouraged. .if defined(COPTS) .warning ${.CURDIR}: COPTS should be CFLAGS. CFLAGS+=${COPTS} .endif .if ${MK_ASSERT_DEBUG} == "no" CFLAGS+= -DNDEBUG NO_WERROR= .endif .if defined(DEBUG_FLAGS) CFLAGS+=${DEBUG_FLAGS} CXXFLAGS+=${DEBUG_FLAGS} .if ${MK_CTF} != "no" && ${DEBUG_FLAGS:M-g} != "" CTFFLAGS+= -g .endif .endif .if defined(PROG_CXX) PROG= ${PROG_CXX} .endif .if !empty(LDFLAGS:M-Wl,*--oformat,*) || !empty(LDFLAGS:M-static) MK_DEBUG_FILES= no .endif +# ELF hardening knobs +.if ${MK_BIND_NOW} != "no" +LDFLAGS+= -Wl,-znow +.endif .if ${MK_RETPOLINE} != "no" CFLAGS+= -mretpoline CXXFLAGS+= -mretpoline LDFLAGS+= -Wl,-zretpolineplt .endif .if defined(CRUNCH_CFLAGS) CFLAGS+=${CRUNCH_CFLAGS} .else .if ${MK_DEBUG_FILES} != "no" && empty(DEBUG_FLAGS:M-g) && \ empty(DEBUG_FLAGS:M-gdwarf-*) CFLAGS+= ${DEBUG_FILES_CFLAGS} CTFFLAGS+= -g .endif .endif .if !defined(DEBUG_FLAGS) STRIP?= -s .endif .if defined(NO_ROOT) .if !defined(TAGS) || ! 
${TAGS:Mpackage=*} TAGS+= package=${PACKAGE:Uruntime} .endif TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} .endif .if defined(NO_SHARED) && (${NO_SHARED} != "no" && ${NO_SHARED} != "NO") LDFLAGS+= -static .endif .if ${MK_DEBUG_FILES} != "no" PROG_FULL=${PROG}.full # Use ${DEBUGDIR} for base system debug files, else .debug subdirectory .if defined(BINDIR) && (\ ${BINDIR} == "/bin" ||\ ${BINDIR:C%/libexec(/.*)?%/libexec%} == "/libexec" ||\ ${BINDIR} == "/sbin" ||\ ${BINDIR:C%/usr/(bin|bsdinstall|libexec|lpr|sendmail|sm.bin|sbin|tests)(/.*)?%/usr/bin%} == "/usr/bin" ||\ ${BINDIR} == "/usr/lib" \ ) DEBUGFILEDIR= ${DEBUGDIR}${BINDIR} .else DEBUGFILEDIR?= ${BINDIR}/.debug .endif .if !exists(${DESTDIR}${DEBUGFILEDIR}) DEBUGMKDIR= .endif .else PROG_FULL= ${PROG} .endif .if defined(PROG) PROGNAME?= ${PROG} .if defined(SRCS) OBJS+= ${SRCS:N*.h:${OBJS_SRCS_FILTER:ts:}:S/$/.o/g} # LLVM bitcode / textual IR representations of the program BCOBJS+=${SRCS:N*.[hsS]:N*.asm:${OBJS_SRCS_FILTER:ts:}:S/$/.bco/g} LLOBJS+=${SRCS:N*.[hsS]:N*.asm:${OBJS_SRCS_FILTER:ts:}:S/$/.llo/g} .if target(beforelinking) beforelinking: ${OBJS} ${PROG_FULL}: beforelinking .endif ${PROG_FULL}: ${OBJS} .if defined(PROG_CXX) ${CXX:N${CCACHE_BIN}} ${CXXFLAGS:N-M*} ${LDFLAGS} -o ${.TARGET} \ ${OBJS} ${LDADD} .else ${CC:N${CCACHE_BIN}} ${CFLAGS:N-M*} ${LDFLAGS} -o ${.TARGET} ${OBJS} \ ${LDADD} .endif .if ${MK_CTF} != "no" ${CTFMERGE} ${CTFFLAGS} -o ${.TARGET} ${OBJS} .endif .else # !defined(SRCS) .if !target(${PROG}) .if defined(PROG_CXX) SRCS= ${PROG}.cc .else SRCS= ${PROG}.c .endif # Always make an intermediate object file because: # - it saves time rebuilding when only the library has changed # - the name of the object gets put into the executable symbol table instead of # the name of a variable temporary object. # - it's useful to keep objects around for crunching. 
OBJS+= ${PROG}.o BCOBJS+= ${PROG}.bc LLOBJS+= ${PROG}.ll CLEANFILES+= ${PROG}.o ${PROG}.bc ${PROG}.ll .if target(beforelinking) beforelinking: ${OBJS} ${PROG_FULL}: beforelinking .endif ${PROG_FULL}: ${OBJS} .if defined(PROG_CXX) ${CXX:N${CCACHE_BIN}} ${CXXFLAGS:N-M*} ${LDFLAGS} -o ${.TARGET} \ ${OBJS} ${LDADD} .else ${CC:N${CCACHE_BIN}} ${CFLAGS:N-M*} ${LDFLAGS} -o ${.TARGET} ${OBJS} \ ${LDADD} .endif .if ${MK_CTF} != "no" ${CTFMERGE} ${CTFFLAGS} -o ${.TARGET} ${OBJS} .endif .endif # !target(${PROG}) .endif # !defined(SRCS) .if ${MK_DEBUG_FILES} != "no" ${PROG}: ${PROG_FULL} ${PROGNAME}.debug ${OBJCOPY} --strip-debug --add-gnu-debuglink=${PROGNAME}.debug \ ${PROG_FULL} ${.TARGET} ${PROGNAME}.debug: ${PROG_FULL} ${OBJCOPY} --only-keep-debug ${PROG_FULL} ${.TARGET} .endif .if defined(LLVM_LINK) ${PROG_FULL}.bc: ${BCOBJS} ${LLVM_LINK} -o ${.TARGET} ${BCOBJS} ${PROG_FULL}.ll: ${LLOBJS} ${LLVM_LINK} -S -o ${.TARGET} ${LLOBJS} CLEANFILES+= ${PROG_FULL}.bc ${PROG_FULL}.ll .endif # defined(LLVM_LINK) .if ${MK_MAN} != "no" && !defined(MAN) && \ !defined(MAN1) && !defined(MAN2) && !defined(MAN3) && \ !defined(MAN4) && !defined(MAN5) && !defined(MAN6) && \ !defined(MAN7) && !defined(MAN8) && !defined(MAN9) MAN= ${PROG}.1 MAN1= ${MAN} .endif .endif # defined(PROG) .if defined(_SKIP_BUILD) all: .else all: ${PROG} ${SCRIPTS} .if ${MK_MAN} != "no" all: all-man .endif .endif .if defined(PROG) CLEANFILES+= ${PROG} ${PROG}.bc ${PROG}.ll .if ${MK_DEBUG_FILES} != "no" CLEANFILES+= ${PROG_FULL} ${PROGNAME}.debug .endif .endif .if defined(OBJS) CLEANFILES+= ${OBJS} ${BCOBJS} ${LLOBJS} .endif .include .if defined(PROG) .if !defined(NO_EXTRADEPEND) _EXTRADEPEND: .if defined(LDFLAGS) && !empty(LDFLAGS:M-nostdlib) .if defined(DPADD) && !empty(DPADD) echo ${PROG_FULL}: ${DPADD} >> ${DEPENDFILE} .endif .else echo ${PROG_FULL}: ${LIBC} ${DPADD} >> ${DEPENDFILE} .if defined(PROG_CXX) .if ${COMPILER_TYPE} == "clang" && empty(CXXFLAGS:M-stdlib=libstdc++) echo ${PROG_FULL}: ${LIBCPLUSPLUS} >> 
${DEPENDFILE} .else echo ${PROG_FULL}: ${LIBSTDCPLUSPLUS} >> ${DEPENDFILE} .endif .endif .endif .endif # !defined(NO_EXTRADEPEND) .endif .if !target(install) .if defined(PRECIOUSPROG) .if !defined(NO_FSCHG) INSTALLFLAGS+= -fschg .endif INSTALLFLAGS+= -S .endif _INSTALLFLAGS:= ${INSTALLFLAGS} .for ie in ${INSTALLFLAGS_EDIT} _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}} .endfor .if !target(realinstall) && !defined(INTERNALPROG) realinstall: _proginstall .ORDER: beforeinstall _proginstall _proginstall: .if defined(PROG) ${INSTALL} ${TAG_ARGS} ${STRIP} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \ ${_INSTALLFLAGS} ${PROG} ${DESTDIR}${BINDIR}/${PROGNAME} .if ${MK_DEBUG_FILES} != "no" .if defined(DEBUGMKDIR) ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},debug} -d ${DESTDIR}${DEBUGFILEDIR}/ .endif ${INSTALL} ${TAG_ARGS:D${TAG_ARGS},debug} -o ${BINOWN} -g ${BINGRP} -m ${DEBUGMODE} \ ${PROGNAME}.debug ${DESTDIR}${DEBUGFILEDIR}/${PROGNAME}.debug .endif .endif .endif # !target(realinstall) .if defined(SCRIPTS) && !empty(SCRIPTS) realinstall: _scriptsinstall .ORDER: beforeinstall _scriptsinstall SCRIPTSDIR?= ${BINDIR} SCRIPTSOWN?= ${BINOWN} SCRIPTSGRP?= ${BINGRP} SCRIPTSMODE?= ${BINMODE} STAGE_AS_SETS+= scripts stage_as.scripts: ${SCRIPTS} FLAGS.stage_as.scripts= -m ${SCRIPTSMODE} STAGE_FILES_DIR.scripts= ${STAGE_OBJTOP} .for script in ${SCRIPTS} .if defined(SCRIPTSNAME) SCRIPTSNAME_${script:T}?= ${SCRIPTSNAME} .else SCRIPTSNAME_${script:T}?= ${script:T:R} .endif SCRIPTSDIR_${script:T}?= ${SCRIPTSDIR} SCRIPTSOWN_${script:T}?= ${SCRIPTSOWN} SCRIPTSGRP_${script:T}?= ${SCRIPTSGRP} SCRIPTSMODE_${script:T}?= ${SCRIPTSMODE} STAGE_AS_${script:T}= ${SCRIPTSDIR_${script:T}}/${SCRIPTSNAME_${script:T}} _scriptsinstall: _SCRIPTSINS_${script:T} _SCRIPTSINS_${script:T}: ${script} ${INSTALL} ${TAG_ARGS} -o ${SCRIPTSOWN_${.ALLSRC:T}} \ -g ${SCRIPTSGRP_${.ALLSRC:T}} -m ${SCRIPTSMODE_${.ALLSRC:T}} \ ${.ALLSRC} \ ${DESTDIR}${SCRIPTSDIR_${.ALLSRC:T}}/${SCRIPTSNAME_${.ALLSRC:T}} .endfor .endif NLSNAME?= ${PROG} .include 
.include .include .include LINKOWN?= ${BINOWN} LINKGRP?= ${BINGRP} LINKMODE?= ${BINMODE} .include .if ${MK_MAN} != "no" realinstall: maninstall .ORDER: beforeinstall maninstall .endif .endif # !target(install) .if ${MK_MAN} != "no" .include .endif .if defined(HAS_TESTS) MAKE+= MK_MAKE_CHECK_USE_SANDBOX=yes SUBDIR_TARGETS+= check TESTS_LD_LIBRARY_PATH+= ${.OBJDIR} TESTS_PATH+= ${.OBJDIR} .endif .if defined(PROG) OBJS_DEPEND_GUESS+= ${SRCS:M*.h} .endif .include .include .include .include Index: head/tools/build/options/WITHOUT_BIND_NOW =================================================================== --- head/tools/build/options/WITHOUT_BIND_NOW (nonexistent) +++ head/tools/build/options/WITHOUT_BIND_NOW (revision 340186) @@ -0,0 +1,5 @@ +.\" $FreeBSD$ +Do not build all binaries with the +.Dv DF_BIND_NOW +flag set. +Run-time relocation processing will be performed on demand. Property changes on: head/tools/build/options/WITHOUT_BIND_NOW ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/tools/build/options/WITH_BIND_NOW =================================================================== --- head/tools/build/options/WITH_BIND_NOW (nonexistent) +++ head/tools/build/options/WITH_BIND_NOW (revision 340186) 
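Review bot: In bsd.prog.mk `-Wl,-znow` is appended before the `NO_SHARED` block adds `-static`, and without the `LDFLAGS:M-static` / `--oformat` test used by the `MK_DEBUG_FILES= no` line just above it, so statically linked and raw-format programs receive the flag too. That is presumably a no-op for them, but WITH_BIND_NOW is described as covering all binaries, and someone auditing hardening coverage from the link flags would count programs that have no lazy binding to begin with. A one-line comment such as `# presumably a no-op for -static and --oformat outputs` would make that explicit. Actually skipping the flag would need the check moved below the `NO_SHARED` block.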
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Build all binaries with the
+.Dv DF_BIND_NOW
+flag set to indicate that the run-time loader should perform all relocation
+processing at process startup rather than on demand.
Property changes on: head/tools/build/options/WITH_BIND_NOW
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+FreeBSD=%H
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property