diff --git a/Mk/Features/bind_now.mk b/Mk/Features/bind_now.mk
index 99361c487265..5f4b6abf3718 100644
--- a/Mk/Features/bind_now.mk
+++ b/Mk/Features/bind_now.mk
@@ -1,10 +1,15 @@
 # BIND_NOW Support
+#
+# When generating an executable or shared library, mark it to tell the dynamic
+# linker to resolve all symbols when the program is started, or when the shared
+# library is loaded by dlopen, instead of deferring function call resolution to
+# the point when the function is first called.
 .if !defined(_BIND_NOW_MK_INCLUDED)
 _BIND_NOW_MK_INCLUDED= yes
 BIND_NOW_Include_MAINTAINER= portmgr@FreeBSD.org
 . if !defined(BIND_NOW_UNSAFE)
 LDFLAGS+= -Wl,-znow
 . endif
 .endif
diff --git a/Mk/Features/pie.mk b/Mk/Features/pie.mk
index 06174b403c31..7ecefa9eb611 100644
--- a/Mk/Features/pie.mk
+++ b/Mk/Features/pie.mk
@@ -1,19 +1,28 @@
 # PIE Support
+#
+# Produce a Position-Independent Executable (PIE) instead of a “normal”
+# fixed‐address ELF.
+# A PIE is an executable whose code sections are compiled and linked so that,
+# at runtime, they can be loaded at any base address in memory.
+#
+# Because it can be loaded at unpredictable addresses, PIE enables full Address
+# Space Layout Randomization (ASLR) for your main executable—making certain
+# classes of memory‐corruption exploits much harder.
 .if !defined(_PIE_MK_INCLUDED)
 _PIE_MK_INCLUDED= yes
 PIE_Include_MAINTAINER= portmgr@FreeBSD.org
 . if !defined(PIE_UNSAFE)
 . if defined(_INCLUDE_USES_CMAKE_MK)
 CMAKE_ARGS+= -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true
 . else
 PIE_CFLAGS?= -fPIE -fPIC
 CFLAGS+= ${PIE_CFLAGS}
 CXXFLAGS+= ${PIE_CFLAGS}
 LDFLAGS+= -pie
 STATIC_PIE_ARGS+= -static-pie
 . endif
 . endif
 .endif
diff --git a/Mk/Features/relro.mk b/Mk/Features/relro.mk
index 6ceb68d5d668..8074ce09edd7 100644
--- a/Mk/Features/relro.mk
+++ b/Mk/Features/relro.mk
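Review bot: The new bind_now.mk header describes what `-Wl,-znow` does mechanically but never says why it is a hardening feature, which is the point of a file under Mk/Features: eager binding is what allows the whole GOT to be mapped read-only (full RELRO, together with the `-zrelro` added in relro.mk on this same page), and it also turns an unresolvable symbol into a load-time failure instead of a crash at first call. Suggest appending `# Resolving everything up front lets the GOT be made read-only (full RELRO, see relro.mk)` and `# and surfaces missing symbols at load time rather than on first use.` after the last added line. The trade-off (longer program start / dlopen time) and the `BIND_NOW_UNSAFE` opt-out that the visible `. if !defined(BIND_NOW_UNSAFE)` implements are likewise undocumented; one line on each would make the header complete.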
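Review bot: The pie.mk header uses non-ASCII characters — a U+2010 hyphen in "fixed‐address" and "memory‐corruption", curly quotes around "normal", and an em dash before "making" — while the bind_now.mk and relro.mk headers in the same commit are plain ASCII; please use `-`, `"` and `--` so the file stays consistent and greppable. The header also promises "full ASLR" for both branches, but the CMake branch only passes `-DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=true`, which as far as I know adds `-fPIE` at compile time and does not by itself add `-pie` at link time unless the project opts into CMake policy CMP0083 — a one-line caveat on that branch, e.g. `# CMake adds -fPIE; the -pie link flag depends on the project honouring CMP0083`, would keep the comment honest. The `PIE_UNSAFE` opt-out on the visible `. if !defined(PIE_UNSAFE)` line is also undocumented.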
@@ -1,10 +1,15 @@
 # RELRO Support
+#
+# Tells the linker to emit RELocation Read-Only (RELRO) protection for certain
+# sections of your ELF file. In short, it makes parts of the binary read-only
+# after relocations have been applied at program startup, helping to prevent
+# GOT- and PLT-based overwrite attacks.
 .if !defined(_RELRO_MK_INCLUDED)
 _RELRO_MK_INCLUDED= yes
 RELRO_Include_MAINTAINER= portmgr@FreeBSD.org
 . if !defined(RELRO_UNSAFE)
 LDFLAGS+= -Wl,-zrelro
 . endif
 .endif
diff --git a/Mk/Features/ssp.mk b/Mk/Features/ssp.mk
index 4213e6d668a6..631104da9f6c 100644
--- a/Mk/Features/ssp.mk
+++ b/Mk/Features/ssp.mk
@@ -1,14 +1,22 @@
 # SSP Support
+#
+# The -fstack-protector-strong flag enables “stack smashing” protection on a
+# wider set of functions than the default -fstack-protector, but without the
+# full performance cost of -fstack-protector-all. Under the hood it inserts a
+# small “canary” value on the stack just before the saved return address; at
+# function exit it checks that the canary hasn’t been overwritten by a buffer
+# overflow. If it has been clobbered, the runtime aborts the program rather
+# than returning into corrupted code.
 .if !defined(_SSP_MK_INCLUDED)
 _SSP_MK_INCLUDED= yes
 SSP_Include_MAINTAINER= portmgr@FreeBSD.org
 . if !defined(SSP_UNSAFE) && \
 (! ${ARCH:Mmips*})
 # Overridable as a user may want to use -fstack-protector-all
 SSP_CFLAGS?= -fstack-protector-strong
 CFLAGS+= ${SSP_CFLAGS}
 LDFLAGS+= ${SSP_CFLAGS}
 . endif
 .endif
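Review bot: The relro.mk header overstates what `-Wl,-zrelro` alone provides: on its own this is partial RELRO, which makes `.dynamic` and the non-PLT part of the GOT read-only but leaves `.got.plt` writable because lazy binding still has to patch it, so "PLT-based overwrite attacks" are not prevented by this file by itself. Full RELRO needs `-z now` as well, which is exactly what bind_now.mk on this page adds, so the comment should point there rather than claim PLT protection. Suggest replacing the last added sentence with `# helping to prevent GOT overwrite attacks. On its own this is "partial" RELRO:` followed by `# the PLT's GOT slots stay writable unless BIND_NOW (-z now) is enabled too.`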
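Review bot: The ssp.mk header documents the mechanism but leaves the one genuinely non-obvious line in the file, `(! ${ARCH:Mmips*})`, without a why-comment; the reason MIPS is excluded is not recoverable from this diff, so whoever knows it should add a one-liner there rather than leave readers to guess. Two wording fixes in the added text: the canary is placed between the local buffers and the saved frame pointer/return address (not "just before the saved return address"), and on mismatch the program aborts rather than "returning into corrupted code" — `# rather than returning to an attacker-controlled address` is the accurate phrasing. It would also help to state that `-fstack-protector-strong` instruments only functions the heuristic selects (local arrays, address-taken locals), so it is not a complete defence against every stack overflow, and that `SSP_UNSAFE` is the per-port opt-out.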