USE_SSP= / ProPolice

SSP is the default (in -STABLE, at least) in building the FreeBSD source tree (see WITHOUT_SSP in src.conf(5)), but I don't know whether it extends to port builds as well. There's no mention of it in make.conf(5) or anything under /usr/ports/Mk.

http://ivoras.sharanet.org/freebsd/freebsd8.html mentions:
ProPolice SSP (stack-smashing protection)

Status: Committed to -CURRENT
Will appear in 8.0: sure
Author: Jeremie Le Hen

ProPolice helps prevent exploits that use stack-based buffer overflows by setting a random integer (called the "canary") in the stack right before the return address. It is set in the function's prologue and verified during the epilogue; if it has changed, then a buffer overflow has occurred and the program commits suicide by killing itself with SIGABRT (or panic() in case it's the kernel). Both userland and kernel may be protected.

No separate mention of port builds though.
 
Well, all that's left is to contact Jeremie to see where this stands, I guess.
 