On 2016-08-07 22:20, Christian Weisgerber wrote:
OpenBSD is increasingly mandating W^X. What does that mean? Memory
can either be mapped writable, or it can be executable, but not
both (Write xor eXecute). This is a security concern. Without
W^X, an attacker can load their own code into memory and then execute
it. W^X protects against this.
Now, obviously getting rid of W^X violations has to be the end goal,
but that will take time and effort. In the meantime, offenders
*MUST* be marked wxneeded. This is done by linking the executable
with "ld -z wxneeded". When linking is performed through cc, which
is the usual case, you add "-Wl,-z,wxneeded" to the linking command
line. That's it.
We can draw up a list of affected ports, but it isn't exactly hard
to notice. Some ports already need wxneeded to build. Presumably
there are a few others where it will only show up at run time.
Hello,
Is that the work needed for each port reported by a W^X violation?
mongo(68997): mmap W^X violation
Index: Makefile
===================================================================
RCS file: /cvs/ports/databases/mongodb/Makefile,v
retrieving revision 1.22
diff -u -p -r1.22 Makefile
--- Makefile 20 Jun 2016 09:07:43 -0000 1.22
+++ Makefile 8 Aug 2016 14:25:29 -0000
@@ -40,7 +40,7 @@ MODSCONS_ENV = CC="${CC}" \
CXX="${CXX}" \
CCFLAGS="${CFLAGS} -DBOOST_NO_USER_CONFIG" \
CXXFLAGS="${CXXFLAGS}" \
- LINKFLAGS="${LDFLAGS}" \
+ LINKFLAGS="${LDFLAGS} -z wxneeded" \
CPPPATH="${LOCALBASE}/include" \
LIBPATH="${LOCALBASE}/lib"
MODSCONS_FLAGS += --prefix="${PREFIX}" \
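Review bot: the added LINKFLAGS line passes `-z wxneeded` bare, but the quoted instructions say that when linking is performed through cc the form to use is `-Wl,-z,wxneeded`. This environment hands CC and CXX to the build, so the link step most likely goes through the compiler driver, and I would write LINKFLAGS="${LDFLAGS} -Wl,-z,wxneeded" instead. The flag also applies to every executable the port links, while the only violation shown is from mongo, so consider restricting it to the binaries that actually trip W^X. A short Makefile comment saying why wxneeded is set would make it easier to drop once the violation itself is fixed.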
Kind regards