Created attachment 256911 [details] Add new Features "zeroreg" and "stack_autoinit". stack_autoinit is like OPT_INIT_ALL=zero for src.conf (zeros uninitialized variables). zeroreg is the same as https://cgit.freebsd.org/src/commit/?id=2a44cccd404d94c273c78e279df3fdc5531d25a2
Created attachment 256912 [details] zeroreg feature add zeroreg file
Created attachment 256913 [details] stack_autoinit feature
Created attachment 256914 [details] do not use zeroregs with python ports
I have both running on a jail host with postgresql/mysql/postfix/dovecot/bind/unbound/adguard/nginx/php/java/...
I just noticed that for src I used ZEROREGS (committed) and for ports I used ZEROREG. For an approved commit I would use with S to be consistent with src.
Are you using "mailto:"? Other than this, looks ok to me.
Created attachment 258891 [details] Add new Features "fortify", "stack_autoinit" and "zeroregs"
Created attachment 258892 [details] fortify feature
Created attachment 258893 [details] do not use zeroregs with python ports
Created attachment 258894 [details] stack_autoinit feature
Created attachment 258895 [details] zeroregs feature
(In reply to Baptiste Daroussin from comment #6) Removed the mailto, renamed from zeroreg to zeroregs to match src as already commented, and added the fortify feature (also in use for a while in my local builds). Good to commit?
Is there a complete patch somewhere ?
Created attachment 260685 [details] all in one patch - contains all of the other attachments
(In reply to Mathieu Arnold from comment #13) Attachments 1+3 are small patches to add the features to the list and to mark the python ports zeroregs-unsafe. The other attachments are new files for the features directory. I added the "all in one patch" which contains all of the other attachments.
I have no idea what those three features do exactly. If possible, adding a few lines of comment explaining what they are would be great. By "what it does", I don't mean "add foo to CFLAGS" or "brush a thin coat of egg white on the crust" but more like "egg whites help the crust develop a deep gold colour". I know some features don't explain anything, and I would consider it a bug :-) Other than that, I trust bapt's judgement, looks ok to me too :-)
Created attachment 260687 [details] all in one patch Add descriptions of what it does instead of relying on knowledge of the basesystem features.
(In reply to Mathieu Arnold from comment #16) Description added to the two features which didn't have them.
Thank you, feel free to commit :-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7a489e95c51f47f5e25a5613e375ec000618e52a

commit 7a489e95c51f47f5e25a5613e375ec000618e52a
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2025-05-24 18:17:24 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2025-05-24 18:21:13 +0000

    Mk/Features: Add features for fortify, zeroregs and stack autoinit.

    Those 3 features for ports go along with the corresponding features from
    the basesystem (some only available in -current).

    The options you can put into make.conf for the ports collections are:

    WITH_FORTIFY=yes
        This enables mitigations of common memory safety issues, such as
        buffer overflows, by adding checks to functions like memcpy, strcpy,
        sprintf, and others when the compiler can determine the size of the
        destination buffer at compile time.

    WITH_STACK_AUTOINIT=yes
        This enables a compiler specific option to automatically initialize
        local (automatic) variables to prevent the use of uninitialized
        memory.

    WITH_ZEROREGS=yes
        Zero call-used registers at function return to increase program
        security by either mitigating Return-Oriented Programming (ROP)
        attacks or preventing information leakage through registers.
        This depends upon support from the compiler for a given architecture.
        This is disabled for python ports, currently there are issues.

    Approved by:    portmgr (mat)
    PR:             284270

 Mk/Features/fortify.mk (new)        | 18 ++++++++++++++++++
 Mk/Features/stack_autoinit.mk (new) | 23 +++++++++++++++++++++++
 Mk/Features/zeroregs.mk (new)       | 28 ++++++++++++++++++++++++++++
 Mk/Uses/python.mk                   |  2 ++
 Mk/bsd.port.mk                      |  3 ++-
 5 files changed, 73 insertions(+), 1 deletion(-)
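An illustration of the compile-time destination-size check that the WITH_FORTIFY description in the commit message refers to. This is an added example, not part of the commit and not FreeBSD's fortify implementation; `copy_checked`, `FORTIFIED_COPY`, `struct record` and the sample data are hypothetical, and a GCC or Clang compiler providing `__builtin_object_size` is assumed.

```c
#include <stddef.h>
#include <string.h>

enum { COPY_OK = 0, COPY_REJECTED = -1 };

/* Hypothetical stand-in for a fortified memcpy: dst_size is what the
 * compiler reported, or (size_t)-1 when it could not tell. */
static int copy_checked(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst_size != (size_t)-1 && n > dst_size)
        return COPY_REJECTED;   /* a fortified libc aborts the process here */
    memcpy(dst, src, n);
    return COPY_OK;
}

/* A macro, so the builtin sees the caller's destination expression.
 * Mode 1 asks for the size of the closest enclosing subobject. */
#define FORTIFIED_COPY(dst, src, n) \
    copy_checked((dst), __builtin_object_size((dst), 1), (src), (n))

/* Constructed sample data. The pad member keeps the demo memory-safe even
 * on a compiler that cannot resolve the size of name. */
struct record { char name[8]; char pad[24]; };
static const char sample[16] = "0123456789abcde";

int copy_fits(void)             /* 8 bytes into name[8]: allowed */
{
    struct record r;
    return FORTIFIED_COPY(r.name, sample, sizeof r.name);
}

int copy_overflows(void)        /* 16 bytes into name[8]: caught */
{
    struct record r;
    return FORTIFIED_COPY(r.name, sample, sizeof sample);
}

/* The destination arrives as a bare pointer, so its size is not known in
 * this function and there is nothing to compare n against. n is kept in
 * bounds here so the demo stays safe. */
__attribute__((noinline)) static int copy_via_pointer(char *p, size_t n)
{
    return FORTIFIED_COPY(p, sample, n);
}

int copy_unknown_size(void)
{
    struct record r;
    return copy_via_pointer(r.name, 4);
}
```

The third case is the limit stated in the commit message: the check only applies where the compiler can determine the destination size.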