Diffstat (limited to 'linux/conf/pkgmk.conf.harden')
-rw-r--r-- | linux/conf/pkgmk.conf.harden | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/linux/conf/pkgmk.conf.harden b/linux/conf/pkgmk.conf.harden
new file mode 100644
index 0000000..3bf88b1
--- /dev/null
+++ b/linux/conf/pkgmk.conf.harden
@@ -0,0 +1,117 @@
+#
+# /etc/pkgmk.conf: pkgmk(8) configuration
+#
+# ONLY FOR x86 64 PROCESSORS
+CUSTOMVERSION=8
+
+W_CFLAGS="-Wall -Wextra -Wno-inline -Wundef -Wformat=2 -Wformat-security -Wformat-nonliteral -Wlogical-op -Wsign-compare -Wmissing-include-dirs -Wold-style-definition -Wpointer-arith -Winit-self -Wdeclaration-after-statement -Wfloat-equal -Wsuggest-attribute=noreturn -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wmissing-declarations -Wmissing-noreturn -Wshadow -Wendif-labels -Wstrict-aliasing=2 -Wwrite-strings -Wno-long-long -Wno-overlength-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Werror=overflow -Wdate-time -Wnested-externs"
+
+#-ffast-math -fno-common -fdiagnostics-show-option -fno-strict-aliasing -fvisibility=hidden -ffunction-sections -fdata-sections -ffat-lto-objects
+H_CFLAGS="-g -O1 -march=x86-64 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
+
+CFLAGS="${W_CFLAGS} ${H_CFLAGS} -fPIC -fPIE -pie"
+CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+CPPFLAGS="-O1 -Wp,-D_FORTIFY_SOURCE=2"
+#--as-needed -Wl,--no-undefined -Wl,--gc-sections -Wl
+LDFLAGS="-fPIC -fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+
+
+PIC_CFLAGS="${W_FLAGS} ${H_CFLAGS} -fPIC"
+PIC_CXXFLAGS="${PIC_CFLAGS} -D_FORTIFY_SOURCE=2"
+PIC_LDFLAGS="-fPIC -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+
+# local compile only
+export JOBS=$(nproc)
+export MAKEFLAGS="-j $JOBS"
+
+# ccache settings
+export PATH="/usr/lib/ccache/:$PATH"
+export CCACHE_DIR="/usr/ports/ccache"
+export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux"
+
+# compile using ccache and distcc
+export CCACHE_PREFIX="distcc"
+#export DISTCC_HOSTS="localhost/4 xborg/4 c11/2"
+export DISTCC_HOSTS="ports/4 localhost/2"
+
+## compile using distcc without ccache
+#export PATH="/usr/lib/distcc/:$PATH"
+#export PUMP_BUILD=yes
+
+# distcc settings
+export JOBS=$(/usr/bin/distcc -j 2> /dev/null)
+export DISTCC_DIR="/usr/ports/distcc"
+export MAKEFLAGS="-j ${JOBS}"
+export SCONSFLAGS="$MAKEFLAGS"
+
+case ${name} in
+
+ "keyutils")
+ export CFLAGS=" ${H_CFLAGS} -fPIC -fPIE -pie -g -O1 -march=x86-64 -pipe"
+ export CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+ ;;
+ "grub2")
+ export CFLAGS="${W_CFLAGS} -g -O1 -march=x86-64 -pipe"
+ export CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+ export LDFLAGS=""
+ ;;
+ "grub2-efi")
+ export CFLAGS="${W_CFLAGS} -g -O1 -march=x86-64 -pipe"
+ export CXXFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+ export LDFLAGS=""
+ ;;
+ "gcc")
+ export CFLAGS="-g -O2 -march=x86-64 -pipe -fPIC -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
+ export CXXFLAGS="${CFLAGS}"
+ export CPPFLAGS="${H_CPPFLAGS}"
+ export LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+ ;;
+ "glibc")
+ export CFLAGS="${CFLAGS} -fno-plt -fstack-check"
+ export CXXFLAGS="${CFLAGS}"
+ export CPPFLAGS="-O1"
+ export LDFLAGS=""
+ ;;
+ "libcap")
+ export CFLAGS="${PIC_CFLAGS}"
+ export CXXFLAGS="${PIC_CXXFLAGS}"
+ export LDFLAGS="${PIC_LDFLAGS}"
+ ;;
+ "mdadm")
+ export CFLAGS="${PIC_CFLAGS}"
+ export CXXFLAGS="${PIC_CXXFLAGS}"
+ export LDFLAGS="${PIC_LDFLAGS}"
+ ;;
+ "openssl")
+ export CFLAGS="${PIC_CFLAGS}"
+ export CXXFLAGS="${PIC_CXXFLAGS}"
+ export LDFLAGS="${PIC_LDFLAGS}"
+ ;;
+esac
+
+case ${PKGMK_ARCH} in
+ "64"|"")
+ ;;
+ *)
+ echo "Unknown architecture selected! Exiting."
+ exit 1
+ ;;
+esac
+
+#PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/)
+PKGMK_SOURCE_MIRRORS=(http://tribu.semdestino.org/mirror/distfiles/ http://tribu.semdestino.org/mirror/archive/distfiles/)
+PKGMK_SOURCE_DIR="/usr/ports/distfiles"
+PKGMK_PACKAGE_DIR="/usr/ports/packages"
+PKGMK_WORK_DIR="/usr/ports/work/$name"
+# PKGMK_DOWNLOAD="no"
+# PKGMK_IGNORE_FOOTPRINT="no"
+# PKGMK_IGNORE_NEW="no"
+# PKGMK_NO_STRIP="no"
+# PKGMK_DOWNLOAD_PROG="wget"
+# PKGMK_WGET_OPTS=""
+# PKGMK_CURL_OPTS=""
+# PKGMK_COMPRESSION_MODE="gz"
+#PKGMK_UP_TO_DATE=yes
+
+# End of file |
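Review bot: `PIC_CFLAGS="${W_FLAGS} ${H_CFLAGS} -fPIC"` expands a variable this file never defines (the warning set is named `W_CFLAGS`), so libcap, mdadm and openssl are built without the warning flags; it should read `PIC_CFLAGS="${W_CFLAGS} ${H_CFLAGS} -fPIC"`. The gcc arm has the same kind of slip in `export CPPFLAGS="${H_CPPFLAGS}"`: `H_CPPFLAGS` is not set anywhere in the hunk, so `-D_FORTIFY_SOURCE=2` is silently dropped for that port; if that is intended, `export CPPFLAGS=""` with a comment saying why would make it explicit. `export JOBS=$(/usr/bin/distcc -j 2> /dev/null)` leaves `JOBS` empty when distcc is missing or fails, which turns `MAKEFLAGS` into a bare `-j` (unbounded parallelism); `export JOBS=$(/usr/bin/distcc -j 2>/dev/null || nproc)` keeps a bound. The active `PKGMK_SOURCE_MIRRORS` entries are plain `http://` while both `https://` mirrors are commented out, so source integrity rests entirely on each port's checksum or signature check; a comment above that line stating this, or an HTTPS mirror, would make the trade-off visible. Similarly, `DISTCC_HOSTS="ports/4 localhost/2"` makes the remote host `ports` part of the trusted build path for a config that is meant to harden packages, which deserves a one-line comment next to the setting.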