From 65167272a3ba52dc4d032a1c60a9ff030408047d Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Wed, 2 Aug 2017 01:01:58 +0100
Subject: first hardened test
---
 core/conf/pkgmk.conf | 9 ++++++---
 core/conf/prt-get.conf | 19 +++++++++----------
 core/conf/sysctl.conf | 2 +-
 3 files changed, 16 insertions(+), 14 deletions(-)
(limited to 'core/conf')
diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
index 4ef372e..6949fa7 100644
--- a/core/conf/pkgmk.conf
+++ b/core/conf/pkgmk.conf
@@ -2,9 +2,10 @@
 # /etc/pkgmk.conf: pkgmk(8) configuration
 #
-export CFLAGS="-O2 -march=native -mtune=native"
+export CPPFLAGS="-D_FORTIFY_SOURCE=2"
+export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
 export CXXFLAGS="${CFLAGS}"
-
+export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
 export MAKEFLAGS="-j4"
 case ${PKGMK_ARCH} in
@@ -22,7 +23,9 @@ case ${PKGMK_ARCH} in
 ;;
 esac
-#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
+PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)
 PKGMK_SOURCE_DIR="/usr/ports/distfiles"
 PKGMK_PACKAGE_DIR="/usr/ports/packages"
 PKGMK_WORK_DIR="/usr/ports/work/$name"
diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
index 0504d3e..e210ca8 100644
--- a/core/conf/prt-get.conf
+++ b/core/conf/prt-get.conf
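Review bot: In core/conf/pkgmk.conf, hunk `@@ -2,9 +2,10 @@`, the new `CFLAGS` carries both `-fPIC` and `-fPIE` and `LDFLAGS` adds `-fPIE -pie` for every port; with GCC the later `-fPIE` takes effect, so objects meant for shared libraries are compiled as executable-only position-independent code and, depending on the toolchain, `-pie` can clash with `-shared` at link time. I would not set both globally, and would enable PIE through the toolchain default or per port rather than through the global `LDFLAGS`. `--param=ssp-buffer-size=4` should add nothing next to `-fstack-protector-strong`, and GCC documents `-fstack-check` as a stack-probing aid rather than a hardening guarantee, so neither should be relied on as protection. Ports that ignore `CPPFLAGS` will silently build without `_FORTIFY_SOURCE`; a comment such as `# verify with readelf -h/-d on built binaries (DYN, BIND_NOW, GNU_RELRO)` would record how the result is checked.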
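Review bot: In core/conf/pkgmk.conf, hunk `@@ -22,7 +23,9 @@`, the newly enabled `PKGMK_SOURCE_MIRRORS` entry uses HTTPS, which protects the transfer but not the content the mirror serves, so source integrity still rests on the port's checksum or signature being enforced. The hunk does not show whether those checks are enabled or ignored elsewhere in the file, so I would state the dependency next to the setting, for example `# mirror content is trusted only through the port's checksum/signature; do not build with those checks ignored`. The two commented alternatives are third-party hosts and deserve a one-line comment saying who operates them and why they are listed.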
@@ -5,20 +5,19 @@
 # note: the order matters: the package found first is used
 prtdir /usr/ports/core
 prtdir /usr/ports/opt
+prtdir /usr/ports/contrib
+prtdir /usr/ports/c9-ports
 prtdir /usr/ports/xorg
+# 6c37 team provides a collection with freetype-iu, fontconfig-iu
+# and cairo-iu ports.
+
 # the following line enables the multilib compat-32 collection
 #prtdir /usr/ports/compat-32
 # the following line enables the user maintained contrib collection
-prtdir /usr/ports/contrib
-
-# ports described on this documentation
-#prtdir /usr/ports/c9-ports
-
-# 6c37 team provides a collection with freetype-iu, fontconfig-iu
-# and cairo-iu ports.
-#prtdir /usr/ports/6c37
+prtdir /usr/ports/6c37-dropin
+prtdir /usr/ports/6c37
 ### use mypackage form local directory
 # prtdir /home/packages/build:mypackage
@@ -38,7 +37,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log
 readme verbose # (verbose|compact|disabled)
 ### prefer higher versions in sysup / diff
-#preferhigher yes # (yes|no)
+preferhigher no # (yes|no)
 ### use regexp search
 # useregex no # (yes|no)
@@ -51,7 +50,7 @@ runscripts yes # (no|yes)
 ### EXPERT SECTION ###
 ### alternative commands
-makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
+makecommand sudo -H -u pkgmk -g users fakeroot pkgmk
 addcommand sudo pkgadd
 removecommand sudo pkgrm
 runscriptcommand sudo sh
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index c421e59..4606791 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -374,7 +374,7 @@ kernel.grsecurity.tpe_gid = 100
 # users on the system. If the sysctl option is enabled, a sysctl option
 # with name "tpe_invert" is created. Unlike other sysctl options, this
 # entry will default to on for backward-compatibility.
-kernel.grsecurity.tpe_invert = 1
+kernel.grsecurity.tpe_invert = 0
 # If you say Y here, all non-root users will be covered under
 # a weaker TPE restriction. This is separate from, and in addition to,
-- 
cgit 1.4.1-2-gfad0
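Review bot: In core/conf/prt-get.conf, hunk `@@ -5,20 +5,19 @@`, the reorder puts the user-maintained `contrib` and `c9-ports` collections ahead of `xorg`, and by the file's own rule ("the package found first is used") a same-named port in either of them now shadows the official xorg port. If that precedence is not intended, keep `prtdir /usr/ports/xorg` directly after `prtdir /usr/ports/opt`. The comments no longer describe the lines under them: `# the following line enables the user maintained contrib collection` now sits above the `6c37-dropin` and `6c37` entries, and the `# 6c37 team provides …` text ended up above the compat-32 block. `6c37-dropin` is listed last, so if it is meant to replace ports from earlier collections, as its name suggests, it would never be selected.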
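Review bot: In core/conf/prt-get.conf, hunk `@@ -51,7 +50,7 @@`, `makecommand` now runs the build as user `pkgmk` with primary group `users` instead of the dedicated `pkgmk` group, which gives up part of the isolation the dedicated account provided. Port build steps are shell code, so they gain whatever access the shared `users` group has, and build output becomes group-owned by it. If the aim is to let ordinary users read build products, granting that on the output directory is narrower than changing the group the build runs with. At minimum the line should carry a comment such as `# -g users: required for REASON; build runs with the shared users group`.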
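Review bot: In core/conf/sysctl.conf, hunk `@@ -374,7 +374,7 @@`, setting `kernel.grsecurity.tpe_invert = 0` reverses what `tpe_gid = 100` (visible in the hunk header) means: as I read the grsecurity option text, with invert on that group is exempt from Trusted Path Execution and all other users are restricted, while with invert off only that group is restricted. For a commit described as hardening this looks like a reduction in coverage, unless the weaker restriction for all non-root users mentioned in the trailing context is enabled, which lies outside the hunk. It also interacts with the prt-get.conf change to `-g users`: if gid 100 is `users` on this system (not shown), package builds would now run inside the restricted group. A comment above the line, for example `# invert off: gid 100 is the UNTRUSTED group; other users rely on tpe_restrict_all`, would make the intent reviewable.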