Add hardening flags to the pkgmk configuration and change the specific ports that don't build with them. For more information, see Arch security, Gentoo security, GCC instrumentation-options and glibc configuring and compiling. Edit /etc/pkgmk.conf:
export CPPFLAGS="-D_FORTIFY_SOURCE=2"
export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS="-z relro"
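To confirm that a port built with this configuration actually picked the flags up, the following added example (not part of the Hive documentation) inspects readelf output for the traces each flag leaves. The function names and the sample readelf excerpts are constructed for illustration, and binutils readelf and awk are assumed to be installed.

```shell
# Added example: reads `readelf -W -l --dyn-syms FILE` output on stdin and
# reports which pkgmk.conf hardening flags left a trace in the binary.
check_hardening() {
    awk '
        $1 == "GNU_RELRO" { relro = 1 }        # segment created by -z relro
        $7 == "UND" {                          # imported dynamic symbol
            name = $8; sub(/@.*/, "", name)    # drop the @GLIBC_x.y suffix
            if (name == "__stack_chk_fail") canary = 1    # -fstack-protector-strong
            else if (name ~ /^__.*_chk$/) fortify = 1     # -D_FORTIFY_SOURCE=2
        }
        END {
            print "relro="   (relro   ? "yes" : "no")
            print "canary="  (canary  ? "yes" : "no")
            print "fortify=" (fortify ? "yes" : "no")
        }'
}

# Constructed readelf excerpt: binary showing all three features.
sample_hardened() {
    cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (4)
EOF
}

# Constructed readelf excerpt: binary showing none of them.
sample_plain() {
    cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (3)
EOF
}

# Real use: pass built binaries as arguments (assumes binutils readelf).
for f in "$@"; do
    printf '%s: ' "$f"
    readelf -W -l --dyn-syms "$f" | check_hardening | tr '\n' ' '
    echo
done
```

A "no" for canary or fortify is not proof that the flag was dropped: a binary with no protected functions, or one that calls no fortifiable libc functions, imports neither symbol, and statically linked binaries have no dynamic symbols to inspect.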
Ports in the core collection that need to be changed in order to build with the hardened pkgmk configuration:
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""

../$name-${version:0:4}/configure --prefix=/usr \
    --libexecdir=/usr/lib \
    --with-headers=$PKG/usr/include \
    --enable-kernel=3.12 \
    --enable-add-ons \
    --enable-static-nss \
    --disable-profile \
    --disable-werror \
    --without-gd \
    --enable-obsolete-rpc \
    --enable-multi-arch \
    --enable-stackguard-randomization \
    --enable-stack-protector=strong

export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
Replace openssl with libressl. Check whether the libressl port from 6c37-dropin is up to date with the latest libressl upstream. First install libressl to ensure it gets all the sources:
$ sudo prt-get depinst libressl
After it complains about openssl files, remove openssl:
$ sudo prt-get remove openssl
$ sudo prt-get depinst libressl

export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
This is part of the Hive System Documentation. Copyright (C) 2018 Hive Team. See the file Gnu Free Documentation License for copying conditions.