Add hardening flags to the pkgmk configuration and change the specific ports that don't build with them. For more information, see arch security, gentoo security, gcc instrumentation-options and glibc configuring and compiling. Edit /etc/pkgmk.conf:
export CPPFLAGS="-D_FORTIFY_SOURCE=2"
export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS="-z relro"
The flags above should compile most packages; for more restrictive settings and other flag combinations, check pkgmk.conf.handen.
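To confirm that rebuilt packages actually carry these flags, the following added example (not part of the Tribu documentation) classifies RELRO, stack-protector and FORTIFY status from readelf output. The function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ELF hardening from readelf output read on stdin,
# so the parsers can be exercised without a toolchain installed.

# Input: `readelf -lW -dW FILE`. "-z relro" alone gives partial RELRO;
# full RELRO also needs "-z now" (visible as BIND_NOW or FLAGS_1 NOW).
relro_status() {
    awk '/GNU_RELRO/ { relro = 1 }
         /BIND_NOW/ || /FLAGS_1.* NOW/ { now = 1 }
         END { if (!relro) print "none"
               else if (now) print "full"
               else print "partial" }'
}

# Input: `readelf -W --dyn-syms FILE`. -fstack-protector-strong imports
# __stack_chk_fail; _FORTIFY_SOURCE=2 swaps libc calls for *_chk variants.
# "no" can also mean the binary has nothing that needs either check.
symbol_status() {
    awk 'BEGIN { canary = "no"; fortify = "no" }
         /__stack_chk_fail/ { canary = "yes" }
         /__[a-z0-9_]+_chk@/ || /__[a-z0-9_]+_chk$/ { fortify = "yes" }
         END { print "canary=" canary " fortify=" fortify }'
}

# Hypothetical wrapper; requires binutils readelf on the audited system.
audit_binary() {
    printf '%s: relro=%s %s\n' "$1" \
        "$(readelf -lW -dW "$1" | relro_status)" \
        "$(readelf -W --dyn-syms "$1" | symbol_status)"
}

# Constructed sample input, shaped like readelf output for a binary
# linked with the page's LDFLAGS="-z relro" (no "-z now").
SAMPLE_HDRS='  GNU_STACK      0x000000 0x0000000000000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 R   0x1
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]'
SAMPLE_SYMS='  3: 0000000000000000  0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (2)
  4: 0000000000000000  0 FUNC GLOBAL DEFAULT UND __memcpy_chk@GLIBC_2.3.4 (3)
  5: 0000000000000000  0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (4)'

# Audit every path given on the command line, e.g. after a rebuild.
for f in "$@"; do audit_binary "$f"; done
```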
Ports in the core collection that need to be changed in order to build with the hardened pkgmk configuration:
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
../$name-${version:0:4}/configure --prefix=/usr \
    --libexecdir=/usr/lib \
    --with-headers=$PKG/usr/include \
    --enable-kernel=3.12 \
    --enable-add-ons \
    --enable-static-nss \
    --disable-profile \
    --disable-werror \
    --without-gd \
    --enable-obsolete-rpc \
    --enable-multi-arch \
    --enable-stackguard-randomization \
    --enable-stack-protector=strong
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
Replace openssl with libressl; check whether the libressl port from 6c37-dropin is up to date with the latest upstream libressl. First install libressl to ensure it gets all the sources:
$ sudo prt-get depinst libressl
After it complains about openssl files, remove openssl:
$ sudo prt-get remove openssl
$ sudo prt-get depinst libressl
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
This is part of the Tribu System Documentation. Copyright (C) 2020 Tribu Team. See the file Gnu Free Documentation License for copying conditions.