Mk/Features: Add features for fortify, zeroregs and stack autoinit.

Those 3 features for ports go along with the cooresponding features from
the basesystem (some only availabe in -current).

The options you can put into make.conf for the ports collections are:

WITH_FORTIFY=yes
    This enables mitigations of common memory safety issues, such as buffer
    overflows, by adding checks to functions like memcpy, strcpy, sprintf,
    and others when the compiler can determine the size of the destination
    buffer at compile time.

WITH_STACK_AUTOINIT=yes
    This enables a compiler specific option to automatically initialize
    local (automatic) variables to prevent the use of uninitialized memory.

WITH_ZEROREGS=yes
    Zero call-used registers at function return to increase program
    security by either mitigating Return-Oriented Programming (ROP)
    attacks or preventing information leakage through registers.
    This depends upon support from the compiler for a given architecture.
    This is disabled for python ports, currently there are issues.

Approved by:	portmgr (mat)
PR:		284270

1 files changed, 18 insertions, 0 deletions

diff --git a/Mk/Features/fortify.mk b/Mk/Features/fortify.mk
new file mode 100644
index 000000000000..2e43ca98242f
--- /dev/null
+++ b/Mk/Features/fortify.mk
@@ -0,0 +1,18 @@
+# This enables mitigations of common memory safety issues, such as buffer
+# overflows, by adding checks to functions like memcpy, strcpy, sprintf,
+# and others when the compiler can determine the size of the destination
+# buffer at compile time.
+#
+# Depends opon the FORTIFY_SOURCE implementation in the basesystem.
+
+.if !defined(_FORTIFY_MK_INCLUDED)
+_FORTIFY_MK_INCLUDED=	yes
+FORTIFY_Include_MAINTAINER=	netchild@FreeBSD.org
+
+.  if !defined(FORTIFY_UNSAFE)
+FORTIFY_SOURCE?=2
+FORTIFY_CFLAGS?=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+CFLAGS+=	${FORTIFY_CFLAGS}
+CXXFLAGS+=	${FORTIFY_CFLAGS}
+.  endif
+.endif