We have now enabled PIE, RELRO, and BIND_NOW for the whole ports tree. This is a huge leap forward for HardenedBSD. We now have all of base compiled with PIE + RELRO + BIND_NOW, and now a good portion of ports as well. Most ports should work with PIE, RELRO, and BIND_NOW. In those cases where a port won't compile or run with PIE, check for NOPIE. In those cases where a port won't compile or run with RELRO + BIND_NOW, check for NORELRO. Please note that some ports ignore custom CFLAGS/CXXFLAGS/LDFLAGS and as such will not actually be built with PIE + RELRO + BIND_NOW even when these are enabled.
PIE and RELRO + BIND_NOW are disabled by default for ports that have either kmod or fortran USES flags. Kernel modules cannot be compiled with PIE, RELRO, and BIND_NOW. More research is needed for the fortran ports.
If PIE is disabled by default for a port, but the port maintainer wants to force PIE to be enabled by default, the port maintainer can set EXPLICIT_PIE. The same logic applies for RELRO + BIND_NOW, but with EXPLICIT_RELRO.
A follow-up commit has been made to explicitly disable PIE or RELRO + BIND_NOW for a number of ports. Out of roughly 26,000 ports, only around 400 failed to compile due to PIE or RELRO + BIND_NOW.
Given that there's over 26,100 ports in the tree, HardenedBSD will need to rely on its ever-growing community for runtime testing. Simply compiling an application does not mean that the application will run successfully. As an example, xorg will compile fine with RELRO + BIND_NOW, but due to how it integrates with modules during runtime, it will break. xorg still runs fine with PIE, however.
If you experience issues with a port or package, please file a bug report here.
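Because some ports silently ignore the CFLAGS/LDFLAGS that carry these options, it helps to verify a built binary rather than trust the build log. The following is an added example, not HardenedBSD tooling: a small checker that reads the ELF64 headers directly and reports PIE (ET_DYN), RELRO (a PT_GNU_RELRO segment) and BIND_NOW (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW in the dynamic section). The function name `check_hardening` and the little-endian ELF64 restriction are my assumptions; the constants come from the System V ELF ABI.

```python
"""Report PIE / RELRO / BIND_NOW for little-endian ELF64 files (added example)."""
import struct
import sys

ET_REL, ET_EXEC, ET_DYN = 1, 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Return {'type', 'pie', 'relro', 'bind_now', 'full_relro'} for an in-memory ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled by this example")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dynamic = False, None
    for i in range(e_phnum):  # walk the program headers
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True  # linker emitted the read-only-after-relocation segment
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    bind_now = False
    if dynamic:  # walk the dynamic section for any of the three BIND_NOW spellings
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    # ET_DYN is shared by PIE executables and shared libraries, so 'pie' here means
    # "position independent". Kernel modules are ET_REL, which is why kmod ports are excluded.
    return {"type": {ET_REL: "REL", ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, str(e_type)),
            "pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it as `python3 elfcheck.py /usr/local/bin/some-port-binary`; a port that honoured the flags shows `pie`, `relro` and `bind_now` all True, a port that ignored LDFLAGS typically shows `relro` or `bind_now` False.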