HardenedBSD Services pushed to branch hardened/current/cross-dso-cfi at HardenedBSD / HardenedBSD
Commits:
faeaa25f by Warner Losh at 2025-12-28T01:16:39-07:00
kernel: MK_REPRODUCIBLE_PATHS for full paths vs /usr/src
There are many environments in which you do not want the paths to be
canonicalized. For example, if I always build a product from a specific
path in a jail that's dependent on the product version, I don't want
that to be sanitized to /usr/src because when I have profiling tools run
against multiple kernels, I can't do A/B testing and results processing
if everything points to /usr/src (sadly, the profiling tools cannot
remap back to the original like gdb can). Since we need both active at
the same time, symbolic link fallbacks don't work.
We do want the rest of the build to be reproducible, however. We'll get
the same binaries if we rebuild later since we always rebuild with the
same path.
Turn them both on for maximum reproduction for environments where that
cannot be guaranteed.
Sponsored by: Netflix
Input from: emaste, ivy
Differential Revision: https://reviews.freebsd.org/D52959
- - - - -
c910c7a3 by Ed Maste at 2025-12-28T10:53:45-05:00
vt: Remove .fnt.uu from Makefile SUFFIXES
The uudecode make rule was removed years ago.
Fixes: 68510f3bac15 ("Remove uudecode make rule for vt fonts")
- - - - -
176075e6 by Zhenlei Huang at 2025-12-28T23:57:51+08:00
locking.9: Tweak the table column width to fit 80 characters
While here, add some whitespace to improve the readability of the source
code.
Reviewed by: ziaee, #manpages
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54121
- - - - -
a7b8a5d3 by Eugene Grosbein at 2025-12-29T00:05:22+07:00
ipfw.8: fix documentation bug for setmark
A mark set with the "setmark" keyword is intended to be "sticky"
and is documented as such, but in fact it is not yet,
as the current implementation lacks the "sticky" feature
and its implementation will most probably not be MFC'd.
Correct the manual page until the implementation is improved.
MFC after: 3 days
Discussed with: Boris Lytochkin <lytb...@gmail.com> (author)
- - - - -
9fdf49e8 by Eugene Grosbein at 2025-12-29T00:19:35+07:00
ipfw.8: fix misprint after previous change
rulese -> ruleset
MFC after: 3 days
X-MFC-with: a7b8a5d37bcb0009297962137bfb6c6570e5af12
- - - - -
b67a7c06 by Warner Losh at 2025-12-28T10:32:05-07:00
scsi: Make all da error messages greppable
Don't split the error messages across lines. We used to do that ages
ago, but have relaxed style(9) to encourage the opposite so all error
messages can be grepped. This constantly slows me down when I'm helping
others find issues, so start here by splitting according to normal
style(9) rules with a relaxed line length of 90.
Sponsored by: Netflix
- - - - -
e5104711 by Eugene Grosbein at 2025-12-29T00:47:39+07:00
ipfw.8: document how to delete nat configuration instance
MFC after: 3 days
- - - - -
3cd0bcc5 by Shawn Webb at 2025-12-28T10:59:44-07:00
HBSD: Some pkgbase related changes
Signed-off-by: Shawn Webb <shawn...@hardenedbsd.org>
- - - - -
2d1e8797 by Shawn Webb at 2025-12-28T11:00:04-07:00
Merge remote-tracking branch 'internal/freebsd/current/main' into hardened/current/master
Conflicts:
share/man/man5/src.conf.5 (unresolved)
share/mk/src.opts.mk (unresolved)
- - - - -
e561e15d by Shawn Webb at 2025-12-28T11:00:32-07:00
HBSD: Resolve merge conflict for share/mk/src.opts.mk
Signed-off-by: Shawn Webb <shawn...@hardenedbsd.org>
- - - - -
fb18070c by Shawn Webb at 2025-12-28T11:11:38-07:00
HBSD: Regen src.conf.5.
Signed-off-by: Shawn Webb <shawn...@hardenedbsd.org>
- - - - -
307d36df by HardenedBSD Sync Services at 2025-12-28T12:01:33-07:00
Merge branch 'freebsd/current/main' into hardened/current/master
- - - - -
0a7a5491 by HardenedBSD Sync Services at 2025-12-28T12:01:45-07:00
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
- - - - -
14 changed files:
- release/Makefile
- sbin/ipfw/ipfw.8
- share/man/man5/src.conf.5
- share/man/man9/locking.9
- share/mk/bsd.debug.mk
- share/mk/src.opts.mk
- share/vt/fonts/Makefile
- sys/cam/scsi/scsi_da.c
- sys/conf/kern.opts.mk
- sys/conf/kern.post.mk
- sys/conf/kmod.mk
- + tools/build/options/WITH_REPRODUCIBLE_PATHS
- usr.sbin/bsdinstall/Makefile
- usr.sbin/bsdinstall/scripts/pkgbase.in
Changes:
=====================================
release/Makefile
=====================================
@@ -266,7 +266,6 @@ disc1:
echo "./usr/freebsd-dist/$${dist} type=file uname=root gname=wheel mode=0644" >> ${.TARGET}/METALOG; \
done
.endif
-.endif
.if ${.MAKE.OS} == "FreeBSD" && (!defined(NOPKG) || empty(NOPKG))
# Install packages onto release media.
.if !defined(NOPKGBASE) || empty(NOPKGBASE)
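Review bot: the removed `.endif` has no matching `.if` removed in this hunk, so the conditional nesting around the pkgbase install block changes; confirm that the surrounding `.if`/`.endif` pairs still balance after the removal (an unmatched `.endif` is a make error, and a shifted one silently puts the `NOPKG` block under a different condition), and say in the commit message why this `.endif` was wrong, since "Some pkgbase related changes" does not.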
=====================================
sbin/ipfw/ipfw.8
=====================================
@@ -1,5 +1,5 @@
.\"
-.Dd December 10, 2025
+.Dd December 29, 2025
.Dt IPFW 8
.Os
.Sh NAME
@@ -104,6 +104,11 @@ in-kernel NAT.\&
.Cm config
.Ar config-options
.Nm
+.Op Fl q
+.Cm nat
+.Ar number
+.Cm delete
+.Nm
.Cm nat
.Ar number
.Cm show
@@ -839,8 +844,12 @@ When a packet matches a rule with the
.Cm setmark
keyword, a 32-bit numeric mark is assigned to the packet.
The mark is an extension to the tags.
-As tags, mark is "sticky" so the value is kept the same within the kernel and
-is lost when the packet leaves the kernel.
+The mark is preserved for a packet within a single ipfw ruleset traversal
+and is lost when the packet is checked against the active ruleset
+next time (see
+.Sx PACKET FLOW
+section) or leaves ipfw context (e.g. accepted,
+diverted, bridged or routed).
Unlike tags, mark can be matched as a lookup table key or compared with bitwise
mask applied against another value.
Each packet can have only one mark, so
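Review bot: wording in the replacement text: "is lost when the packet is checked against the active ruleset next time" reads more naturally as "is lost the next time the packet is checked against the active ruleset", and "(e.g. accepted, diverted, bridged or routed)" should follow mdoc convention and spell out what leaves the ipfw context: the packet being accepted, diverted, bridged or routed.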
@@ -3507,6 +3516,15 @@ For more information about aliasing modes, refer to
See Section
.Sx EXAMPLES
for some examples of nat usage.
+.Pp
+To delete specific nat configuration instance, use the following command:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat
+.Ar nat_number
+.Cm delete
+.Ek
+.Ed
.Ss REDIRECT AND LSNAT SUPPORT IN IPFW
Redirect and LSNAT support follow closely the syntax used in
.Xr natd 8 .
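Review bot: the argument name differs between the synopsis hunk above (`.Ar number`) and this description (`.Ar nat_number`); use one name in both places so the reader can match them. The sentence also needs an article: "To delete a specific nat configuration instance, use the following command:".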
=====================================
share/man/man5/src.conf.5
=====================================
@@ -1,5 +1,5 @@
.\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
-.Dd December 15, 2025
+.Dd December 28, 2025
.Dt SRC.CONF 5
.Os
.Sh NAME
@@ -1571,6 +1571,13 @@ option.
Exclude build metadata (such as the build time, user, or host)
from the kernel, boot loaders, and uname output, so that builds produce
bit-for-bit identical output.
+.It Va WITH_REPRODUCIBLE_PATHS
+Modify the paths encoded in binary artifacts to be standard path
+
+Normaly, the actual path is encoded in the binary. However, this makes the build
+differ depending on the path it was built from. With this option enabled, the
+paths recorded are /usr/src, regardless of the actual path. With this option
+disabled, the actual paths are recorded.
.It Va WITHOUT_RESCUE
Do not build
.Xr rescue 8 .
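Review bot: this file is @generated from tools/build/options/WITH_REPRODUCIBLE_PATHS (see the header line in the first hunk), so the typo "Normaly" and the missing article in "to be standard path" must be fixed in that source file and the page regenerated, not edited here; the "Regen src.conf.5" commit in this push will then pick the fix up.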
=====================================
share/man/man9/locking.9
=====================================
@@ -22,7 +22,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd February 3, 2023
+.Dd December 28, 2025
.Dt LOCKING 9
.Os
.Sh NAME
@@ -371,9 +371,9 @@ functions,
and any of the
.Fn sleep
functions.
-.Bl -column ".Ic xxxxxxxxxxxxxxxx" ".Xr XXXXXXXXX" ".Xr XXXXXXXXX" ".Xr XXXXXXX" ".Xr XXXXXXXXX" ".Xr XXXXXX" -offset 3n
+.Bl -column " You want:" "spin mtx " "mutex/rw " "rmlock " "sleep rm " "sx/lk " -offset 3n
.It Em " You want:" Ta spin mtx Ta mutex/rw Ta rmlock Ta sleep rm Ta sx/lk Ta sleep
-.It Em "You have: " Ta -------- Ta -------- Ta ------ Ta -------- Ta ------ Ta ------
+.It Em "You have:" Ta -------- Ta -------- Ta ------ Ta -------- Ta ----- Ta ------
.It spin mtx Ta \&ok Ta \&no Ta \&no Ta \&no Ta \&no Ta \&no-1
.It mutex/rw Ta \&ok Ta \&ok Ta \&ok Ta \&no Ta \&no Ta \&no-1
.It rmlock Ta \&ok Ta \&ok Ta \&ok Ta \&no Ta \&no Ta \&no-1
@@ -407,13 +407,13 @@ Note that non-blocking try operations on locks are always permitted.
.Ss Context mode table
The next table shows what can be used in different contexts.
At this time this is a rather easy to remember table.
-.Bl -column ".Ic Xxxxxxxxxxxxxxxxxxx" ".Xr XXXXXXXXX" ".Xr XXXXXXXXX" ".Xr XXXXXXX" ".Xr XXXXXXXXX" ".Xr XXXXXX" -offset 3n
+.Bl -column "interrupt filter: " "spin mtx " "mutex/rw " "rmlock " "sleep rm " "sx/lk " -offset 3n
.It Em "Context:" Ta spin mtx Ta mutex/rw Ta rmlock Ta sleep rm Ta sx/lk Ta sleep
.It interrupt filter: Ta \&ok Ta \&no Ta \&no Ta \&no Ta \&no Ta \&no
.It interrupt thread: Ta \&ok Ta \&ok Ta \&ok Ta \&no Ta \&no Ta \&no
-.It callout: Ta \&ok Ta \&ok Ta \&ok Ta \&no Ta \&no Ta \&no
-.It direct callout: Ta \&ok Ta \&no Ta \&no Ta \&no Ta \&no Ta \&no
-.It system call: Ta \&ok Ta \&ok Ta \&ok Ta \&ok Ta \&ok Ta \&ok
+.It callout: Ta \&ok Ta \&ok Ta \&ok Ta \&no Ta \&no Ta \&no
+.It direct callout: Ta \&ok Ta \&no Ta \&no Ta \&no Ta \&no Ta \&no
+.It system call: Ta \&ok Ta \&ok Ta \&ok Ta \&ok Ta \&ok Ta \&ok
.El
.Sh SEE ALSO
.Xr lockstat 1 ,
=====================================
share/mk/bsd.debug.mk
=====================================
@@ -16,7 +16,7 @@ MK_WERROR= no
# If reproducible build mode is enabled, map the root of the source
# directory to /usr/src and the root of the object directory to
# /usr/obj.
-.if ${MK_REPRODUCIBLE_BUILD} != "no" && !defined(DEBUG_PREFIX)
+.if ${MK_REPRODUCIBLE_PATHS} != "no" && !defined(DEBUG_PREFIX)
.if defined(SRCTOP)
DEBUG_PREFIX+= ${SRCTOP:S,/$,,}=/usr/src
.endif
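Review bot: the comment at the top of this hunk still says "If reproducible build mode is enabled", but the condition now tests MK_REPRODUCIBLE_PATHS, so a reader will assume WITH_REPRODUCIBLE_BUILD alone still triggers the /usr/src and /usr/obj mapping; update the comment to name REPRODUCIBLE_PATHS.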
=====================================
share/mk/src.opts.mk
=====================================
@@ -225,6 +225,7 @@ __DEFAULT_NO_OPTIONS = \
OFED_EXTRA \
OPENLDAP \
PORTSNAP \
+ REPRODUCIBLE_PATHS \
RPCBIND_WARMSTART_SUPPORT \
SORT_THREADS \
SPECTREV1_FIX \
=====================================
share/vt/fonts/Makefile
=====================================
@@ -21,7 +21,7 @@ FILES= ${FONTS} INDEX.fonts
CLEANFILES+= ${FONTS}
-.SUFFIXES: .bdf .fnt .fnt.uu .hex
+.SUFFIXES: .bdf .fnt .hex
.bdf.fnt .hex.fnt:
vtfontcvt -o ${.TARGET} ${.IMPSRC}
=====================================
sys/cam/scsi/scsi_da.c
=====================================
@@ -2059,8 +2059,9 @@ dainit(void)
status = xpt_register_async(AC_FOUND_DEVICE, daasync, NULL, NULL);
if (status != CAM_REQ_CMP) {
- printf("da: Failed to attach master async callback "
- "due to status 0x%x!\n", status);
+ printf(
+ "da: Failed to attach master async callback due to status 0x%x!\n",
+ status);
} else if (da_send_ordered) {
/* Register our shutdown event handler */
if ((EVENTHANDLER_REGISTER(shutdown_post_sync, dashutdown,
@@ -2186,10 +2187,10 @@ daasync(void *callback_arg, uint32_t code,
path, daasync,
AC_FOUND_DEVICE, cgd);
- if (status != CAM_REQ_CMP
- && status != CAM_REQ_INPROG)
- printf("daasync: Unable to attach to new device "
- "due to status 0x%x\n", status);
+ if (status != CAM_REQ_CMP && status != CAM_REQ_INPROG)
+ printf(
+ "daasync: Unable to attach to new device due to status 0x%x\n",
+ status);
return;
}
case AC_ADVINFO_CHANGED: /* Doesn't touch periph */
@@ -2372,8 +2373,7 @@ dasysctlinit(void *context, int pending)
SYSCTL_CHILDREN(softc->sysctl_tree), OID_AUTO,
"optimal_nonseq_zones", CTLFLAG_RD,
&softc->optimal_nonseq_zones,
- "Optimal Number of Non-Sequentially Written Sequential Write "
- "Preferred Zones");
+ "Optimal Number of Non-Sequentially Written Sequential Write Preferred Zones");
SYSCTL_ADD_UQUAD(&softc->sysctl_ctx,
SYSCTL_CHILDREN(softc->sysctl_tree), OID_AUTO,
"max_seq_zones", CTLFLAG_RD, &softc->max_seq_zones,
@@ -2859,8 +2859,8 @@ daregister(struct cam_periph *periph, void *arg)
M_NOWAIT|M_ZERO);
if (softc == NULL) {
- printf("daregister: Unable to probe new device. "
- "Unable to allocate softc\n");
+ printf(
+ "daregister: Unable to probe new device. Unable to allocate softc\n");
return(CAM_REQ_CMP_ERR);
}
@@ -3035,8 +3035,8 @@ daregister(struct cam_periph *periph, void *arg)
if (cam_iosched_init(&softc->cam_iosched, periph, softc->disk,
daschedule) != 0) {
- printf("daregister: Unable to probe new device. "
- "Unable to allocate iosched memory\n");
+ printf(
+ "daregister: Unable to probe new device. Unable to allocate iosched memory\n");
free(softc, M_DEVBUF);
return(CAM_REQ_CMP_ERR);
}
@@ -3115,8 +3115,9 @@ da_zone_cmd(struct cam_periph *periph, union ccb *ccb, struct bio *bp,
zone_sa = da_zone_bio_to_scsi(bp->bio_zone.zone_cmd);
if (zone_sa == -1) {
- xpt_print(periph->path, "Cannot translate zone "
- "cmd %#x to SCSI\n", bp->bio_zone.zone_cmd);
+ xpt_print(periph->path,
+ "Cannot translate zone cmd %#x to SCSI\n",
+ bp->bio_zone.zone_cmd);
error = EINVAL;
goto bailout;
}
@@ -3180,8 +3181,7 @@ da_zone_cmd(struct cam_periph *periph, union ccb *ccb, struct bio *bp,
if (error != 0) {
error = EINVAL;
xpt_print(periph->path,
- "scsi_ata_zac_mgmt_out() returned an "
- "error!");
+ "scsi_ata_zac_mgmt_out() returned an error!");
goto bailout;
}
}
@@ -3198,8 +3198,8 @@ da_zone_cmd(struct cam_periph *periph, union ccb *ccb, struct bio *bp,
num_entries = rep->entries_allocated;
if (num_entries == 0) {
- xpt_print(periph->path, "No entries allocated for "
- "Report Zones request\n");
+ xpt_print(periph->path,
+ "No entries allocated for Report Zones request\n");
error = EINVAL;
goto bailout;
}
@@ -3208,8 +3208,8 @@ da_zone_cmd(struct cam_periph *periph, union ccb *ccb, struct bio *bp,
alloc_size = min(alloc_size, softc->disk->d_maxsize);
rz_ptr = malloc(alloc_size, M_SCSIDA, M_NOWAIT | M_ZERO);
if (rz_ptr == NULL) {
- xpt_print(periph->path, "Unable to allocate memory "
- "for Report Zones request\n");
+ xpt_print(periph->path,
+ "Unable to allocate memory for Report Zones request\n");
error = ENOMEM;
goto bailout;
}
@@ -3266,8 +3266,7 @@ da_zone_cmd(struct cam_periph *periph, union ccb *ccb, struct bio *bp,
if (error != 0) {
error = EINVAL;
xpt_print(periph->path,
- "scsi_ata_zac_mgmt_in() returned an "
- "error!");
+ "scsi_ata_zac_mgmt_in() returned an error!");
goto bailout;
}
}
@@ -3599,8 +3598,8 @@ dastart(struct cam_periph *periph, union ccb *start_ccb)
mode_buf_len = 192;
mode_buf = malloc(mode_buf_len, M_SCSIDA, M_NOWAIT);
if (mode_buf == NULL) {
- xpt_print(periph->path, "Unable to send mode sense - "
- "malloc failure\n");
+ xpt_print(periph->path,
+ "Unable to send mode sense - malloc failure\n");
if ((softc->flags & DA_FLAG_CAN_RC16) != 0)
softc->state = DA_STATE_PROBE_RC16;
else
@@ -3882,8 +3881,7 @@ dastart(struct cam_periph *periph, union ccb *start_ccb)
log_dir = malloc(sizeof(*log_dir), M_SCSIDA, M_NOWAIT|M_ZERO);
if (log_dir == NULL) {
- xpt_print(periph->path, "Couldn't malloc log_dir "
- "data\n");
+ xpt_print(periph->path, "Couldn't malloc log_dir data\n");
daprobedone(periph, start_ccb);
break;
}
@@ -3932,8 +3930,7 @@ dastart(struct cam_periph *periph, union ccb *start_ccb)
id_dir = malloc(sizeof(*id_dir), M_SCSIDA, M_NOWAIT | M_ZERO);
if (id_dir == NULL) {
- xpt_print(periph->path, "Couldn't malloc id_dir "
- "data\n");
+ xpt_print(periph->path, "Couldn't malloc id_dir data\n");
daprobedone(periph, start_ccb);
break;
}
@@ -3981,8 +3978,7 @@ dastart(struct cam_periph *periph, union ccb *start_ccb)
sup_cap = malloc(sizeof(*sup_cap), M_SCSIDA, M_NOWAIT|M_ZERO);
if (sup_cap == NULL) {
- xpt_print(periph->path, "Couldn't malloc sup_cap "
- "data\n");
+ xpt_print(periph->path, "Couldn't malloc sup_cap data\n");
daprobedone(periph, start_ccb);
break;
}
@@ -4032,8 +4028,7 @@ dastart(struct cam_periph *periph, union ccb *start_ccb)
ata_zone = malloc(sizeof(*ata_zone), M_SCSIDA,
M_NOWAIT|M_ZERO);
if (ata_zone == NULL) {
- xpt_print(periph->path, "Couldn't malloc ata_zone "
- "data\n");
+ xpt_print(periph->path, "Couldn't malloc ata_zone data\n");
daprobedone(periph, start_ccb);
break;
}
@@ -4084,8 +4079,7 @@ dastart(struct cam_periph *periph, union ccb *start_ccb)
if (bdc == NULL) {
xpt_release_ccb(start_ccb);
- xpt_print(periph->path, "Couldn't malloc zone VPD "
- "data\n");
+ xpt_print(periph->path, "Couldn't malloc zone VPD data\n");
break;
}
scsi_inquiry(&start_ccb->csio,
@@ -4201,8 +4195,7 @@ da_delete_unmap(struct cam_periph *periph, union ccb *ccb, struct bio *bp)
if (totalcount + c > softc->unmap_max_lba ||
ranges >= softc->unmap_max_ranges) {
xpt_print(periph->path,
- "%s issuing short delete %ld > %ld"
- "|| %d >= %d",
+ "%s issuing short delete %ld > %ld || %d >= %d",
da_delete_method_desc[softc->delete_method],
totalcount + c, softc->unmap_max_lba,
ranges, softc->unmap_max_ranges);
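Review bot: the old concatenation produced "%ld|| %d" with no space before "||", which the rejoined string corrects, but the message still has no trailing "\n", unlike the other xpt_print() calls touched in this change; add it while the line is being rewritten so the output does not run into the next console message.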
@@ -4483,8 +4476,8 @@ cmd6workaround(union ccb *ccb)
(*cdb != READ_6 && *cdb != WRITE_6))
return 0;
- xpt_print(ccb->ccb_h.path, "READ(6)/WRITE(6) not supported, "
- "increasing minimum_cmd_size to 10.\n");
+ xpt_print(ccb->ccb_h.path,
+ "READ(6)/WRITE(6) not supported, increasing minimum_cmd_size to 10.\n");
softc->minimum_cmd_size = 10;
bcopy(cdb, &cmd6, sizeof(struct scsi_rw_6));
@@ -5124,8 +5117,7 @@ dadone_proberc(struct cam_periph *periph, union ccb *done_ccb)
&cgd.inq_data, &sense_key_desc,
&asc_desc);
snprintf(announce_buf, DA_ANNOUNCETMP_SZ,
- "Attempt to query device "
- "size failed: %s, %s",
+ "Attempt to query device size failed: %s, %s",
sense_key_desc, asc_desc);
} else {
if (have_sense)
@@ -5135,9 +5127,8 @@ dadone_proberc(struct cam_periph *periph, union ccb *done_ccb)
"got CAM status %#x\n",
done_ccb->ccb_h.status);
}
-
- xpt_print(periph->path, "fatal error, "
- "failed to attach to device\n");
+ xpt_print(periph->path,
+ "fatal error, failed to attach to device\n");
announce_buf = NULL;
@@ -5171,8 +5162,8 @@ dadone_proberc(struct cam_periph *periph, union ccb *done_ccb)
&softc->sysctl_task);
} else {
/* XXX This message is useless! */
- xpt_print(periph->path, "fatal error, "
- "could not acquire reference count\n");
+ xpt_print(periph->path,
+ "fatal error, could not acquire reference count\n");
}
}
@@ -5410,8 +5401,7 @@ dadone_probebdc(struct cam_periph *periph, union ccb *done_ccb)
DA_ZONE_IF_ATA_SAT : DA_ZONE_IF_SCSI;
} else if ((bdc->flags & SVPD_ZBC_MASK) !=
SVPD_ZBC_NR) {
- xpt_print(periph->path, "Unknown zoned "
- "type %#x",
+ xpt_print(periph->path, "Unknown zoned type %#x",
bdc->flags & SVPD_ZBC_MASK);
}
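Review bot: "Unknown zoned type %#x" also lacks a trailing "\n"; since the point of this change is greppable, self-contained error lines, terminate it like the neighbouring messages.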
}
@@ -6516,8 +6506,9 @@ dasetgeom(struct cam_periph *periph, uint32_t block_len, uint64_t maxsector,
if ((cdai.ccb_h.status & CAM_DEV_QFRZN) != 0)
cam_release_devq(cdai.ccb_h.path, 0, 0, 0, FALSE);
if (cdai.ccb_h.status != CAM_REQ_CMP) {
- xpt_print(periph->path, "%s: failed to set read "
- "capacity advinfo\n", __func__);
+ xpt_print(periph->path,
+ "%s: failed to set read capacity advinfo\n",
+ __func__);
/* Use cam_error_print() to decode the status */
cam_error_print((union ccb *)&cdai, CAM_ESF_CAM_STATUS,
CAM_EPF_ALL);
=====================================
sys/conf/kern.opts.mk
=====================================
@@ -56,6 +56,7 @@ __DEFAULT_NO_OPTIONS = \
KERNEL_RETPOLINE \
RATELIMIT \
REPRODUCIBLE_BUILD \
+ REPRODUCIBLE_PATHS \
VERIEXEC
# Some options are totally broken on some architectures. We disable them. If you
=====================================
sys/conf/kern.post.mk
=====================================
@@ -364,7 +364,7 @@ _ILINKS+= x86
_ILINKS+= i386
.endif
-.if ${MK_REPRODUCIBLE_BUILD} != "no"
+.if ${MK_REPRODUCIBLE_PATHS} != "no"
PREFIX_SYSDIR=/usr/src/sys
PREFIX_OBJDIR=/usr/obj/usr/src/${MACHINE}.${MACHINE_CPUARCH}/sys/${KERN_IDENT}
CFLAGS+= -ffile-prefix-map=${SYSDIR}=${PREFIX_SYSDIR}
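Review bot: switching this condition from MK_REPRODUCIBLE_BUILD to MK_REPRODUCIBLE_PATHS changes behaviour for existing users: a kernel built with only WITH_REPRODUCIBLE_BUILD no longer gets the -ffile-prefix-map to /usr/src and /usr/obj, so its binaries embed the real build paths and stop being bit-identical across build directories. The commit message says to turn both options on, but nothing in the tree tells users that; an UPDATING or RELNOTES entry, and a sentence in the WITH_REPRODUCIBLE_PATHS description, would.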
=====================================
sys/conf/kmod.mk
=====================================
@@ -304,7 +304,7 @@ all: ${PROG}
beforedepend: ${_ILINKS}
beforebuild: ${_ILINKS}
-.if ${MK_REPRODUCIBLE_BUILD} != "no"
+.if ${MK_REPRODUCIBLE_PATHS} != "no"
PREFIX_SYSDIR=/usr/src/sys
CFLAGS+= -ffile-prefix-map=${SYSDIR}=${PREFIX_SYSDIR}
.if defined(KERNBUILDDIR)
=====================================
tools/build/options/WITH_REPRODUCIBLE_PATHS
=====================================
@@ -0,0 +1,6 @@
+Modify the paths encoded in binary artifacts to be standard path
+
+Normaly, the actual path is encoded in the binary. However, this makes the build
+differ depending on the path it was built from. With this option enabled, the
+paths recorded are /usr/src, regardless of the actual path. With this option
+disabled, the actual paths are recorded.
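Review bot: "Normaly" should be "Normally", and the first line (the summary makeman copies into src.conf.5) should read "...to be a standard path." The text also only mentions /usr/src, while the bsd.debug.mk hunk in this same push maps the object directory to /usr/obj under the same option; say so, and state that the option defaults to off (it is added to __DEFAULT_NO_OPTIONS) and is now independent of REPRODUCIBLE_BUILD.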
=====================================
usr.sbin/bsdinstall/Makefile
=====================================
@@ -27,6 +27,6 @@ SUBURL= latest
.endif
HardenedBSD-base.conf:
HardenedBSD-base.conf.in
- sed "s|%%PKGHOST%%|${PKGHOST}|;s|%%SUBURL%%|${SUBURL}|;s|%%KEYSDIR%%|${KEYSDIR}|" < ${.ALLSRC} > ${.TARGET}
+ sed "s|%%SUBURL%%|${SUBURL}|" < ${.ALLSRC} > ${.TARGET}
.include <
bsd.prog.mk>
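Review bot: the sed now substitutes only %%SUBURL%%; if HardenedBSD-base.conf.in still contains %%PKGHOST%% or %%KEYSDIR%% placeholders (the .in file is not part of this diff), they are written verbatim into the generated pkg repository config, leaving an unusable url or fingerprints path. Confirm the template no longer uses them, or keep the two substitutions.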
=====================================
usr.sbin/bsdinstall/scripts/pkgbase.in
=====================================
@@ -323,6 +323,9 @@ local function pkgbase()
local repos_dir = os.getenv("BSDINSTALL_PKG_REPOS_DIR")
if not repos_dir then
repos_dir = "/usr/share/bsdinstall/"
+ assert(os.execute("mkdir -p " .. repos_dir))
+ assert(os.execute("cp /usr/share/bsdinstall/HardenedBSD-base.conf " .. repos_dir))
+
-- Since pkg always interprets fingerprints paths as relative to
-- the --rootdir we must copy the key from the host.
assert(os.execute("mkdir -p " .. chroot .. "/usr/share/keys"))
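Review bot: as indented, the new `mkdir -p` and `cp` run inside the `if not repos_dir` branch, where repos_dir has just been set to "/usr/share/bsdinstall/", so the cp copies /usr/share/bsdinstall/HardenedBSD-base.conf into its own directory; cp(1) reports the files as identical and exits non-zero, and the assert then aborts the installer in the default case (BSDINSTALL_PKG_REPOS_DIR unset). If the intent is to seed a user-supplied repos directory with the shipped config, these lines belong after the `if`, guarded by a check that repos_dir differs from the shipped location. Quote `repos_dir` in both shell commands as well; a value containing whitespace is split by the shell.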
@@ -355,7 +358,7 @@ local function pkgbase()
-- Enable the FreeBSD-base repository for this system.
assert(os.execute("mkdir -p " .. chroot .. "/usr/local/etc/pkg/repos"))
- assert(os.execute("echo 'FreeBSD-base: { enabled: yes }' > " .. chroot .. "/usr/local/etc/pkg/repos/FreeBSD.conf"))
+ assert(os.execute("echo 'HardenedBSD-base: { enabled: yes }' > " .. chroot .. "/usr/local/etc/pkg/repos/FreeBSD.conf"))
end
pkgbase()
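Review bot: the repository name becomes HardenedBSD-base, but the file is still written to .../repos/FreeBSD.conf and the comment above still says "Enable the FreeBSD-base repository"; name the file after the repository it enables (HardenedBSD.conf, matching the HardenedBSD-base.conf target in the Makefile hunk) and update the comment, so the installed system's pkg config is self-describing.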
View it on GitLab:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/compare/c0783505929675a3c542edab81ce1f20a619883d...0a7a54912a16d17859895f02967cba84d83a36d2