Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd,

resolvd, slaacd, unwind.
The mitigation story is way better: syscalls are in a randomly located
libc, and every syscall stub is randomly located inside that due to
random relinking.  As opposed to fixed offset inside a release binary.
There is one known consequence: /usr nfs mounting must use statically
configured IP addresses.
ok kettenis florian, others

7 files changed, 28 insertions, 7 deletions

diff --git a/sbin/dhcpleased/Makefile b/sbin/dhcpleased/Makefile
index 78069924947..ee60feeb440 100644
--- a/sbin/dhcpleased/Makefile
+++ b/sbin/dhcpleased/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.2 2021/07/26 09:26:36 florian Exp $
+#	$OpenBSD: Makefile,v 1.3 2022/08/29 17:00:29 deraadt Exp $
 
 PROG=	dhcpleased
 SRCS=	bpf.c checksum.c control.c dhcpleased.c engine.c frontend.c log.c
@@ -18,3 +18,6 @@ LDADD+=	-levent -lutil
 DPADD+= ${LIBEVENT} ${LIBUTIL}
 
 .include <bsd.prog.mk>
+
+# Don't compile dhcpleased as static binary by default
+LDSTATIC=       
diff --git a/sbin/mountd/Makefile b/sbin/mountd/Makefile
index ced4a7861f3..784ded17aa8 100644
--- a/sbin/mountd/Makefile
+++ b/sbin/mountd/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.4 2015/12/23 21:16:17 tim Exp $
+#	$OpenBSD: Makefile,v 1.5 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=	mountd
 MAN=	exports.5 mountd.8
@@ -7,3 +7,6 @@ LDADD=	-lutil
 DPADD=	${LIBUTIL}
 
 .include <bsd.prog.mk>
+
+# Don't compile mountd as static binary by default
+LDSTATIC=       
diff --git a/sbin/nfsd/Makefile b/sbin/nfsd/Makefile
index 5d5d13096db..938b0025445 100644
--- a/sbin/nfsd/Makefile
+++ b/sbin/nfsd/Makefile
@@ -1,6 +1,9 @@
-#	$OpenBSD: Makefile,v 1.8 2015/10/02 00:47:48 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.9 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=	nfsd
 MAN=	nfsd.8
 
 .include <bsd.prog.mk>
+
+# Don't compile nfsd as static binary by default
+LDSTATIC=       
diff --git a/sbin/pflogd/Makefile b/sbin/pflogd/Makefile
index 826ed0a22af..6d79f350ed9 100644
--- a/sbin/pflogd/Makefile
+++ b/sbin/pflogd/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.9 2013/06/19 03:51:30 lteo Exp $
+#	$OpenBSD: Makefile,v 1.10 2022/08/29 17:00:30 deraadt Exp $
 
 CFLAGS+=-Wall -Wmissing-prototypes -Wshadow
 
@@ -13,3 +13,6 @@ SRCS=	pflogd.c privsep.c privsep_fdpass.c
 MAN=	pflogd.8
 
 .include <bsd.prog.mk>
+
+# Don't compile pflogd as static binary by default
+LDSTATIC=       
diff --git a/sbin/resolvd/Makefile b/sbin/resolvd/Makefile
index 96281056e63..5ec376f123a 100644
--- a/sbin/resolvd/Makefile
+++ b/sbin/resolvd/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.1 2021/02/24 18:10:41 florian Exp $
+#	$OpenBSD: Makefile,v 1.2 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=	resolvd
 SRCS=	resolvd.c
@@ -14,3 +14,6 @@ CFLAGS+= -Wshadow -Wpointer-arith -Wcast-qual
 CFLAGS+= -Wsign-compare
 
 .include <bsd.prog.mk>
+
+# Don't compile resolvd as static binary by default
+LDSTATIC=       
diff --git a/sbin/slaacd/Makefile b/sbin/slaacd/Makefile
index 84fa0be5b2c..f158a98afba 100644
--- a/sbin/slaacd/Makefile
+++ b/sbin/slaacd/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.2 2019/11/07 08:45:31 florian Exp $
+#	$OpenBSD: Makefile,v 1.3 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=	slaacd
 SRCS=	control.c engine.c frontend.c log.c slaacd.c
@@ -17,3 +17,6 @@ LDADD+=	-levent -lutil
 DPADD+= ${LIBEVENT} ${LIBUTIL}
 
 .include <bsd.prog.mk>
+
+# Don't compile slaacd as static binary by default
+LDSTATIC=       
diff --git a/sbin/unwind/Makefile b/sbin/unwind/Makefile
index dab729395d7..83fc3814c6f 100644
--- a/sbin/unwind/Makefile
+++ b/sbin/unwind/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.8 2021/01/24 18:29:15 florian Exp $
+#	$OpenBSD: Makefile,v 1.9 2022/08/29 17:00:30 deraadt Exp $
 
 PROG=	unwind
 SRCS=	control.c resolver.c frontend.c log.c unwind.c parse.y printconf.c
@@ -19,3 +19,6 @@ LDADD+=	-levent -lutil -lssl -lcrypto
 DPADD+= ${LIBEVENT} ${LIBUTIL} ${LIBSSL} ${LIBCRYPTO}
 
 .include <bsd.prog.mk>
+
+# Don't compile unwind as static binary by default
+LDSTATIC=