diff -urNp src.0/Makefile.inc1 src/Makefile.inc1
--- src.0/Makefile.inc1 2007-10-31 09:26:42.000000000 +0000
+++ src/Makefile.inc1 2007-12-11 12:20:31.000000000 +0000
@@ -213,6 +213,7 @@ BMAKE= MAKEOBJDIRPREFIX=${WORLDTMP} \
 ${BMAKEENV} ${MAKE} -f Makefile.inc1 \
 DESTDIR= \
 BOOTSTRAPPING=${OSRELDATE} \
+ SSP_CFLAGS= \
 -DWITHOUT_HTML -DWITHOUT_INFO -DNO_LINT -DWITHOUT_MAN \
 -DWITHOUT_NLS -DNO_PIC -DWITHOUT_PROFILE -DNO_SHARED \
 -DNO_CPU_CFLAGS -DNO_WARNS
@@ -222,6 +223,7 @@ TMAKE= MAKEOBJDIRPREFIX=${OBJTREE} \
 ${BMAKEENV} ${MAKE} -f Makefile.inc1 \
 TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH} \
 DESTDIR= \
+ SSP_CFLAGS= \
 BOOTSTRAPPING=${OSRELDATE} -DNO_LINT -DNO_CPU_CFLAGS -DNO_WARNS
 # cross-tools stage
@@ -433,7 +435,7 @@ build32:
 .if ${MK_KERBEROS} != "no"
 .for _t in obj depend all
 cd ${.CURDIR}/kerberos5/tools; \
- MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} DESTDIR= ${_t}
+ MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} SSP_CFLAGS= DESTDIR= ${_t}
 .endfor
 .endif
 .for _t in obj includes
@@ -455,7 +457,7 @@ build32:
 .endfor
 .for _dir in lib/ncurses/ncurses lib/ncurses/ncursesw lib/libmagic
 cd ${.CURDIR}/${_dir}; \
- MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} DESTDIR= build-tools
+ MAKEOBJDIRPREFIX=${OBJTREE}/lib32 ${MAKE} SSP_CFLAGS= DESTDIR= build-tools
 .endfor
 cd ${.CURDIR}; \
 ${LIB32WMAKE} -f Makefile.inc1 libraries
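Review bot: The `SSP_CFLAGS=` overrides added to the `BMAKE` and `TMAKE` command lines carry no comment saying why stack protection is switched off for these stages, and the same bare override recurs in the `kerberos5/tools` and `build-tools` invocations under `build32` and in the two aicasm invocations under `buildkernel`. A reader auditing hardening coverage cannot tell a deliberate exemption from an accident. A comment above each definition would settle it, for example `# Bootstrap/build tools run on and link against the build host, which may lack the SSP runtime; keep them unprotected.`, if that is indeed the reason. The `BMAKE` and `TMAKE` assignments begin before their hunks, so the comment belongs on lines not shown here.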
@@ -728,13 +730,13 @@ buildkernel:
 @echo "--------------------------------------------------------------"
 cd ${KRNLOBJDIR}/${_kernel}; \
 MAKESRCPATH=${KERNSRCDIR}/dev/aic7xxx/aicasm \
- ${MAKE} -DNO_CPU_CFLAGS -f ${KERNSRCDIR}/dev/aic7xxx/aicasm/Makefile
+ ${MAKE} SSP_CFLAGS= -DNO_CPU_CFLAGS -f ${KERNSRCDIR}/dev/aic7xxx/aicasm/Makefile
 # XXX - Gratuitously builds aicasm in the ``makeoptions NO_MODULES'' case.
 .if !defined(MODULES_WITH_WORLD) && !defined(NO_MODULES) && exists(${KERNSRCDIR}/modules)
 .for target in obj depend all
 cd ${KERNSRCDIR}/modules/aic7xxx/aicasm; \
 MAKEOBJDIRPREFIX=${KRNLOBJDIR}/${_kernel}/modules \
- ${MAKE} -DNO_CPU_CFLAGS ${target}
+ ${MAKE} SSP_CFLAGS= -DNO_CPU_CFLAGS ${target}
 .endfor
 .endif
 .if !defined(NO_KERNELDEPEND)
Files src.0/lib/libc/sys/.stack_protector.c.swp and src/lib/libc/sys/.stack_protector.c.swp differ
diff -urNp src.0/lib/libstand/Makefile src/lib/libstand/Makefile
--- src.0/lib/libstand/Makefile 2007-10-24 21:32:57.000000000 +0000
+++ src/lib/libstand/Makefile 2007-12-11 12:22:04.000000000 +0000
@@ -12,6 +12,7 @@ NO_PIC=
 INCS= stand.h
 MAN= libstand.3
+SSP_CFLAGS=
 CFLAGS+= -ffreestanding -Wformat
 CFLAGS+= -I${.CURDIR}
diff -urNp src.0/share/mk/bsd.README src/share/mk/bsd.README
--- src.0/share/mk/bsd.README 2006-06-18 11:26:17.000000000 +0000
+++ src/share/mk/bsd.README 2007-12-11 12:17:35.000000000 +0000
@@ -37,6 +37,7 @@ bsd.port.pre.mk - building ports
 bsd.port.subdir.mk - targets for building subdirectories for ports
 bsd.prog.mk - building programs from source files
 bsd.snmpmod.mk - building modules for the SNMP daemon bsnmpd
+bsd.ssp.mk - handle ProPolice (SSP) settings
 bsd.subdir.mk - targets for building subdirectories
 bsd.sys.mk - common settings used for building FreeBSD sources
 sys.mk - default rules for all makes
diff -urNp src.0/share/mk/bsd.own.mk src/share/mk/bsd.own.mk
--- src.0/share/mk/bsd.own.mk 2007-10-20 19:01:49.000000000 +0000
+++ src/share/mk/bsd.own.mk 2007-12-11 14:37:38.000000000 +0000
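Review bot: The `SSP_CFLAGS=` added after `MAN= libstand.3` in lib/libstand/Makefile has no comment, whereas the boot makefiles in this patch at least say `# No SSP in /boot.`; without one the opt-out looks accidental. A line such as `# libstand is freestanding and has no __stack_chk_guard/__stack_chk_fail to link against.` above it would document the exemption, assuming that is the reason. Unrelated to this hunk but directly above it, the `Files … .stack_protector.c.swp … differ` line shows the diff was taken with an editor swap file present under lib/libc/sys, so the patch is worth regenerating from a clean tree.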
@@ -111,6 +111,7 @@ SRCCONF?= /etc/src.conf
 .endif
 .endif
+.if !defined(_ONLY_SRCCONF)
 # Binaries
 BINOWN?= root
 BINGRP?= wheel
@@ -173,6 +174,7 @@ STRIP?= -s
 COMPRESS_CMD?= gzip -cn
 COMPRESS_EXT?= .gz
+.endif # !_ONLY_SRCCONF
 .if !defined(_WITHOUT_SRCCONF)
 #
diff -urNp src.0/share/mk/bsd.port.mk src/share/mk/bsd.port.mk
--- src.0/share/mk/bsd.port.mk 2006-11-19 16:28:52.000000000 +0000
+++ src/share/mk/bsd.port.mk 2007-12-11 12:16:29.000000000 +0000
@@ -9,3 +9,10 @@ _WITHOUT_SRCCONF=
 .include
 .include "${BSDPORTMK}"
+
+# XXX This belongs to ports/Mk/bsd.port.mk where it should be documented as
+# well, but it is easier to distribute as long as it is a patch.
+.if defined(USE_SSP)
+SSP_CFLAGS ?= -fstack-protector
+CFLAGS += ${SSP_CFLAGS}
+.endif
diff -urNp src.0/share/mk/bsd.ssp.mk src/share/mk/bsd.ssp.mk
--- src.0/share/mk/bsd.ssp.mk 1970-01-01 00:00:00.000000000 +0000
+++ src/share/mk/bsd.ssp.mk 2007-12-11 14:47:22.000000000 +0000
@@ -0,0 +1,10 @@
+# $FreeBSD$
+
+# Handle stack protection flags.
+.if ${MK_SSP} != "no" && ${CC} != 'icc'
+SSP_CFLAGS ?= -fstack-protector
+CFLAGS += ${SSP_CFLAGS}
+. if defined(SSP_WARNS) && !empty(SSP_FLAGS)
+CWARNFLAGS += -Wstack-protector
+. endif
+.endif
diff -urNp src.0/share/mk/bsd.sys.mk src/share/mk/bsd.sys.mk
--- src.0/share/mk/bsd.sys.mk 2007-11-22 23:21:12.000000000 +0000
+++ src/share/mk/bsd.sys.mk 2007-12-11 12:15:35.000000000 +0000
@@ -76,3 +76,5 @@ CWARNFLAGS += -Wno-unknown-pragmas
 # Allow user-specified additional warning flags
 CFLAGS += ${CWARNFLAGS}
+
+.include
diff -urNp src.0/sys/boot/efi/Makefile.inc src/sys/boot/efi/Makefile.inc
--- src.0/sys/boot/efi/Makefile.inc 2004-02-12 08:10:33.000000000 +0000
+++ src/sys/boot/efi/Makefile.inc 2007-12-11 12:23:20.000000000 +0000
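Review bot: Nothing in the two bsd.own.mk hunks defines `MK_SSP`, yet bsd.ssp.mk and sys/conf/kern.mk in this patch both compare `${MK_SSP}` against `no`. The hunks only add the `_ONLY_SRCCONF` guard around the ownership and install defaults, so unless SSP is added to the option list elsewhere in the file (not visible here) the comparison is made on an undefined variable, which make normally rejects as a malformed conditional. The `.if !defined(_ONLY_SRCCONF)` line would also benefit from a comment such as `# _ONLY_SRCCONF: set by sys/conf/kern.pre.mk to get the src.conf options without the install defaults below.`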
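Review bot: The inner test `!empty(SSP_FLAGS)` in bsd.ssp.mk names a variable that is set nowhere in this patch; the flag variable is `SSP_CFLAGS`, so as written `-Wstack-protector` is never added even when `SSP_WARNS` is defined. It should read `. if defined(SSP_WARNS) && !empty(SSP_CFLAGS)`. The outer condition also writes `'icc'` in single quotes while the existing kern.mk context uses `${CC} == "icc"`; if make does not treat single quotes as string delimiters, the comparison is against the literal text including the quotes and is always true. Prefer `${CC} != "icc"` here and `${MK_SSP} != "no" && ${CC} != "icc"` in the kern.mk hunk, where a never-matching `'no'` would mean the kernel opt-out silently does nothing.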
@@ -5,3 +5,6 @@ BINDIR?= /boot
 # Options used when building app-specific efi components
 CFLAGS+= -ffreestanding -fshort-wchar -Wformat
 LDFLAGS+= -nostdlib
+
+# No SSP in /boot.
+SSP_CFLAGS=
diff -urNp src.0/sys/boot/ficl/Makefile src/sys/boot/ficl/Makefile
--- src.0/sys/boot/ficl/Makefile 2007-10-15 14:20:24.000000000 +0000
+++ src/sys/boot/ficl/Makefile 2007-12-11 12:24:13.000000000 +0000
@@ -7,6 +7,8 @@ BASE_SRCS= dict.c ficl.c fileaccess.c fl
 SRCS= ${BASE_SRCS} sysdep.c softcore.c
 CLEANFILES= softcore.c testmain testmain.o
 CFLAGS+= -ffreestanding
+# No SSP in /boot.
+SSP_CFLAGS=
 .if ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "amd64"
 CFLAGS+= -mpreferred-stack-boundary=2
 CFLAGS+= -mno-mmx -mno-3dnow -mno-sse -mno-sse2
diff -urNp src.0/sys/boot/i386/Makefile.inc src/sys/boot/i386/Makefile.inc
--- src.0/sys/boot/i386/Makefile.inc 2006-09-28 10:02:04.000000000 +0000
+++ src/sys/boot/i386/Makefile.inc 2007-12-11 12:24:40.000000000 +0000
@@ -15,6 +15,9 @@ LDFLAGS+= -m elf_i386_fbsd
 AFLAGS+= --32
 .endif
+# No SSP in /boot.
+SSP_CFLAGS=
+
 # BTX components
 .if exists(${.OBJDIR}/../btx)
 BTXDIR= ${.OBJDIR}/../btx
diff -urNp src.0/sys/boot/ofw/libofw/Makefile src/sys/boot/ofw/libofw/Makefile
--- src.0/sys/boot/ofw/libofw/Makefile 2007-06-17 00:17:15.000000000 +0000
+++ src/sys/boot/ofw/libofw/Makefile 2007-12-11 12:25:16.000000000 +0000
@@ -17,6 +17,9 @@ CFLAGS+= -ffreestanding
 CFLAGS+= -msoft-float
 .endif
+# No SSP in /boot.
+SSP_CFLAGS=
+
 .ifdef(BOOT_DISK_DEBUG)
 # Make the disk code more talkative
 CFLAGS+= -DDISK_DEBUG
diff -urNp src.0/sys/boot/sparc64/Makefile.inc src/sys/boot/sparc64/Makefile.inc
--- src.0/sys/boot/sparc64/Makefile.inc 2004-02-09 14:17:02.000000000 +0000
+++ src/sys/boot/sparc64/Makefile.inc 2007-12-11 12:25:34.000000000 +0000
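Review bot: The comment `# No SSP in /boot.` states the exemption but not the reason, and the same two lines are pasted into the efi, ficl, i386, ofw/libofw and sparc64 makefiles. Per-directory opt-outs are easy to miss: a loader directory not touched here still picks up `-fstack-protector` from bsd.ssp.mk and would presumably fail to link for want of the guard symbols. Consider wording like `# Loader code is freestanding: there is no __stack_chk_guard/__stack_chk_fail to link against.` and, if the boot tree has a shared include, setting the override once there.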
@@ -3,3 +3,6 @@ BINDIR?= /boot
 CFLAGS+= -ffreestanding
 LDFLAGS+= -nostdlib
+
+# No SSP in /boot.
+SSP_CFLAGS=
diff -urNp src.0/sys/conf/files src/sys/conf/files
--- src.0/sys/conf/files 2007-11-21 21:42:55.000000000 +0000
+++ src/sys/conf/files 2007-12-11 15:08:38.000000000 +0000
@@ -1474,6 +1474,7 @@ kern/posix4_mib.c standard
 kern/sched_4bsd.c optional sched_4bsd
 kern/sched_ule.c optional sched_ule
 kern/serdev_if.m standard
+kern/stack_protector.c standard
 kern/subr_acl_posix1e.c standard
 kern/subr_autoconf.c standard
 kern/subr_blist.c standard
diff -urNp src.0/sys/conf/kern.mk src/sys/conf/kern.mk
--- src.0/sys/conf/kern.mk 2007-05-24 21:53:42.000000000 +0000
+++ src/sys/conf/kern.mk 2007-12-11 14:49:31.000000000 +0000
@@ -97,3 +97,11 @@ CFLAGS+= -ffreestanding
 .if ${CC} == "icc"
 CFLAGS+= -restrict
 .endif
+
+#
+# GCC SSP support.
+#
+.if ${MK_SSP} != 'no' && ${CC} != 'icc'
+SSP_CFLAGS?= -fstack-protector
+CFLAGS+= ${SSP_CFLAGS}
+.endif
diff -urNp src.0/sys/conf/kern.pre.mk src/sys/conf/kern.pre.mk
--- src.0/sys/conf/kern.pre.mk 2007-08-08 19:12:06.000000000 +0000
+++ src/sys/conf/kern.pre.mk 2007-12-11 14:39:59.000000000 +0000
@@ -3,10 +3,8 @@
 # Part of a unified Makefile for building kernels. This part contains all
 # of the definitions that need to be before %BEFORE_DEPEND.
-SRCCONF?= /etc/src.conf
-.if exists(${SRCCONF})
-.include "${SRCCONF}"
-.endif
+_ONLY_SRCCONF=
+.include
 # Can be overridden by makeoptions or /etc/make.conf
 KERNEL_KO?= kernel
diff -urNp src.0/sys/kern/stack_protector.c src/sys/kern/stack_protector.c
--- src.0/sys/kern/stack_protector.c 1970-01-01 00:00:00.000000000 +0000
+++ src/sys/kern/stack_protector.c 2007-12-11 15:51:39.000000000 +0000
@@ -0,0 +1,13 @@
+void panic(const char *, ...);
+void __stack_chk_fail(void);
+
+long __stack_chk_guard[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+void
+__stack_chk_fail(void)
+{
+ static char *msg = "stack overflow caught by SSP; backtrace may be "
+ "corrupted.";
+
+ panic(msg);
+}
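Review bot: `__stack_chk_guard` in sys/kern/stack_protector.c is initialised to eight zero words and nothing in the file ever changes it, so every kernel built with this patch carries the same, publicly known canary. A fixed all-zero value only stops overflows that cannot write NUL bytes, such as unbounded string copies; an overflow through a length-based copy can reproduce it and pass the check. The guard should be filled from the kernel's random source once during boot, as sketched below. The init routine must not itself be instrumented, and the SYSINIT slot shown is a guess that has to be checked against when the generator becomes usable. Separately, `msg` could be `static const char msg[]`, and `panic()` is better taken from its header than from a local prototype.

```c
long __stack_chk_guard[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };

/* Replace the build-time zero canary with random words once at boot. */
static void
__stack_chk_init(void *dummy __unused)
{
	long guard[sizeof(__stack_chk_guard) / sizeof(__stack_chk_guard[0])];
	size_t i;

	arc4rand(guard, sizeof(guard), 0);
	for (i = 0; i < sizeof(guard) / sizeof(guard[0]); i++)
		__stack_chk_guard[i] = guard[i];
}
/* Ordering to be confirmed: must run after the random generator is ready. */
SYSINIT(stack_chk, SI_SUB_EVENTHANDLER, SI_ORDER_ANY, __stack_chk_init, NULL);

/* … unchanged: __stack_chk_fail() … */
```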