authorJeff Layton <jlayton@samba.org>2012-07-09 14:12:33 -0400
committerJeff Layton <jlayton@samba.org>2012-07-10 13:17:03 -0400
commit233e17db8ef7edba1fea660e076a03a56b0117d2 (patch)
tree82e98a584a34735c39d56f46b56e51b08588c3a0
parenta8611e25d44211cd57a91dce4fe7d7a7ad7534d4 (diff)
autoconf: add --enable-pie and --enable-relro
-pie and -fpie enable the building of position-independent executables, and -Wl,-z,relro turns on read-only relocation support in gcc. These options are important for security purposes to guard against possible buffer overflows that lead to exploits. Follow the example of samba here and enable these by default, but add configure options that allow people to turn them off at build-time if necessary. We may also want to eventually add checks to ensure that the compiler and linker understand these options, but I'll wait until we have some evidence that it's needed before I expend the effort. Reported-by: Andreas Schneider <asn@samba.org> Signed-off-by: Jeff Layton <jlayton@samba.org>
-rw-r--r--Makefile.am2
-rw-r--r--configure.ac27
2 files changed, 28 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index b412262..0d0b599 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
+AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2 $(PIE_CFLAGS) $(RELRO_CFLAGS)
ACLOCAL_AMFLAGS = -I aclocal
root_sbindir = $(ROOTSBINDIR)
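Review bot: `-pie` and `-Wl,-z,relro` are link-time options, but the new `AM_CFLAGS` line passes them to every compile step as well as to the link. gcc accepts them silently when compiling, but a compiler that warns about unused link arguments would turn this into a build failure under `-Werror`. Keeping only `-fpie` in `AM_CFLAGS` and carrying the link flags separately would scope them correctly, for example `AM_LDFLAGS = $(PIE_LDFLAGS) $(RELRO_CFLAGS)` with a new substituted `PIE_LDFLAGS` holding `-pie`. Whether Makefile.am already sets `AM_LDFLAGS` further down is not visible in this hunk.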
diff --git a/configure.ac b/configure.ac
index 0dd1155..a8d0bbc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,6 +10,18 @@ AC_CONFIG_MACRO_DIR(aclocal)
AM_INIT_AUTOMAKE
# "enable" options
+AC_ARG_ENABLE(pie,
+ [AC_HELP_STRING([--enable-pie],
+ [Produce position independent executables @<:@default=yes@:>@])],
+ enable_pie=$enableval,
+ enable_pie="maybe")
+
+AC_ARG_ENABLE(relro,
+ [AC_HELP_STRING([--enable-relro],
+ [Enable relocations read-only support @<:@default=yes@:>@])],
+ enable_relro=$enableval,
+ enable_relro="maybe")
+
AC_ARG_ENABLE(cifsupcall,
[AC_HELP_STRING([--enable-cifsupcall],
[Create cifs.upcall binary @<:@default=yes@:>@])],
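Review bot: The help strings for `--enable-pie` and `--enable-relro` say `default=yes`, but the fallback value is `"maybe"`, and nothing in this commit distinguishes it from `yes`. A comment above the two new blocks would make this clear, e.g. `# "maybe" currently behaves like "yes": no compiler/linker probe exists yet, so the flags are always added unless disabled`. The `AC_ARG_ENABLE(cifsupcall, ...)` block at the end of the hunk continues outside it.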
@@ -82,6 +94,21 @@ AC_CHECK_HEADERS([arpa/inet.h ctype.h fcntl.h inttypes.h limits.h mntent.h netdb
AC_CHECK_HEADERS([sys/fsuid.h])
AC_CHECK_FUNC(setfsuid, , [AC_MSG_ERROR([System does not support setfsuid()])])
+# FIXME: add test(s) to autodisable these flags when compiler/linker don't support it
+if test $enable_pie != "no"; then
+ PIE_CFLAGS="-fpie -pie"
+else
+ PIE_CFLAGS=""
+fi
+AC_SUBST([PIE_CFLAGS])
+
+if test $enable_relro != "no"; then
+ RELRO_CFLAGS="-Wl,-z,relro"
+else
+ RELRO_CFLAGS=""
+fi
+AC_SUBST([RELRO_CFLAGS])
+
if test $enable_cifsupcall != "no"; then
AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
if test x$ac_cv_header_krb5_krb5_h != xyes ; then
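Review bot: `RELRO_CFLAGS="-Wl,-z,relro"` gives only partial RELRO, because lazy binding leaves the PLT part of the GOT writable and a memory-corruption bug can still overwrite those entries. Since the point of this change is hardening, consider full RELRO with `RELRO_CFLAGS="-Wl,-z,relro,-z,now"`, which resolves symbols at startup and maps the whole GOT read-only. Separately, `test $enable_pie != "no"` and `test $enable_relro != "no"` expand the variable unquoted, so an empty value such as `--enable-pie=` yields a shell syntax error; `test "x$enable_pie" != "xno"` avoids that. The `enable_cifsupcall` block that follows extends past the end of the hunk.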