PIE and RELRO flags to be set

We want all long running daemons to have PIE and RELRO flags set. This is a
missing security mechanism. Fixing this generally involves adding -fPIE -DPIE
to the CFLAGS, and -pie -Wl,-z,relro -Wl,-z,now  to the LDFLAGS.
Expected results:
PIE and partial RELRO at a minimum.

diff --git a/configure.ac b/configure.ac
index 4e67ade6c8c0e4969c9eb0e723781bcbd9fbb3d4..1af34965273984c79d17b5574e99ec07b14620ec 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -120,9 +120,9 @@ AC_ARG_ENABLE(pie,CRONIE_HELP_STRING(--enable-pie,Build cronie as a Position Ind
 if test "x$enable_pie" = xyes; then
     save_CFLAGS="$CFLAGS"
     save_LDFLAGS="$LDFLAGS"
-    CFLAGS="$CFLAGS -fpie"
-    LDFLAGS="$LDFLAGS -pie -fpie"
-    AC_CACHE_CHECK([whether compiler accepts -pie -fpie], ac_cv_pie_fpie,
+    CFLAGS="$CFLAGS -fPIE -DPIE"
+    LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
+    AC_CACHE_CHECK([whether compiler accepts -pie & relro], ac_cv_pie_fpie,
     [AC_TRY_LINK([], [],
     ac_cv_pie_fpie=yes, ac_cv_pie_fpie=no)])
     if test $ac_cv_pie_fpie = no; then