]> granicus.if.org Git - procps-ng/commitdiff
projects / procps-ng / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1e6452f)
build-sys: Enable optional hardening flags
authorCraig Small <csmall@enc.com.au>
Mon, 25 Apr 2016 07:07:22 +0000 (17:07 +1000)
committerCraig Small <csmall@enc.com.au>
Mon, 25 Apr 2016 07:07:22 +0000 (17:07 +1000)
With the configure option --enable-harden-flags the CFLAGS and
LDFLAGS are manipulated to provide some hardening protection
to the binaries.

psmisc uses these flags on by default with no troubles, however
it doesn't have a library in it either.

References:
  https://wiki.debian.org/Hardening

Makefile.am patch | blob | history
configure.ac patch | blob | history

diff --git a/Makefile.am b/Makefile.am
index 77e34f34b39ef8ac7ca25ea80f2f2ef9f4ebb250..07091a6aa13229fec91e762f79e52e282ce66ce9 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,10 @@ AM_CPPFLAGS = \
        -include $(top_builddir)/config.h \
        -I$(top_srcdir) \
        -I$(top_srcdir)/include \
-       -DLOCALEDIR=\"$(localedir)\"
+       -DLOCALEDIR=\"$(localedir)\" \
+       @HARDEN_CFLAGS@
+
+AM_LDFLAGS = @HARDEN_LDFLAGS@
 
 PACKAGE_VERSION = @PACKAGE_VERSION@
 
diff --git a/configure.ac b/configure.ac
index 32d0f728efccf39ecda9f6236c5ac0f9ad7817ab..71906507c15d88e121bfd316cc4106d2cafdde35 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -116,6 +116,29 @@ if test "$enable_libselinux" = "yes"; then
   AC_DEFINE([ENABLE_LIBSELINUX], [1], [Enable libselinux])
 fi
 
+# Enable hardened compile and link flags
+AC_ARG_ENABLE([harden_flags],
+  [AS_HELP_STRING([--enable-harden-flags], [enable hardened compilier and linker flags])],
+  [enable_harden_flags=$enableval],
+  [enable_harden_flags="no"])
+
+# Check that harden CFLAGS and LDFLAGS will compile
+AS_IF([test "$enable_harden_flags" = "yes"],
+  HARDEN_CFLAGS="-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security"
+  [HARDEN_LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now"]
+  [ AC_MSG_CHECKING([compiler supports harden flags])
+  save_harden_cflags="$CFLAGS"
+  CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM(,,)],
+      [AC_MSG_RESULT([yes])],
+     [AC_MSG_RESULT([no]); HARDEN_CFLAGS='']
+    )
+  CFLAGS="$save_harden_cflags"],
+  [HARDEN_CFLAGS=""
+   HARDEN_LDFLAGS=""])
+AC_SUBST([HARDEN_CFLAGS])
+AC_SUBST([HARDEN_LDFLAGS])
+
 # Optional packages - AC_ARG_WITH
 AC_ARG_WITH([ncurses],
   AS_HELP_STRING([--without-ncurses], [build only applications not needing ncurses]),
Unnamed repository; edit this file 'description' to name the repository.