Added hardened CFLAGS

Debian and Ubuntu (at the least) have some CFLAGS that harden the binary
for some typical attacks. psmisc now will have these flags on by default
but checks the compilier supports them.

diff --git a/ChangeLog b/ChangeLog
index c36ba9032486a267a8fe45460d2f0f27f73e2011..cf95c4b1804eb097931c45674236add270dce21c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Changes in 22.16
+================
+       * Use strncpy for COMM_LEN and make it 18 characters to cover brackets
+         in name.
+       * Enable some harden AM_CFLAGS by default, use configure option
+         --disable-harden-flags to not use it.
+
 Changes in 22.15
 ================
        * Really apply patch for SF#31110178 RH#651794, SF#3317431

diff --git a/configure.ac b/configure.ac
index 7b0b42bd62cf2e53ebce8714ac4d315707619197..e7e86fb68629175657ab89b69967b2a14192bdf6 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1,10 +1,11 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.61)
-AC_INIT([psmisc],[22.15])
+AC_INIT([psmisc],[22.16])
 AC_CONFIG_SRCDIR([src/comm.h])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_AUX_DIR([config])
 AM_INIT_AUTOMAKE([1.10])
+AC_LANG([C])
 
 dnl Checks for programs.
 AC_PROG_CC
@@ -12,6 +13,7 @@ AC_PROG_MAKE_SET
 AC_PROG_LN_S
 
 dnl checks for options
+# SELinux support - off by default
 AC_SUBST([WITH_SELINUX])
 AC_ARG_ENABLE([selinux],
   [AS_HELP_STRING([--enable-selinux], [Enable Security-Enhanced Linux features])],
@@ -24,7 +26,7 @@ if test "$enable_selinux" = "yes"; then
 fi
 AC_SUBST([SELINUX_LIB])
 
-dnl Call fork before all stat calls to stop hanging on NFS mounts
+# Call fork before all stat calls to stop hanging on NFS mounts
 AC_SUBST([WITH_TIMEOUT_STAT])
 AC_ARG_ENABLE([timeout_stat],
   [AS_HELP_STRING([--enable-timeout-stat], [Use a timeout on stat calls])],
@@ -34,6 +36,12 @@ if test "$enable_timeout_stat" = "yes"; then
   AC_DEFINE([WITH_TIMEOUT_STAT], [1], [Use timeout on stat calls])
 fi
 
+# Enable hardened compile and link flags
+AC_ARG_ENABLE([harden_flags],
+  [AS_HELP_STRING([--disable-harden-flags], [disable hardened compilier and linker flags])],
+  [enable_harden_flags=$enableval],
+  [enable_harden_flags="yes"])
+
 dnl ipv4 only option
 AC_SUBST([WITH_IPV6])
 AC_ARG_ENABLE([ipv6],
@@ -67,6 +75,20 @@ AC_TYPE_SIZE_T
 AC_CHECK_MEMBERS([struct stat.st_rdev])
 AC_TYPE_UID_T
 
+# Check that harden CFLAGS will compile
+AS_IF([test "$enable_harden_flags" = "yes"],
+  HARDEN_CFLAGS="-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security"
+  [ AC_MSG_CHECKING([compiler supports harden flags])
+  save_harden_cflags="$CFLAGS"
+  CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM(,,)],
+      [AC_MSG_RESULT([yes])],
+     [AC_MSG_RESULT([no]); HARDEN_CFLAGS='']
+    )
+  CFLAGS="$save_harden_cflags"],
+  [HARDEN_CFLAGS=""])
+AC_SUBST([HARDEN_CFLAGS])
+
 dnl Check for language stuff
 AM_GNU_GETTEXT_VERSION([0.16.1])
 AM_GNU_GETTEXT([external])

diff --git a/src/Makefile.am b/src/Makefile.am
index 43986317781b19c4c02dc3b659d1b2b27128477a..d511f242895681fa27e6f0af133863ac7744f584 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,5 @@
 
-AM_CFLAGS = -Wall -DLOCALEDIR=\"/usr/share/locale\"
+AM_CFLAGS = -Wall -DLOCALEDIR=\"/usr/share/locale\" @HARDEN_CFLAGS@
 
 bin_PROGRAMS = fuser killall pstree prtstat
 if WANT_PEEKFD_I386