From: Marcela Mašláňová <mmaslano@redhat.com>
Date: Thu, 17 Feb 2011 14:08:58 +0000 (+0100)
Subject: PIE and RELRO flags to be set
X-Git-Tag: cronie1.4.7~23
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=247ac8b81534ecf27e38b55a2240cea2434b28fc;p=cronie

PIE and RELRO flags to be set

We want all long running daemons to have PIE and RELRO flags set. This is a
missing security mechanism. Fixing this generally involves adding -fPIE -DPIE
to the CFLAGS, and -pie -Wl,-z,relro -Wl,-z,now  to the LDFLAGS.
Expected results:
PIE and partial RELRO at a minimum.
---

diff --git a/configure.ac b/configure.ac
index 4e67ade..1af3496 100644
--- a/configure.ac
+++ b/configure.ac
@@ -120,9 +120,9 @@ AC_ARG_ENABLE(pie,CRONIE_HELP_STRING(--enable-pie,Build cronie as a Position Ind
 if test "x$enable_pie" = xyes; then
     save_CFLAGS="$CFLAGS"
     save_LDFLAGS="$LDFLAGS"
-    CFLAGS="$CFLAGS -fpie"
-    LDFLAGS="$LDFLAGS -pie -fpie"
-    AC_CACHE_CHECK([whether compiler accepts -pie -fpie], ac_cv_pie_fpie,
+    CFLAGS="$CFLAGS -fPIE -DPIE"
+    LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
+    AC_CACHE_CHECK([whether compiler accepts -pie & relro], ac_cv_pie_fpie,
     [AC_TRY_LINK([], [],
     ac_cv_pie_fpie=yes, ac_cv_pie_fpie=no)])
     if test $ac_cv_pie_fpie = no; then