From: Craig Small
Date: Mon, 25 Apr 2016 07:07:22 +0000 (+1000)
Subject: build-sys: Enable optional hardening flags
X-Git-Tag: v4.0.0~939
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9c877bf636401faec1df5934eb69a3775077be4d;p=procps-ng
build-sys: Enable optional hardening flags With the configure option --enable-harden-flags the CFLAGS and LDFLAGS are manipulated to provide some hardening protection to the binaries. psmisc uses these flags on by default with no troubles, however it doesn't have a library in it either. References: https://wiki.debian.org/Hardening
---
diff --git a/Makefile.am b/Makefile.am
index 77e34f34..07091a6a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,10 @@ AM_CPPFLAGS = \
 -include $(top_builddir)/config.h \
 -I$(top_srcdir) \
 -I$(top_srcdir)/include \
- -DLOCALEDIR=\"$(localedir)\"
+ -DLOCALEDIR=\"$(localedir)\" \
+ @HARDEN_CFLAGS@
+
+AM_LDFLAGS = @HARDEN_LDFLAGS@
 PACKAGE_VERSION = @PACKAGE_VERSION@
diff --git a/configure.ac b/configure.ac
index 32d0f728..71906507 100644
--- a/configure.ac
+++ b/configure.ac
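Review bot: In the Makefile.am hunk the compiler options in `@HARDEN_CFLAGS@` are appended to `AM_CPPFLAGS` and the link options go into `AM_LDFLAGS`, and Automake drops both `AM_` variables for any target that defines its own `<target>_CPPFLAGS` or `<target>_LDFLAGS`, so such a target would be built without the hardening; whether this tree has such targets is not visible in the hunk and should be checked. Where no per-target override exists, `AM_LDFLAGS` also reaches library links, where `-pie` does not belong, which is the library concern the commit message itself raises. I would carry the compiler options in `AM_CFLAGS = @HARDEN_CFLAGS@`, keep `-pie` out of the flags that reach the library link, and add a comment such as `# Hardening flags: per-target *_CFLAGS/*_LDFLAGS override these and must repeat them`.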
@@ -116,6 +116,29 @@ if test "$enable_libselinux" = "yes"; then
 AC_DEFINE([ENABLE_LIBSELINUX], [1], [Enable libselinux])
 fi
+# Enable hardened compile and link flags
+AC_ARG_ENABLE([harden_flags],
+ [AS_HELP_STRING([--enable-harden-flags], [enable hardened compilier and linker flags])],
+ [enable_harden_flags=$enableval],
+ [enable_harden_flags="no"])
+
+# Check that harden CFLAGS and LDFLAGS will compile
+AS_IF([test "$enable_harden_flags" = "yes"],
+ HARDEN_CFLAGS="-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security"
+ [HARDEN_LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now"]
+ [ AC_MSG_CHECKING([compiler supports harden flags])
+ save_harden_cflags="$CFLAGS"
+ CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM(,,)],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]); HARDEN_CFLAGS='']
+ )
+ CFLAGS="$save_harden_cflags"],
+ [HARDEN_CFLAGS=""
+ HARDEN_LDFLAGS=""])
+AC_SUBST([HARDEN_CFLAGS])
+AC_SUBST([HARDEN_LDFLAGS])
+
 # Optional packages - AC_ARG_WITH
 AC_ARG_WITH([ncurses],
 AS_HELP_STRING([--without-ncurses], [build only applications not needing ncurses]),
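Review bot: The probe under `AS_IF` only compiles with `HARDEN_CFLAGS`, so the `HARDEN_LDFLAGS` set (`-pie`, `-Wl,-z,relro`, `-Wl,-z,now`) is never tested, and when the compile check fails only `HARDEN_CFLAGS` is cleared, leaving `-fPIE -pie` on the link line for objects that were not built as PIE. A failed check also lets configure continue after printing `no`, so a build that asked for `--enable-harden-flags` can be produced without the protections and only the configure log says so. I would run the check with `AC_LINK_IFELSE` against both variables and stop with `AC_MSG_ERROR` on failure, as sketched below. The flag set also leaves out `-D_FORTIFY_SOURCE=2`, which the Debian hardening page referenced in the commit message lists as far as I recall; worth confirming whether that omission is intended.

```m4
AS_IF([test "$enable_harden_flags" = "yes"],
dnl … unchanged: HARDEN_CFLAGS and HARDEN_LDFLAGS assignments …
  [ AC_MSG_CHECKING([compiler and linker support harden flags])
    save_harden_cflags="$CFLAGS"
    save_harden_ldflags="$LDFLAGS"
    CFLAGS="$CFLAGS $HARDEN_CFLAGS"
    LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
    AC_LINK_IFELSE([AC_LANG_PROGRAM(,,)],
      [AC_MSG_RESULT([yes])],
      [AC_MSG_RESULT([no])
       AC_MSG_ERROR([--enable-harden-flags requested but the toolchain rejects the hardening flags])]
    )
    CFLAGS="$save_harden_cflags"
    LDFLAGS="$save_harden_ldflags"],
dnl … unchanged: else branch clearing both variables …
```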