From: Craig Small Date: Fri, 27 Jan 2012 02:11:25 +0000 (+1100) Subject: Added hardened CFLAGS X-Git-Tag: v22.16~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9e046f6ee45c5ec3eb55f2a65e189c1622a02537;p=psmisc Added hardened CFLAGS Debian and Ubuntu (at the least) have some CFLAGS that harden the binary for some typical attacks. psmisc now will have these flags on by default but checks the compilier supports them.
---
diff --git a/ChangeLog b/ChangeLog
index c36ba90..cf95c4b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Changes in 22.16
+================
+ * Use strncpy for COMM_LEN and make it 18 characters to cover brackets
+ in name.
+ * Enable some harden AM_CFLAGS by default, use configure option
+ --disable-harden-flags to not use it.
+
 Changes in 22.15
 ================
 * Really apply patch for SF#31110178 RH#651794, SF#3317431
diff --git a/configure.ac b/configure.ac
index 7b0b42b..e7e86fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,10 +1,11 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.61)
-AC_INIT([psmisc],[22.15])
+AC_INIT([psmisc],[22.16])
 AC_CONFIG_SRCDIR([src/comm.h])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_AUX_DIR([config])
 AM_INIT_AUTOMAKE([1.10])
+AC_LANG([C])
 dnl Checks for programs.
 AC_PROG_CC
@@ -12,6 +13,7 @@ AC_PROG_MAKE_SET
 AC_PROG_LN_S
 dnl checks for options
+# SELinux support - off by default
 AC_SUBST([WITH_SELINUX])
 AC_ARG_ENABLE([selinux],
 [AS_HELP_STRING([--enable-selinux], [Enable Security-Enhanced Linux features])],
@@ -24,7 +26,7 @@ if test "$enable_selinux" = "yes"; then
 fi
 AC_SUBST([SELINUX_LIB])
-dnl Call fork before all stat calls to stop hanging on NFS mounts
+# Call fork before all stat calls to stop hanging on NFS mounts
 AC_SUBST([WITH_TIMEOUT_STAT])
 AC_ARG_ENABLE([timeout_stat],
 [AS_HELP_STRING([--enable-timeout-stat], [Use a timeout on stat calls])],
@@ -34,6 +36,12 @@ if test "$enable_timeout_stat" = "yes"; then
 AC_DEFINE([WITH_TIMEOUT_STAT], [1], [Use timeout on stat calls])
 fi
+# Enable hardened compile and link flags
+AC_ARG_ENABLE([harden_flags],
+ [AS_HELP_STRING([--disable-harden-flags], [disable hardened compilier and linker flags])],
+ [enable_harden_flags=$enableval],
+ [enable_harden_flags="yes"])
+
 dnl ipv4 only option
 AC_SUBST([WITH_IPV6])
 AC_ARG_ENABLE([ipv6],
@@ -67,6 +75,20 @@ AC_TYPE_SIZE_T
 AC_CHECK_MEMBERS([struct stat.st_rdev])
 AC_TYPE_UID_T
+# Check that harden CFLAGS will compile
+AS_IF([test "$enable_harden_flags" = "yes"],
+ HARDEN_CFLAGS="-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security"
+ [ AC_MSG_CHECKING([compiler supports harden flags])
+ save_harden_cflags="$CFLAGS"
+ CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM(,,)],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]); HARDEN_CFLAGS='']
+ )
+ CFLAGS="$save_harden_cflags"],
+ [HARDEN_CFLAGS=""])
+AC_SUBST([HARDEN_CFLAGS])
+
 dnl Check for language stuff
 AM_GNU_GETTEXT_VERSION([0.16.1])
 AM_GNU_GETTEXT([external])
diff --git a/src/Makefile.am b/src/Makefile.am
index 4398631..d511f24 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS = -Wall -DLOCALEDIR=\"/usr/share/locale\"
+AM_CFLAGS = -Wall -DLOCALEDIR=\"/usr/share/locale\" @HARDEN_CFLAGS@
 bin_PROGRAMS = fuser killall pstree prtstat
 if WANT_PEEKFD_I386
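Review bot: The help string in the new `AC_ARG_ENABLE([harden_flags], ...)` (configure.ac hunk `@@ -34,6 +36,12 @@`) promises "compilier and linker flags", and the comment above it says "compile and link flags", but the visible hunks only define `HARDEN_CFLAGS` and append it to `AM_CFLAGS`; no linker flag is set anywhere in this commit. Someone reading `./configure --help` would assume more protection than the build applies. Either narrow the text to `[disable hardened compiler flags]`, which also fixes the spelling, or add the link-time hardening in the same change.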
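Review bot: The probe in the `AS_IF` block (configure.ac hunk `@@ -67,6 +75,20 @@`) tests all five flags in one `AC_COMPILE_IFELSE` run, so a compiler that rejects any single flag ends up with `HARDEN_CFLAGS=''` and the build quietly loses `-fstack-protector` and the format checks as well. A compile-only test also does not show that a binary built with `-fstack-protector` links, which presumably matters on platforms where the stack-protector runtime is a separate library. The `HARDEN_CFLAGS="..."` assignment sits outside the `[...]` quoting of the second `AS_IF` argument, so it is left unquoted to m4. I would probe each flag on its own with `AC_LINK_IFELSE` and keep the ones that pass, as sketched below.

```m4
AS_IF([test "$enable_harden_flags" = "yes"],
  [HARDEN_CFLAGS=""
   save_harden_cflags="$CFLAGS"
   for harden_flag in -fstack-protector --param=ssp-buffer-size=4 \
                      -Wformat -Wformat-security -Werror=format-security; do
     AC_MSG_CHECKING([whether the compiler accepts $harden_flag])
     CFLAGS="$save_harden_cflags $HARDEN_CFLAGS $harden_flag"
     AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
       [AC_MSG_RESULT([yes]); HARDEN_CFLAGS="$HARDEN_CFLAGS $harden_flag"],
       [AC_MSG_RESULT([no])])
   done
   CFLAGS="$save_harden_cflags"],
  [HARDEN_CFLAGS=""])
dnl … unchanged: AC_SUBST([HARDEN_CFLAGS]) …
```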