From: Aki Tuomi <cmouse@cmouse.fi>
Date: Sun, 14 Dec 2014 16:17:01 +0000 (+0200)
Subject: Check for PIE, RELRO and stack protector during configure
X-Git-Tag: rec-3.7.0-rc1~109^2~13^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f1ccad0d6555d06bf3c0e790de469a2680eba693;p=pdns

Check for PIE, RELRO and stack protector during configure
---

diff --git a/pdns/Makefile-recursor b/pdns/Makefile-recursor
index 782278330..8d77f12cc 100644
--- a/pdns/Makefile-recursor
+++ b/pdns/Makefile-recursor
@@ -3,12 +3,12 @@ SBINDIR=/usr/sbin/
 BINDIR=/usr/bin/
 SYSCONFDIR=/etc/powerdns/
 LOCALSTATEDIR=/var/run/
-OPTFLAGS?=-O3
+OPTFLAGS?=@CF_PIE@ @CF_FORTIFY@ @CF_STACK@ -O3
 CXXFLAGS:= $(CXXFLAGS) -Iext/rapidjson/include -I$(CURDIR)/ext/polarssl/include -Wall $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -pthread -Iext/yahttp
 CFLAGS:=$(CFLAGS) -Wall $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -I$(CURDIR)/ext/polarssl/include -pthread
-LDFLAGS:=$(LDFLAGS) $(ARCHFLAGS) -pthread
+LDFLAGS:=$(LDFLAGS) $(ARCHFLAGS) -pthread @LD_RELRO@ @LD_PIE@
 STRIP_BINARIES?=1
-
+CXX?=g++
 LINKCC=$(CXX)
 CC?=gcc
 
@@ -29,7 +29,7 @@ rec-carbon.o secpoll-recursor.o
 REC_CONTROL_OBJECTS=rec_channel.o rec_control.o arguments.o misc.o \
 	unix_utility.o logger.o qtype.o
 
-# what we need 
+# what we need
 all: message version_generated.h build
 
 # OS specific instructions
@@ -51,9 +51,9 @@ ifeq ($(STATIC),semi)
 	STATICFLAGS=-Wl,-Bstatic -lstdc++ $(LUALIBS) -lgcc -Wl,-Bdynamic -static-libgcc -lm -lc -ldl
 	LINKCC=$(CC)
 	LDFLAGS += -lm
-else 
+else
    ifeq ($(STATIC),full)
-	STATICFLAGS=-lstdc++ $(LUALIBS) -ldl -lm -static 
+	STATICFLAGS=-lstdc++ $(LUALIBS) -ldl -lm -static
 	LINKCC=$(CC)
    else
 	LDFLAGS +=  $(LUALIBS)
@@ -83,15 +83,15 @@ version_generated.h:
 	echo '#define BUILD_HOST "$(build_host)"' >> $@
 	echo '#endif //!VERSION_GENERATED_H' >> $@
 
-message: 
+message:
 	@echo
 	@echo PLEASE READ: If you get an error mentioning \#include '<boost/something.hpp>', please read README
 	@echo PLEASE READ: for an easy fix!
-	@echo 
+	@echo
 
-basic_checks: 
+basic_checks:
 	@-rm -f pdns_hw
-	-$(CXX) $(CXXFLAGS)  pdns_hw.cc -o pdns_hw 
+	-$(CXX) $(CXXFLAGS)  pdns_hw.cc -o pdns_hw
 	@echo
 	@if test -x ./pdns_hw ; \
 		 then if ./pdns_hw; then echo Everything ok, now run $(MAKE) using same settings \(if any\) you passed ./configure; else echo Could compile binary, but not run it, read README please ; fi; \
@@ -115,7 +115,7 @@ endif
 	$(DESTDIR)/$(SBINDIR)/pdns_recursor --config > $(DESTDIR)/$(SYSCONFDIR)/recursor.conf-dist
 	-mkdir -p $(DESTDIR)/usr/share/man/man1
 	cp pdns_recursor.1 rec_control.1 $(DESTDIR)/usr/share/man/man1
-	$(OS_SPECIFIC_INSTALL)	
+	$(OS_SPECIFIC_INSTALL)
 
 clean: binclean
 	-rm -f dep *~ *.gcda *.gcno optional/*.gcda optional/*.gcno
@@ -131,7 +131,7 @@ dep:
 optional:
 	mkdir optional
 
-pdns_recursor: optional $(OPTIONALS) $(PDNS_RECURSOR_OBJECTS) 
+pdns_recursor: optional $(OPTIONALS) $(PDNS_RECURSOR_OBJECTS)
 	$(LINKCC) $(PDNS_RECURSOR_OBJECTS) $(wildcard optional/*.o) $(LDFLAGS) -o $@
 
 rec_control: $(REC_CONTROL_OBJECTS)
diff --git a/pdns/configure-recursor b/pdns/configure-recursor
index d69172d61..4adf6a51a 100755
--- a/pdns/configure-recursor
+++ b/pdns/configure-recursor
@@ -1,12 +1,85 @@
 #!/bin/sh
+
+set -e
+
+if [ "$CXX" = "" ]; then
+  CXX="g++"
+fi
+
+set -u
+
+LD_RELRO=""
+CF_PIE=""
+LD_PIE=""
+CF_FORTIFY=""
+CF_STACK=""
+
+test_flags() {
+  # test for relocation
+
+  relro=`$CXX -Wl,-help | grep -om1 -- '-z relro'`
+  now=`$CXX -Wl,-help | grep -om1 -- '-z now'`
+
+  if [ "$relro" = "-z relro" ]; then
+    export LD_RELRO="-Wl,-z -Wl,relro"
+    if [ "$now" = "-z now" ]; then
+      export LD_RELRO="$LD_RELRO -Wl,-z -Wl,now"
+    fi
+  fi
+
+  src=conftest.cc
+  cat >$src <<EOF
+int
+main ()
+{
+  return 0;
+}
+EOF
+
+  # test for PIE
+
+  if $CXX $src -c -o a.out -fPIE -fPIC -DPIE; then 
+    if $CXX -pie -o a2.out a.out; then 
+      export CF_PIE="-fPIE -fPIC -DPIE"
+      export LD_PIE="-pie"
+    fi
+    rm -f a2.out
+    rm -f a.out
+  fi
+
+  # test for fortified source
+  if $CXX $src -c -o a.out -O3 -D_FORTIFY_SOURCE=2; then
+    export CF_FORTIFY="-D_FORTIFY_SOURCE=2"
+    rm -f a.out
+  fi
+
+  # test for stack protector
+  if $CXX $src -c -o a.out -O3 -fstack-protector; then
+    export CF_STACK="-fstack-protector"
+    if $CXX $src -c -o a.out -O3 -fstack-protector --param ssp-buffer-size=4; then
+      export CF_STACK="$CF_STACK --param ssp-buffer-size=4"
+    fi
+    rm -f a.out
+  fi
+
+  rm -f $src
+}
+
 echo Testing dependencies and compiler.
 
+test_flags
+
+sed -e "s/@CF_PIE@/$CF_PIE/g" -e "s/@LD_PIE@/$LD_PIE/g" -e "s/@CF_FORTIFY@/$CF_FORTIFY/g"  -e "s/@CF_STACK@/$CF_STACK/g" -e "s/@LD_RELRO@/$LD_RELRO/g" < Makefile.in > Makefile
+
+set +e
 GMAKE=`which gmake`
+set -e
+
 if test -z "$GMAKE"
 then
-	make basic_checks
+    make basic_checks
 else
-	echo Using gmake to build
-	gmake basic_checks
+    echo Using gmake to build
+    gmake basic_checks
 fi
 
diff --git a/pdns/dist-recursor b/pdns/dist-recursor
index b61a03249..cfa5616a6 100755
--- a/pdns/dist-recursor
+++ b/pdns/dist-recursor
@@ -47,7 +47,7 @@ DIRNAME=pdns-recursor-$VERSION
 rm -rf $DIRNAME
 mkdir  $DIRNAME
 cp $INCLUDES $CFILES $DIRNAME
-cp Makefile-recursor $DIRNAME/Makefile
+cp Makefile-recursor $DIRNAME/Makefile.in
 cp README-recursor $DIRNAME/README
 cp ../COPYING ../NOTICE $DIRNAME/
 cp config-recursor.h $DIRNAME/config.h