From 50aacca4b3ee54fbcf7f0903b7b99d2d28eac237 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 22 May 2012 13:26:38 -0400 Subject: [PATCH] Build with -fstack-protector and link with -zrelo where supported. Added --disable-hardening option to disable hardening options. --HG-- branch : 1.7 --- INSTALL | 6 ++ aclocal.m4 | 5 ++ configure | 133 ++++++++++++++++++++++++++++++++++-- configure.in | 27 ++++++-- m4/ax_check_compile_flag.m4 | 72 +++++++++++++++++++ m4/ax_check_link_flag.m4 | 71 +++++++++++++++++++ 6 files changed, 303 insertions(+), 11 deletions(-) create mode 100644 m4/ax_check_compile_flag.m4 create mode 100644 m4/ax_check_link_flag.m4 diff --git a/INSTALL b/INSTALL index 0c2637762..3f653ff94 100644 --- a/INSTALL +++ b/INSTALL @@ -636,6 +636,12 @@ The following options are also configurable at runtime: --enable-werror Enable the -Werror compiler option when building sudo with gcc. + --disable-hardening + Disable the use of compiler/linker exploit mitigation options + which are enabled by default. This includes compiling with + _FORTIFY_SOURCE defined to 2, building with -fstack-protector + and linking with -zrelro, where supported. + --enable-admin-flag Enable the creation of an Ubuntu-style admin flag file the first time sudo is run. diff --git a/aclocal.m4 b/aclocal.m4 index 387c44523..eddc1ce00 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -349,3 +349,8 @@ m4_include([ltoptions.m4]) m4_include([ltsugar.m4]) m4_include([ltversion.m4]) m4_include([lt~obsolete.m4]) +dnl +dnl Pull in other non-standard macros +dnl +m4_include([ax_check_compile_flag.m4]) +m4_include([ax_check_link_flag.m4]) diff --git a/configure b/configure index 412e708e5..8bf95e618 100755 --- a/configure +++ b/configure @@ -863,6 +863,7 @@ enable_env_debug enable_env_reset enable_warnings enable_werror +enable_hardening enable_admin_flag with_selinux enable_gss_krb5_ccache_name @@ -1523,6 +1524,8 @@ Optional Features: --enable-env-reset Whether to enable environment resetting by default. --enable-warnings Whether to enable compiler warnings --enable-werror Whether to enable the -Werror compiler option + --disable-hardening Do not use compiler/linker exploit mitigation + options --enable-admin-flag Whether to create a Ubuntu-style admin flag file --enable-gss-krb5-ccache-name Use GSS-API to set the Kerberos V cred cache name @@ -5543,6 +5546,14 @@ $as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-werror: $enable fi +# Check whether --enable-hardening was given. +if test "${enable_hardening+set}" = set; then : + enableval=$enable_hardening; +else + enable_hardening=yes +fi + + # Check whether --enable-admin-flag was given. if test "${enable_admin_flag+set}" = set; then : enableval=$enable_admin_flag; case "$enableval" in @@ -14541,6 +14552,116 @@ $as_echo "#define volatile /**/" >>confdefs.h fi +if test "$enable_hardening" != "no"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5 +$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; } +if ${ax_cv_check_cflags___fstack_protector+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fstack_protector=yes +else + ax_cv_check_cflags___fstack_protector=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5 +$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; } +if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then : + CFLAGS="${CFLAGS} -fstack-protector" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5 +$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; } +if ${ax_cv_check_ldflags___fstack_protector+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -fstack-protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___fstack_protector=yes +else + ax_cv_check_ldflags___fstack_protector=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5 +$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } +if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : + LDFLAGS="${LDFLAGS} -fstack-protector" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,z,relro" >&5 +$as_echo_n "checking whether the linker accepts -Wl,z,relro... " >&6; } +if ${ax_cv_check_ldflags___Wl_z_relro+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,z,relro" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl_z_relro=yes +else + ax_cv_check_ldflags___Wl_z_relro=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl_z_relro" >&5 +$as_echo "$ax_cv_check_ldflags___Wl_z_relro" >&6; } +if test x"$ax_cv_check_ldflags___Wl_z_relro" = xyes; then : + LDFLAGS="${LDFLAGS} -Wl,z,relro" +else + : +fi + +fi + for ac_prog in 'bison -y' byacc do # Extract the first word of "$ac_prog", so it can be a program name with args. @@ -16144,12 +16265,13 @@ fi fi done -O_CPPFLAGS="$CPPFLAGS" -CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" -ac_fn_c_check_func "$LINENO" "__sprintf_chk" "ac_cv_func___sprintf_chk" +if test "$enable_hardening" != "no"; then + O_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + ac_fn_c_check_func "$LINENO" "__sprintf_chk" "ac_cv_func___sprintf_chk" if test "x$ac_cv_func___sprintf_chk" = xyes; then : - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -16168,7 +16290,8 @@ rm -f core conftest.err conftest.$ac_objext \ fi -CPPFLAGS="$O_CPPFLAGS" + CPPFLAGS="$O_CPPFLAGS" +fi for ac_func in getutxid getutid do : diff --git a/configure.in b/configure.in index bacbebc25..56799bd50 100644 --- a/configure.in +++ b/configure.in @@ -1306,6 +1306,10 @@ AC_ARG_ENABLE(werror, esac ]) +AC_ARG_ENABLE(hardening, +[AS_HELP_STRING([--disable-hardening], [Do not use compiler/linker exploit mitigation options])], +[], [enable_hardening=yes]) + AC_ARG_ENABLE(admin-flag, [AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])], [ case "$enableval" in @@ -1900,6 +1904,15 @@ dnl AC_PROG_GCC_TRADITIONAL AC_C_CONST AC_C_VOLATILE +dnl +dnl Check for -fstack-protector and -z relro support +dnl +if test "$enable_hardening" != "no"; then + AX_CHECK_COMPILE_FLAG([-fstack-protector], [CFLAGS="${CFLAGS} -fstack-protector"]) + AX_CHECK_LINK_FLAG([-fstack-protector], [LDFLAGS="${LDFLAGS} -fstack-protector"]) + AX_CHECK_LINK_FLAG([-Wl,z,relro], [LDFLAGS="${LDFLAGS} -Wl,z,relro"]) +fi + dnl dnl Program checks dnl @@ -2024,12 +2037,14 @@ AC_CHECK_FUNCS(setsid, [], [ dnl dnl If libc supports _FORTIFY_SOURCE check functions, use it. dnl -O_CPPFLAGS="$CPPFLAGS" -CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" -AC_CHECK_FUNC(__sprintf_chk, [ - AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], []) -], []) -CPPFLAGS="$O_CPPFLAGS" +if test "$enable_hardening" != "no"; then + O_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + AC_CHECK_FUNC(__sprintf_chk, [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], []) + ], []) + CPPFLAGS="$O_CPPFLAGS" +fi AC_CHECK_FUNCS(getutxid getutid, [break]) diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4 new file mode 100644 index 000000000..c3a8d695a --- /dev/null +++ b/m4/ax_check_compile_flag.m4 @@ -0,0 +1,72 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4 new file mode 100644 index 000000000..e2d0d363e --- /dev/null +++ b/m4/ax_check_link_flag.m4 @@ -0,0 +1,71 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the linker or gives an error. +# (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the linker's default flags +# when the check is done. The check is thus made with the flags: "LDFLAGS +# EXTRA-FLAGS FLAG". This can for example be used to force the linker to +# issue an error when a bad flag is given. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_CHECK_LINK_FLAG], +[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl +AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [ + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $4 $1" + AC_LINK_IFELSE([AC_LANG_PROGRAM()], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + LDFLAGS=$ax_check_save_flags]) +AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_LINK_FLAGS -- 2.40.0