From bfb7cc84614202b474db8a962b99a7d0b16d7d31 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 4 Nov 2015 16:17:15 +0100
Subject: [PATCH] Add the same hardening options to dnsdist.
PIE, full read-only relocation, stack and buffer overflow protections are present for pdns, add them to dnsdist as well.
---
 pdns/dnsdistdist/Makefile.am | 1 +
 pdns/dnsdistdist/configure.ac | 25 +++++++++++++++++++
 pdns/dnsdistdist/m4/pdns_d_fortify_source.m4 | 1 +
 .../m4/pdns_param_ssp_buffer_size.m4 | 1 +
 pdns/dnsdistdist/m4/pdns_pie.m4 | 1 +
 pdns/dnsdistdist/m4/pdns_relro.m4 | 1 +
 pdns/dnsdistdist/m4/pdns_stack_protector.m4 | 1 +
 pdns/dnsdistdist/m4/warnings.m4 | 1 +
 8 files changed, 32 insertions(+)
 create mode 120000 pdns/dnsdistdist/m4/pdns_d_fortify_source.m4
 create mode 120000 pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4
 create mode 120000 pdns/dnsdistdist/m4/pdns_pie.m4
 create mode 120000 pdns/dnsdistdist/m4/pdns_relro.m4
 create mode 120000 pdns/dnsdistdist/m4/pdns_stack_protector.m4
 create mode 120000 pdns/dnsdistdist/m4/warnings.m4
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index eba8d7af0..75c9b3b55 100644
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -59,6 +59,7 @@ dnsdist_SOURCES = \
 dnsdist_LDFLAGS = \
 $(AM_LDFLAGS) \
+ $(PROGRAM_LDFLAGS) \
 -pthread
 dnsdist_LDADD = \
diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac
index dd2973804..93b3b262a 100644
--- a/pdns/dnsdistdist/configure.ac
+++ b/pdns/dnsdistdist/configure.ac
@@ -17,6 +17,31 @@ DNSDIST_LUA
 AX_CXX_COMPILE_STDCXX_11(ext,mandatory)
 AC_DEFINE([HAVE_MBEDTLS2], [1], [Defined if mbed TLS version 2.x.x is used])
+AC_MSG_CHECKING([whether we will enable compiler security checks])
+AC_ARG_ENABLE([hardening],
+ [AS_HELP_STRING([--disable-hardening],[disable compiler security checks @<:@default=no@:>@])],
+ [enable_hardening=$enableval],
+ [enable_hardening=yes]
+)
+AC_MSG_RESULT([$enable_hardening])
+
+AS_IF([test "x$enable_hardening" != "xno"], [
+ AC_CC_PIE
+ AC_CC_STACK_PROTECTOR
+ AC_CC_PARAM_SSP_BUFFER_SIZE([4])
+ AC_CC_D_FORTIFY_SOURCE
+ AC_LD_RELRO
+])
+
+LDFLAGS="$RELRO_LDFLAGS $LDFLAGS"
+
+AS_IF([test "x$static" != "xyes"], [
+ CFLAGS="$PIE_CFLAGS $CFLAGS"
+ CXXFLAGS="$PIE_CFLAGS $CXXFLAGS"
+ PROGRAM_LDFLAGS="$PIE_LDFLAGS $PROGRAM_LDFLAGS"
+])
+AC_SUBST([PROGRAM_LDFLAGS])
+
 AC_CONFIG_FILES([Makefile ext/yahttp/Makefile ext/yahttp/yahttp/Makefile])
diff --git a/pdns/dnsdistdist/m4/pdns_d_fortify_source.m4 b/pdns/dnsdistdist/m4/pdns_d_fortify_source.m4
new file mode 120000
index 000000000..8aa713e9a
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_d_fortify_source.m4
@@ -0,0 +1 @@
+../../../m4/pdns_d_fortify_source.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4 b/pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4
new file mode 120000
index 000000000..4058fe202
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4
@@ -0,0 +1 @@
+../../../m4/pdns_param_ssp_buffer_size.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_pie.m4 b/pdns/dnsdistdist/m4/pdns_pie.m4
new file mode 120000
index 000000000..18120c0f5
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_pie.m4
@@ -0,0 +1 @@
+../../../m4/pdns_pie.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_relro.m4 b/pdns/dnsdistdist/m4/pdns_relro.m4
new file mode 120000
index 000000000..1f591df4e
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_relro.m4
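Review bot: In the configure.ac hunk, the guard `AS_IF([test "x$static" != "xyes"], [` around the PIE flags reads a shell variable that none of the added lines set, so unless dnsdist's configure.ac assigns `static` outside this hunk the test is always true and the static-build exception carried over from the pdns script never applies. Either drop the guard or state where the value comes from, e.g. `dnl $static is set by OPTION-PLACEHOLDER; PIE is skipped for static builds`. Also, `AC_MSG_RESULT([$enable_hardening])` reports what was requested rather than which flags the toolchain accepted; the AC_CC_* and AC_LD_RELRO macros live in the symlinked m4 files and are not visible here, so if they skip unsupported flags without failing, an `AC_MSG_NOTICE` of the final `$PIE_CFLAGS`, `$PIE_LDFLAGS` and `$RELRO_LDFLAGS` at the end of this block would let packagers confirm the binary is actually hardened.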
@@ -0,0 +1 @@
+../../../m4/pdns_relro.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_stack_protector.m4 b/pdns/dnsdistdist/m4/pdns_stack_protector.m4
new file mode 120000
index 000000000..ba05f6618
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_stack_protector.m4
@@ -0,0 +1 @@
+../../../m4/pdns_stack_protector.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/warnings.m4 b/pdns/dnsdistdist/m4/warnings.m4
new file mode 120000
index 000000000..ec2d33fa9
--- /dev/null
+++ b/pdns/dnsdistdist/m4/warnings.m4
@@ -0,0 +1 @@
+../../../m4/warnings.m4
\ No newline at end of file
--
2.40.0