From d6e5e9401939f41ba8fe1a10e723e669210dfb4e Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 15 Aug 2014 16:18:02 +0300 Subject: [PATCH] relro, stack-protector and pie compile flags --- configure.ac | 11 +++++- m4/pdns_pie.m4 | 35 +++++++++++++++++++ m4/pdns_relro.m4 | 35 +++++++++++++++++++ m4/pdns_stack_protector.m4 | 26 ++++++++++++++ m4/warnings.m4 | 70 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 176 insertions(+), 1 deletion(-) create mode 100644 m4/pdns_pie.m4 create mode 100644 m4/pdns_relro.m4 create mode 100644 m4/pdns_stack_protector.m4 create mode 100644 m4/warnings.m4 diff --git a/configure.ac b/configure.ac index c5c8ace5e..89f27d0bd 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability sub AM_SILENT_RULES([yes]) AC_CANONICAL_HOST -: ${CXXFLAGS="-Wall -O2"} +: ${CXXFLAGS="-Wall -O2 -D_FORTIY_SOURCE=2"} AC_PROG_CC AM_PROG_CC_C_O @@ -30,6 +30,9 @@ AS_IF([test "x$CXX" = "xno" || test "x$CXX:x$GXX" = "xg++:x"], AC_LANG([C++]) +AC_CC_PIE +AC_CC_STACK_PROTECTOR + AC_CHECK_FUNC([socket], [], [ AC_CHECK_LIB([socket], [socket], [LIBS="-lsocket $LIBS"]) ]) @@ -44,6 +47,8 @@ AC_PROG_LIBTOOL([disable-static]) LT_INIT([disable-static]) ]) +AC_LD_RELRO + MC_TM_GMTOFF AM_CONDITIONAL([RELEASE_BUILD], [test "$PACKAGE_VERSION" != "git"]) @@ -325,6 +330,10 @@ for a in $dynmodules; do moduledirs="$moduledirs ${a}backend" done +CFLAGS="$CFLAGS $PIE_CFLAGS" +CXXFLAGS="$CXXFLAGS $PIE_CFLAGS" +LDFLAGS="$LDFLAGS $RELRO_LDFLAGS" + AC_SUBST(LIBS) AC_SUBST([AM_CPPFLAGS], ['-I$(top_builddir) -I$(top_srcdir)']) diff --git a/m4/pdns_pie.m4 b/m4/pdns_pie.m4 new file mode 100644 index 000000000..df5e9c783 --- /dev/null +++ b/m4/pdns_pie.m4 
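Review bot: The macro name in the new default `CXXFLAGS` is misspelled as `-D_FORTIY_SOURCE=2`, so the compiler defines a symbol nothing reads and the libc fortified checks are never switched on. The line should read `: ${CXXFLAGS="-Wall -O2 -D_FORTIFY_SOURCE=2"}`. Because this default applies only when the user has not set `CXXFLAGS`, and C sources never see it, the define would be more dependable appended to `CPPFLAGS`. Fortification also only takes effect with optimisation enabled, which the `-O2` here guarantees only in the default case.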
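Review bot: `$PIE_LDFLAGS` is computed by AC_CC_PIE but never added to any link flags; the final configure.ac hunk appends only `$PIE_CFLAGS` and `$RELRO_LDFLAGS`, so objects are built with `-fPIE` while the link step omits `-pie` and the executables are presumably still not position independent. Per the diffstat, nothing else in this patch consumes `PIE_LDFLAGS`. Since `-pie` must not reach the link of shared modules, it is probably better applied per program in the relevant Makefile.am, e.g. `<program>_LDFLAGS = $(AM_LDFLAGS) $(PIE_LDFLAGS)` (placeholder name), than globally in `LDFLAGS`. A short comment above the three assignments, such as `dnl hardening: PIE objects, RELRO and immediate binding at link time`, would also record why the user's flags are being extended.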
@@ -0,0 +1,35 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([AC_CC_PIE],[
+ PIE_CFLAGS=
+ PIE_LDFLAGS=
+ case "$host" in
+ *-*-mingw* | *-*-msvc* | *-*-cygwin* )
+ ;; dnl All code is position independent on Win32 target
+ *)
+ gl_COMPILER_OPTION_IF([-fPIE -DPIE], [
+ PIE_CFLAGS="-fPIE -DPIE"
+ PIE_LDFLAGS="-pie"
+ ])
+ esac
+ AC_SUBST([PIE_CFLAGS])
+ AC_SUBST([PIE_LDFLAGS])
+])
diff --git a/m4/pdns_relro.m4 b/m4/pdns_relro.m4
new file mode 100644
index 000000000..3b51bd3c7
--- /dev/null
+++ b/m4/pdns_relro.m4
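Review bot: `PIE_LDFLAGS="-pie"` in m4/pdns_pie.m4 is set on the strength of a compile-only probe: gl_COMPILER_OPTION_IF (m4/warnings.m4) runs AC_COMPILE_IFELSE, so nothing verifies that the toolchain can actually link a `-pie` executable. The same applies to the `-fstack-protector` probe in m4/pdns_stack_protector.m4, where some platforms need a support library at link time. Adding a link test inside the success branch lets configure fall back cleanly instead of failing later in the build. As a style point, the `AC_` prefix is reserved for Autoconf's own macros; a project prefix such as `PDNS_CC_PIE` would match the file name.

```m4
    dnl … unchanged: PIE_CFLAGS/PIE_LDFLAGS reset and the Win32 case …
    *)
      gl_COMPILER_OPTION_IF([-fPIE -DPIE], [
        dnl Compile probe passed; confirm that a -pie link works as well.
        dnl CXXFLAGS is used because configure.ac invokes this macro with
        dnl C++ as the current language.
        pdns_pie_save_CXXFLAGS="$CXXFLAGS"
        pdns_pie_save_LDFLAGS="$LDFLAGS"
        CXXFLAGS="$CXXFLAGS -fPIE -DPIE"
        LDFLAGS="$LDFLAGS -pie"
        AC_LINK_IFELSE([AC_LANG_PROGRAM([])], [
          PIE_CFLAGS="-fPIE -DPIE"
          PIE_LDFLAGS="-pie"
        ])
        CXXFLAGS="$pdns_pie_save_CXXFLAGS"
        LDFLAGS="$pdns_pie_save_LDFLAGS"
      ])
    dnl … unchanged: esac and the two AC_SUBST calls …
```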
@@ -0,0 +1,35 @@
+dnl
+dnl Check for -z now and -z relro linker flags
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([AC_LD_RELRO],[
+ AC_MSG_CHECKING([for how to force completely read-only GOT table])
+
+ RELRO_LDFLAGS=
+ ld_help=`$LD --help 2>&1`
+ case $ld_help in
+ *"-z relro"*) RELRO_LDFLAGS="-Wl,-z -Wl,relro" ;;
+ esac
+ case $ld_help in
+ *"-z now"*) RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now" ;;
+ esac
+ AC_SUBST([RELRO_LDFLAGS])
+
+ AC_MSG_RESULT([$RELRO_LDFLAGS])
+])
diff --git a/m4/pdns_stack_protector.m4 b/m4/pdns_stack_protector.m4
new file mode 100644
index 000000000..4b7d26370
--- /dev/null
+++ b/m4/pdns_stack_protector.m4
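Review bot: The RELRO probe in m4/pdns_relro.m4 trusts the text of `$LD --help` rather than a trial link, and `$LD` is used unquoted and unchecked. If it is empty, or names a linker other than the one the compiler driver invokes, `RELRO_LDFLAGS` silently ends up empty and the build loses RELRO and immediate binding with only a blank result line to show for it. At minimum the result should make that visible, e.g. `AS_IF([test -z "$RELRO_LDFLAGS"], [AC_MSG_RESULT([none])], [AC_MSG_RESULT([$RELRO_LDFLAGS])])`; a link test with the candidate flags would be more reliable than matching help output. The macro presumably depends on being expanded after the libtool setup that defines `LD`, which configure.ac does, and that ordering requirement deserves a `dnl` comment above the AC_DEFUN.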
@@ -0,0 +1,26 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([AC_CC_STACK_PROTECTOR],[
+ gl_COMPILER_OPTION_IF([-fstack-protector], [
+ CFLAGS="$CFLAGS -fstack-protector"
+ CXXFLAGS="$CXXFLAGS -fstack-protector"
+ ])
+])
diff --git a/m4/warnings.m4 b/m4/warnings.m4
new file mode 100644
index 000000000..184873283
--- /dev/null
+++ b/m4/warnings.m4
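Review bot: The header comment of m4/pdns_stack_protector.m4 still reads `Check for support for position independent executables`, copied from pdns_pie.m4; it should say something like `dnl Check for compiler support for -fstack-protector`. Plain `-fstack-protector` instruments only functions that contain character arrays above a size threshold, so where the compiler accepts it `-fstack-protector-strong` gives noticeably wider coverage; probing that first and falling back to the plain flag would be a cheap improvement. Unlike AC_CC_PIE, this macro writes straight into `CFLAGS` and `CXXFLAGS` instead of exporting a substituted variable, which makes the flag hard to drop for a single target.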
@@ -0,0 +1,70 @@
+# warnings.m4 serial 8
+dnl Copyright (C) 2008-2013 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Simon Josefsson
+
+# gl_AS_VAR_APPEND(VAR, VALUE)
+# ----------------------------
+# Provide the functionality of AS_VAR_APPEND if Autoconf does not have it.
+m4_ifdef([AS_VAR_APPEND],
+[m4_copy([AS_VAR_APPEND], [gl_AS_VAR_APPEND])],
+[m4_define([gl_AS_VAR_APPEND],
+[AS_VAR_SET([$1], [AS_VAR_GET([$1])$2])])])
+
+
+# gl_COMPILER_OPTION_IF(OPTION, [IF-SUPPORTED], [IF-NOT-SUPPORTED],
+# [PROGRAM = AC_LANG_PROGRAM()])
+# -----------------------------------------------------------------
+# Check if the compiler supports OPTION when compiling PROGRAM.
+#
+# FIXME: gl_Warn must be used unquoted until we can assume Autoconf
+# 2.64 or newer.
+AC_DEFUN([gl_COMPILER_OPTION_IF],
+[AS_VAR_PUSHDEF([gl_Warn], [gl_cv_warn_[]_AC_LANG_ABBREV[]_$1])dnl
+AS_VAR_PUSHDEF([gl_Flags], [_AC_LANG_PREFIX[]FLAGS])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler handles $1], m4_defn([gl_Warn]), [
+ gl_save_compiler_FLAGS="$gl_Flags"
+ gl_AS_VAR_APPEND(m4_defn([gl_Flags]), [" $gl_unknown_warnings_are_errors $1"])
+ AC_COMPILE_IFELSE([m4_default([$4], [AC_LANG_PROGRAM([])])],
+ [AS_VAR_SET(gl_Warn, [yes])],
+ [AS_VAR_SET(gl_Warn, [no])])
+ gl_Flags="$gl_save_compiler_FLAGS"
+])
+AS_VAR_IF(gl_Warn, [yes], [$2], [$3])
+AS_VAR_POPDEF([gl_Flags])dnl
+AS_VAR_POPDEF([gl_Warn])dnl
+])
+
+# gl_UNKNOWN_WARNINGS_ARE_ERRORS
+# ------------------------------
+# Clang doesn't complain about unknown warning options unless one also
+# specifies -Wunknown-warning-option -Werror. Detect this.
+AC_DEFUN([gl_UNKNOWN_WARNINGS_ARE_ERRORS],
+[gl_COMPILER_OPTION_IF([-Werror -Wunknown-warning-option],
+ [gl_unknown_warnings_are_errors='-Wunknown-warning-option -Werror'],
+ [gl_unknown_warnings_are_errors=])])
+
+# gl_WARN_ADD(OPTION, [VARIABLE = WARN_CFLAGS],
+# [PROGRAM = AC_LANG_PROGRAM()])
+# ---------------------------------------------
+# Adds parameter to WARN_CFLAGS if the compiler supports it when
+# compiling PROGRAM. For example, gl_WARN_ADD([-Wparentheses]).
+#
+# If VARIABLE is a variable name, AC_SUBST it.
+AC_DEFUN([gl_WARN_ADD],
+[AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+gl_COMPILER_OPTION_IF([$1],
+ [gl_AS_VAR_APPEND(m4_if([$2], [], [[WARN_CFLAGS]], [[$2]]), [" $1"])],
+ [],
+ [$3])
+m4_ifval([$2],
+ [AS_LITERAL_IF([$2], [AC_SUBST([$2])])],
+ [AC_SUBST([WARN_CFLAGS])])dnl
+])
+
+# Local Variables:
+# mode: autoconf
+# End:
--
2.40.0