set hardened compiler/linker flags by default

2025-02-07 05:17:28 +00:00 · 2017-06-24 00:42:20 +08:00 · 2017-06-24 00:42:20 +08:00 · 521e63529c
commit 521e63529c
parent 24b446705b
1 changed files with 63 additions and 4 deletions
--- a/configure.ac
+++ b/configure.ac
@ -19,6 +19,7 @@ if test -z "$LD" ; then
 fi
 AC_SUBST(LD)	

+# set compile flags prior to other tests
 if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then
 	AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC)
 	CFLAGS="-Os -W -Wall -Wno-pointer-sign"
@ -29,12 +30,70 @@ OLDCFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -fno-strict-overflow"
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
    [AC_MSG_RESULT(yes)], 
-    [
-        AC_MSG_RESULT(no)
-        CFLAGS=$OLDCFLAGS
-    ]
+    [AC_MSG_RESULT(no); CFLAGS="$OLDCFLAGS" ]
    )

+hardenbuild=1
+AC_ARG_ENABLE(harden,
+	[  --disable-harden          Don't set hardened build flags],
+	[
+		if test "x$enableval" = "xno"; then
+			hardenbuild=0
+			AC_MSG_NOTICE(Disabling hardened build flags)
+		fi
+	], [])
+
+if test "$hardenbuild" -eq 1; then
+	AC_MSG_NOTICE(Checking for available hardened build flags:)
+	# pie
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-fPIE"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+	    )
+	OLDLDFLAGS="$LDFLAGS"
+	TESTFLAGS="-Wl,-pie"
+	LDFLAGS="$LDFLAGS $TESTFLAGS"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+	    )
+	# readonly elf relocation sections (relro)
+	OLDLDFLAGS="$LDFLAGS"
+	TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+	LDFLAGS="$LDFLAGS $TESTFLAGS"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+	    )
+	# stack protector. -strong is good but only in gcc 4.9 or later
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-fstack-protector-strong"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [
+			CFLAGS="$OLDCFLAGS"
+			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+			CFLAGS="$CFLAGS $TESTFLAGS"
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+			    )
+	    ]
+	    )
+	# FORTIFY_SOURCE
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-D_FORTIFY_SOURCE=2"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+	    )
+fi
+
 # large file support is useful for scp
 AC_SYS_LARGEFILE