ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-02-11 23:23:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

set hardened compiler/linker flags by default

Browse Source
This commit is contained in:
Matt Johnston 2017-06-24 00:42:20 +08:00
parent 24b446705b
commit 521e63529c
1 changed files with 63 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
configure.ac
View File

@ -19,6 +19,7 @@ if test -z "$LD" ; then
fi fi
AC_SUBST(LD) AC_SUBST(LD)
# set compile flags prior to other tests
if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then
AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC) AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC)
CFLAGS="-Os -W -Wall -Wno-pointer-sign" CFLAGS="-Os -W -Wall -Wno-pointer-sign"
@ -29,12 +30,70 @@ OLDCFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fno-strict-overflow" CFLAGS="$CFLAGS -fno-strict-overflow"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_RESULT(yes)], [AC_MSG_RESULT(yes)],
[ [AC_MSG_RESULT(no); CFLAGS="$OLDCFLAGS" ]
AC_MSG_RESULT(no)
CFLAGS=$OLDCFLAGS
]
) )
hardenbuild=1
AC_ARG_ENABLE(harden,
[ --disable-harden Don't set hardened build flags],
[
if test "x$enableval" = "xno"; then
hardenbuild=0
AC_MSG_NOTICE(Disabling hardened build flags)
fi
], [])
if test "$hardenbuild" -eq 1; then
AC_MSG_NOTICE(Checking for available hardened build flags:)
# pie
OLDCFLAGS="$CFLAGS"
TESTFLAGS="-fPIE"
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
)
OLDLDFLAGS="$LDFLAGS"
TESTFLAGS="-Wl,-pie"
LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
)
# readonly elf relocation sections (relro)
OLDLDFLAGS="$LDFLAGS"
TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
)
# stack protector. -strong is good but only in gcc 4.9 or later
OLDCFLAGS="$CFLAGS"
TESTFLAGS="-fstack-protector-strong"
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[
CFLAGS="$OLDCFLAGS"
TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
)
]
)
# FORTIFY_SOURCE
OLDCFLAGS="$CFLAGS"
TESTFLAGS="-D_FORTIFY_SOURCE=2"
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
)
fi
# large file support is useful for scp # large file support is useful for scp
AC_SYS_LARGEFILE AC_SYS_LARGEFILE