From 168937e6c8d09d126458a4b698ce46f6e9560cf2 Mon Sep 17 00:00:00 2001 From: Brian Aker Date: Sat, 4 Aug 2012 21:21:30 -0400 Subject: [PATCH] Update how hardening is done. --- configure.ac | 22 ++--------- m4/ax_check_link_flag.m4 | 71 +++++++++++++++++++++++++++++++++ m4/ax_harden_compiler_flags.m4 | 72 ++++++++++++++++++++++++++++++++++ 3 files changed, 146 insertions(+), 19 deletions(-) create mode 100644 m4/ax_check_link_flag.m4 create mode 100644 m4/ax_harden_compiler_flags.m4 diff --git a/configure.ac b/configure.ac index 7b6127a0..eeaccd82 100644 --- a/configure.ac +++ b/configure.ac @@ -80,17 +80,7 @@ AM_CONDITIONAL(BUILDING_GEARMAN, false) AC_SEARCH_LIBS(getopt_long, gnugetopt) AC_SEARCH_LIBS(gethostbyname, nsl) -case "$target_os" in - *linux*) - AS_IF([test "x$GCC" = "xyes"], - [ - LDFLAGS="$LDFLAGS -z relro -z now" - ]) - ;; - esac - dnl Specialty checks -AX_PTHREAD AX_CXX_CINTTYPES CONFIG_EXTRA DETECT_BYTEORDER @@ -103,6 +93,7 @@ PROTOCOL_BINARY_TEST ENABLE_DEPRECATED AC_CHECK_FUNCS([alarm]) +AC_CHECK_FUNCS([clock_gettime]) AC_CHECK_FUNCS([dup2]) AC_CHECK_FUNCS([getline]) AC_CHECK_FUNCS([gettimeofday]) @@ -295,15 +286,8 @@ fi AX_CHECK_SOCK_CLOEXEC([AC_DEFINE([HAVE_SOCK_CLOEXEC], [1], [Check for SOCK_CLOEXEC.])], [AC_DEFINE([HAVE_SOCK_CLOEXEC], [0], [Check for SOCK_CLOEXEC.])]) -AX_APPEND_COMPILE_FLAGS([-Werror -Wall]) -AX_APPEND_COMPILE_FLAGS([-Werror -Wextra]) -AX_APPEND_COMPILE_FLAGS([-Werror -Wmaybe-uninitialized]) -AX_APPEND_COMPILE_FLAGS([-Werror -Wsign-compare]) -AX_APPEND_COMPILE_FLAGS([-Werror -Wunused-result]) -AX_APPEND_COMPILE_FLAGS([-Werror -Wunused-variable]) -AX_APPEND_COMPILE_FLAGS([-Werror -floop-parallelize-all]) -AX_APPEND_COMPILE_FLAGS([-Werror -fstack-protector-all]) -AX_APPEND_COMPILE_FLAGS([-Werror -ggdb]) +AX_HARDEN_COMPILER_FLAGS +AX_PTHREAD AC_CONFIG_FILES([ Makefile diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4 new file mode 100644 index 00000000..e2d0d363 --- /dev/null +++ b/m4/ax_check_link_flag.m4 
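Review bot: Removing `LDFLAGS="$LDFLAGS -z relro -z now"` in the first configure.ac hunk drops RELRO and immediate binding from the link. The replacement in m4/ax_harden_compiler_flags.m4 calls `AX_CHECK_LINK_FLAG([-z relro -z now])` with no ACTION-SUCCESS, and the macro as added in this patch expands to `:` in that case, so the flag is probed and cached but never reaches LDFLAGS. The same holds for `AX_CHECK_LINK_FLAG([-Werror])`. Pass the append as the success action, e.g. `AX_CHECK_LINK_FLAG([-z relro -z now], [LDFLAGS="$LDFLAGS -z relro -z now"])`. Then confirm on a built binary that `readelf -l` shows a GNU_RELRO segment and `readelf -d` shows BIND_NOW.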
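Review bot: In the third configure.ac hunk `AX_PTHREAD` now runs after `AX_HARDEN_COMPILER_FLAGS`, so the pthread probes would compile with `-Werror` and the full warning set, assuming the macro appends to the compiler flag variables (the definition of AX_APPEND_COMPILE_FLAGS is not on this page). A probe program that triggers any warning would then be reported as "feature missing", and detection could fail without a visible error on some toolchains. Unless the reordering is deliberate, keep feature checks ahead of the hardening macro: `AX_PTHREAD` on the line before `AX_HARDEN_COMPILER_FLAGS`. A one-line `dnl` comment saying that the hardening macro must stay the last check would keep later additions from repeating the problem.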
@@ -0,0 +1,71 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the linker or gives an error.
+# (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the linker's default flags
+# when the check is done. The check is thus made with the flags: "LDFLAGS
+# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
+# issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim
+# Copyright (c) 2011 Maarten Bosmans
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see .
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS $4 $1"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ LDFLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
diff --git a/m4/ax_harden_compiler_flags.m4 b/m4/ax_harden_compiler_flags.m4
new file mode 100644
index 00000000..b8474321
--- /dev/null
+++ b/m4/ax_harden_compiler_flags.m4
@@ -0,0 +1,72 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_append_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_HARDEN_COMPILER_FLAGS
+#
+# DESCRIPTION
+#
+# Any compiler flag that "hardens" or tests code.
+#
+# NOTE: Implementation based on AX_APPEND_FLAG.
+#
+# LICENSE
+#
+# Copyright (C) 2012 Brian Aker
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * The names of its contributors may not be used to endorse or
+# promote products derived from this software without specific prior
+# written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#serial 1
+
+AC_DEFUN([AX_HARDEN_COMPILER_FLAGS],
+[AC_REQUIRE([AX_CHECK_COMPILE_FLAG])
+AC_REQUIRE([AX_APPEND_FLAG])
+AC_REQUIRE([AX_CHECK_LINK_FLAG])
+AX_APPEND_COMPILE_FLAGS([-O2])
+AX_APPEND_COMPILE_FLAGS([-Werror])
+AX_APPEND_COMPILE_FLAGS([-Wall])
+AX_APPEND_COMPILE_FLAGS([-Wextra])
+AX_APPEND_COMPILE_FLAGS([-Wmaybe-uninitialized])
+AX_APPEND_COMPILE_FLAGS([-Wsign-compare])
+AX_APPEND_COMPILE_FLAGS([-Wunused-result])
+AX_APPEND_COMPILE_FLAGS([-Wunused-variable])
+AX_APPEND_COMPILE_FLAGS([-floop-parallelize-all])
+AX_APPEND_COMPILE_FLAGS([-fstack-protector-all])
+AX_APPEND_COMPILE_FLAGS([-ggdb])
+AX_APPEND_COMPILE_FLAGS([-fstack-protector-all])
+AX_APPEND_COMPILE_FLAGS([-Wstack-protector])
+AX_APPEND_COMPILE_FLAGS([-fwrapv])
+AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
+AX_APPEND_COMPILE_FLAGS([--param],[ssp-buffer-size=1])
+AX_CHECK_LINK_FLAG([-Werror])
+AX_CHECK_LINK_FLAG([-z relro -z now])
+])dnl AX_HARDEN_COMPILER_FLAGS
-- 2.30.2
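Review bot: `AX_APPEND_COMPILE_FLAGS([--param],[ssp-buffer-size=1])` most likely does not set the stack-protector buffer threshold. In the autoconf-archive macro the second argument names the flags variable rather than continuing the flag, so `--param` would be probed on its own; the definition is not on this page, so confirm against the copy in m4/. If the compiler accepts the joined spelling, use a single token: `AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])`. `-D_FORTIFY_SOURCE=2` only takes effect when optimization is on, so it silently depends on the `-O2` probe succeeding, and as a preprocessor define it fits CPPFLAGS better than the compile flags. Smaller cleanups: `-fstack-protector-all` is appended twice, and the header URL still points at ax_append_flag.html.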