authorMatt Johnston <matt@ucc.asn.au>2017-06-24 00:42:20 +0800
committerMatt Johnston <matt@ucc.asn.au>2017-06-24 00:42:20 +0800
commit521e63529c42513c06a8caa27ef22e93a63e9c38 (patch)
tree38aab6a8b5933a697197317a00e5c40ee9d66932 /configure.ac
parent24b446705b68a2d9ee859c1d06e417ac88a2a416 (diff)
set hardened compiler/linker flags by default
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac67
1 files changed, 63 insertions, 4 deletions
diff --git a/configure.ac b/configure.ac
index 6f55c71..5d792df 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,6 +19,7 @@ if test -z "$LD" ; then
fi
AC_SUBST(LD)
+# set compile flags prior to other tests
if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then
AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC)
CFLAGS="-Os -W -Wall -Wno-pointer-sign"
@@ -29,12 +30,70 @@ OLDCFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fno-strict-overflow"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_RESULT(yes)],
- [
- AC_MSG_RESULT(no)
- CFLAGS=$OLDCFLAGS
- ]
+ [AC_MSG_RESULT(no); CFLAGS="$OLDCFLAGS" ]
)
+hardenbuild=1
+AC_ARG_ENABLE(harden,
+ [ --disable-harden Don't set hardened build flags],
+ [
+ if test "x$enableval" = "xno"; then
+ hardenbuild=0
+ AC_MSG_NOTICE(Disabling hardened build flags)
+ fi
+ ], [])
+
+if test "$hardenbuild" -eq 1; then
+ AC_MSG_NOTICE(Checking for available hardened build flags:)
+ # pie
+ OLDCFLAGS="$CFLAGS"
+ TESTFLAGS="-fPIE"
+ CFLAGS="$CFLAGS $TESTFLAGS"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+ [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+ [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+ )
+ OLDLDFLAGS="$LDFLAGS"
+ TESTFLAGS="-Wl,-pie"
+ LDFLAGS="$LDFLAGS $TESTFLAGS"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+ [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+ [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+ )
+ # readonly elf relocation sections (relro)
+ OLDLDFLAGS="$LDFLAGS"
+ TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+ LDFLAGS="$LDFLAGS $TESTFLAGS"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+ [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+ [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+ )
+ # stack protector. -strong is good but only in gcc 4.9 or later
+ OLDCFLAGS="$CFLAGS"
+ TESTFLAGS="-fstack-protector-strong"
+ CFLAGS="$CFLAGS $TESTFLAGS"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+ [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+ [
+ CFLAGS="$OLDCFLAGS"
+ TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+ CFLAGS="$CFLAGS $TESTFLAGS"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+ [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+ [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+ )
+ ]
+ )
+ # FORTIFY_SOURCE
+ OLDCFLAGS="$CFLAGS"
+ TESTFLAGS="-D_FORTIFY_SOURCE=2"
+ CFLAGS="$CFLAGS $TESTFLAGS"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+ [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+ [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+ )
+fi
+
# large file support is useful for scp
AC_SYS_LARGEFILE
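Review bot: The stack-protector and FORTIFY_SOURCE probes cannot fail for the reasons that matter, because each one only compiles an empty `AC_LANG_PROGRAM([])`. An empty `main` gets no canary and is never linked, so a toolchain whose libc lacks `__stack_chk_fail` would pass the probe and then break at the final link; using `AC_LINK_IFELSE` here, with a test body that keeps a local `char` buffer live, would catch that at configure time. `-D_FORTIFY_SOURCE=2` is only a macro definition, so its probe always reports "Setting", yet with glibc it has no effect unless optimisation is enabled, which user-supplied CFLAGS may not do (the `-Os` default in the first hunk applies only when no CFLAGS were given). Rejected flags are reported through `AC_MSG_NOTICE` alone, so a build that ends up unhardened looks the same as a hardened one unless the configure log is read; a one-line summary of the flags actually applied, printed at the end of configure, would make that visible.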