added --enable-gccprotect to optionally detect and enable compile time protections

16 years ago · 98b9009b24
parent 746d12071e
commit 98b9009b24
1 changed files with 57 additions and 0 deletions
--- a/configure.in
+++ b/configure.in
@ -55,7 +55,64 @@ AC_INIT(configure.in)
    AC_FUNC_REALLOC
    AC_CHECK_FUNCS([gettimeofday memset strcasecmp strchr strdup strerror strncasecmp strtol strtoul])

+#Enable support for gcc compile time security options. There is no great way to do detection of valid cflags that I have found
+#AX_CFLAGS_GCC_OPTION don't seem to do a better job than the code below and are a pain because of extra m4 files etc.
+#These flags seem to be supported on CentOS 5+, Ubuntu 8.04+, and FedoreCore 11+
+#Options are taken from https://wiki.ubuntu.com/CompilerFlags
+    AC_ARG_ENABLE(gccprotect,
+            [  --enable-gccprotect  Detect and use gcc hardening options],
+            [ enable_gccprotect=yes
+            ])

+    if test "$enable_gccprotect" = "yes"; then
+        #buffer overflow protection
+        AC_MSG_CHECKING(for -fstack-protector)
+        TMPCFLAGS="${CFLAGS}"
+        CFLAGS="${CFLAGS} -fstack-protector"
+        AC_TRY_LINK(,,SECCFLAGS="${SECCFLAGS} -fstack-protector"
+        AC_MSG_RESULT(yes),
+        AC_MSG_RESULT(no))
+        CFLAGS="${TMPCFLAGS}"
+
+        #compile-time best-practices errors for certain libc functions, provides checks of buffer lengths and memory regions
+        AC_MSG_CHECKING(for -D_FORTIFY_SOURCE=2)
+        TMPCFLAGS="${CFLAGS}"
+        CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+        AC_TRY_COMPILE(,,SECCFLAGS="${SECCFLAGS} -D_FORTIFY_SOURCE=2"
+        AC_MSG_RESULT(yes),
+        AC_MSG_RESULT(no))
+        CFLAGS="${TMPCFLAGS}"
+
+        #compile-time warnings about misuse of format strings
+        AC_MSG_CHECKING(for -Wformat -Wformat-security)
+        TMPCFLAGS="${CFLAGS}"
+        CFLAGS="${CFLAGS} -Wformat -Wformat-security"
+        AC_TRY_COMPILE(,,SECCFLAGS="${SECCFLAGS} -Wformat -Wformat-security"
+        AC_MSG_RESULT(yes),
+        AC_MSG_RESULT(no))
+        CFLAGS="${TMPCFLAGS}"
+
+        #provides a read-only relocation table area in the final ELF
+        AC_MSG_CHECKING(for -z relro)
+        TMPLDFLAGS="${LDFLAGS}"
+        LDFLAGS="${LDFLAGS} -z relro"
+        AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z relro"
+        AC_MSG_RESULT(yes),
+        AC_MSG_RESULT(no))
+        LDFLAGS="${TMPLDFLAGS}"
+
+        #forces all relocations to be resolved at run-time
+        AC_MSG_CHECKING(for -z now)
+        TMPLDFLAGS="${LDFLAGS}"
+        LDFLAGS="${LDFLAGS} -z now"
+        AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z now"
+        AC_MSG_RESULT(yes),
+        AC_MSG_RESULT(no))
+        LDFLAGS="${TMPLDFLAGS}"
+
+        CFLAGS="${CFLAGS} ${SECCFLAGS}"
+        LDFLAGS="${LDFLAGS} ${SECLDFLAGS}"
+    fi
 #libpcre
    AC_ARG_WITH(libpcre_includes,
            [  --with-libpcre-includes=DIR  libpcre include directory],