build-sys: enable a couple of security features
authorLennart Poettering <lennart@poettering.net>
Wed, 8 Aug 2012 10:03:34 +0000 (12:03 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 8 Aug 2012 10:03:34 +0000 (12:03 +0200)
Most distributions enable these downstream anyway, but it probably makes
sense to enable them unconditionally upstream too.

Makefile.am
autogen.sh
configure.ac

index b1a8cc1..6963722 100644 (file)
@@ -148,10 +148,11 @@ AM_CPPFLAGS = \
        -I $(top_builddir)/src/core \
        -I $(top_srcdir)/src/core \
        -I $(top_srcdir)/src/libudev \
-       -I $(top_srcdir)/src/udev
+       -I $(top_srcdir)/src/udev \
+       $(OUR_CPPFLAGS)
 
-AM_CFLAGS = $(WARNINGFLAGS)
-AM_LDFLAGS = $(GCLDFLAGS)
+AM_CFLAGS = $(OUR_GFLAGS)
+AM_LDFLAGS = $(OUR_LDFLAGS)
 
 # ------------------------------------------------------------------------------
 if TARGET_GENTOO
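Review bot: `AM_CFLAGS = $(OUR_GFLAGS)` refers to a variable that nothing on this page defines; the configure.ac part of this commit substitutes `OUR_CFLAGS`. Make expands an undefined variable to an empty string without complaint, so the warning set, `-fvisibility=hidden` and the newly added `-fstack-protector` would drop out of every compile command while the configure summary still lists them. The line should read `AM_CFLAGS = $(OUR_CFLAGS)`. Checking one compile command in the build log for `-fstack-protector` after the change would confirm that the hardening flags actually reach the compiler.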
index 33d8fcd..86fe9b3 100755 (executable)
@@ -54,7 +54,7 @@ args="$args \
 fi
 
 if [ "x$1" = "xc" ]; then
-        ./configure CFLAGS='-g -O0 -Wp,-U_FORTIFY_SOURCE' $args
+        ./configure CFLAGS='-g -O0' $args
         make clean
 else
         echo
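Review bot: The developer configuration now pairs `-O0` with the `-Wp,-D_FORTIFY_SOURCE=2` that configure.ac adds to every build through `OUR_CPPFLAGS`, both in the `./configure` call here and in the echoed command in the next hunk. glibc enables its fortified wrappers only when the compiler is optimizing, so the define gives no protection in this configuration, and glibc versions that check for the combination print a `_FORTIFY_SOURCE requires compiling with optimization` warning for each translation unit. Either keep `-Wp,-U_FORTIFY_SOURCE` in the `-O0` command line, where it follows the define and cancels it, or have configure.ac append the define only for optimized builds. The `if` block opened in this hunk closes in the following one.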
@@ -62,6 +62,6 @@ else
         echo "Initialized build system. For a common configuration please run:"
         echo "----------------------------------------------------------------"
         echo
-        echo "./configure CFLAGS='-g -O0 -Wp,-U_FORTIFY_SOURCE' $args"
+        echo "./configure CFLAGS='-g -O0' $args"
         echo
 fi
index 5145298..d6a1583 100644 (file)
@@ -117,20 +117,26 @@ CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [\
         -Wno-missing-field-initializers \
         -Wno-unused-result \
         -Werror=overflow \
-        -Wp,-D_FORTIFY_SOURCE=2 \
         -ffast-math \
         -fno-common \
         -fdiagnostics-show-option \
         -fno-strict-aliasing \
         -fvisibility=hidden \
         -ffunction-sections \
-        -fdata-sections])
-AC_SUBST([WARNINGFLAGS], $with_cflags)
+        -fdata-sections \
+        -fstack-protector])
+AC_SUBST([OUR_CFLAGS], $with_cflags)
+
+CC_CHECK_FLAGS_APPEND([with_cppflags], [CPPFLAGS], [\
+        -Wp,-D_FORTIFY_SOURCE=2])
+AC_SUBST([OUR_CPPFLAGS], $with_cppflags)
 
 CC_CHECK_FLAGS_APPEND([with_ldflags], [LDFLAGS], [\
         -Wl,--as-needed \
-        -Wl,--gc-sections])
-AC_SUBST([GCLDFLAGS], $with_ldflags)
+        -Wl,--gc-sections \
+        -Wl,-z,relro \
+        -Wl,-z,now])
+AC_SUBST([OUR_LDFLAGS], $with_ldflags)
 
 AC_SEARCH_LIBS([clock_gettime], [rt], [], [AC_MSG_ERROR([*** POSIX RT library not found])])
 AC_SEARCH_LIBS([dlsym], [dl], [], [AC_MSG_ERROR([*** Dynamic linking loader library not found])])
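Review bot: Plain `-fstack-protector` places a canary only in functions that hold a character array at or above GCC's `ssp-buffer-size` threshold (8 bytes by default), so functions with smaller buffers stay unprotected; adding `--param=ssp-buffer-size=4` after it in the same list widens the coverage. The macro name suggests each flag is probed before use, but its definition is not on this page, so confirm that an unsupported flag is dropped rather than breaking configure. The hardening flags also deserve a comment above each call, for example `# Hardening: stack canaries and fortified libc calls` and `# Hardening: read-only relocations, all symbols bound at load time (full RELRO)`, so that a later cleanup of the flag lists does not remove them as noise. The `CC_CHECK_FLAGS_APPEND([with_cflags], ...` call begins above the hunk.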
@@ -753,7 +759,7 @@ AC_MSG_RESULT([
         Split /usr:              ${enable_split_usr}
         man pages:               ${have_manpages}
 
-        CFLAGS:                  ${CFLAGS}
-        CPPLAGS:                 ${CPPFLAGS}
-        LDFLAGS:                 ${LDFLAGS}
+        CFLAGS:                  ${OUR_CFLAGS} ${CFLAGS}
+        CPPLAGS:                 ${OUR_CPPFLAGS} ${CPPFLAGS}
+        LDFLAGS:                 ${OUR_LDFLAGS} ${LDFLAGS}
 ])
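Review bot: The rewritten summary line keeps the misspelled label `CPPLAGS:`; as the line is being changed anyway it should read `CPPFLAGS:                ${OUR_CPPFLAGS} ${CPPFLAGS}`. The summary prints the values configure computed, not the variable names Makefile.am consumes, so it cannot show whether the hardening flags are applied at build time. The `AC_MSG_RESULT([` call starts outside the hunk.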