From 5a45a93627609451784a04366cfa1150d32611d1 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 8 Aug 2012 12:03:34 +0200
Subject: [PATCH] build-sys: enable a couple of security features

Most distributions enable these downstream anyway, but it probably makes
sense to enable them unconditionally upstream too.
---
 Makefile.am  |  7 ++++---
 autogen.sh   |  4 ++--
 configure.ac | 22 ++++++++++++++--------
 3 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index b1a8cc199..696372246 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -148,10 +148,11 @@ AM_CPPFLAGS = \
 	-I $(top_builddir)/src/core \
 	-I $(top_srcdir)/src/core \
 	-I $(top_srcdir)/src/libudev \
-	-I $(top_srcdir)/src/udev
+	-I $(top_srcdir)/src/udev \
+	$(OUR_CPPFLAGS)
 
-AM_CFLAGS = $(WARNINGFLAGS)
-AM_LDFLAGS = $(GCLDFLAGS)
+AM_CFLAGS = $(OUR_GFLAGS)
+AM_LDFLAGS = $(OUR_LDFLAGS)
 
 # ------------------------------------------------------------------------------
 if TARGET_GENTOO
diff --git a/autogen.sh b/autogen.sh
index 33d8fcda2..86fe9b378 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -54,7 +54,7 @@ args="$args \
 fi
 
 if [ "x$1" = "xc" ]; then
-        ./configure CFLAGS='-g -O0 -Wp,-U_FORTIFY_SOURCE' $args
+        ./configure CFLAGS='-g -O0' $args
         make clean
 else
         echo
@@ -62,6 +62,6 @@ else
         echo "Initialized build system. For a common configuration please run:"
         echo "----------------------------------------------------------------"
         echo
-        echo "./configure CFLAGS='-g -O0 -Wp,-U_FORTIFY_SOURCE' $args"
+        echo "./configure CFLAGS='-g -O0' $args"
         echo
 fi
diff --git a/configure.ac b/configure.ac
index 514529820..d6a158396 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,20 +117,26 @@ CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [\
         -Wno-missing-field-initializers \
         -Wno-unused-result \
         -Werror=overflow \
-        -Wp,-D_FORTIFY_SOURCE=2 \
         -ffast-math \
         -fno-common \
         -fdiagnostics-show-option \
         -fno-strict-aliasing \
         -fvisibility=hidden \
         -ffunction-sections \
-        -fdata-sections])
-AC_SUBST([WARNINGFLAGS], $with_cflags)
+        -fdata-sections \
+        -fstack-protector])
+AC_SUBST([OUR_CFLAGS], $with_cflags)
+
+CC_CHECK_FLAGS_APPEND([with_cppflags], [CPPFLAGS], [\
+        -Wp,-D_FORTIFY_SOURCE=2])
+AC_SUBST([OUR_CPPFLAGS], $with_cppflags)
 
 CC_CHECK_FLAGS_APPEND([with_ldflags], [LDFLAGS], [\
         -Wl,--as-needed \
-        -Wl,--gc-sections])
-AC_SUBST([GCLDFLAGS], $with_ldflags)
+        -Wl,--gc-sections \
+        -Wl,-z,relro \
+        -Wl,-z,now])
+AC_SUBST([OUR_LDFLAGS], $with_ldflags)
 
 AC_SEARCH_LIBS([clock_gettime], [rt], [], [AC_MSG_ERROR([*** POSIX RT library not found])])
 AC_SEARCH_LIBS([dlsym], [dl], [], [AC_MSG_ERROR([*** Dynamic linking loader library not found])])
@@ -753,7 +759,7 @@ AC_MSG_RESULT([
         Split /usr:              ${enable_split_usr}
         man pages:               ${have_manpages}
 
-        CFLAGS:                  ${CFLAGS}
-        CPPLAGS:                 ${CPPFLAGS}
-        LDFLAGS:                 ${LDFLAGS}
+        CFLAGS:                  ${OUR_CFLAGS} ${CFLAGS}
+        CPPLAGS:                 ${OUR_CPPFLAGS} ${CPPFLAGS}
+        LDFLAGS:                 ${OUR_LDFLAGS} ${LDFLAGS}
 ])
-- 
2.30.2