Diffstat (limited to 'm4/check-hardening-options.m4')
-rw-r--r--m4/check-hardening-options.m4109
1 files changed, 109 insertions, 0 deletions
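diff --git a/m4/check-hardening-options.m4 b/m4/check-hardening-options.m4
new file mode 100644
index 0000000..255038e
--- /dev/null
+++ b/m4/check-hardening-options.m4
@@ -0,0 +1,109 @@
+
+AC_DEFUN([CHECK_CFLAG], [
+ AC_LANG_ASSERT(C)
+ AC_MSG_CHECKING([if $saved_CC supports "$1"])
+ old_cflags="$CFLAGS"
+ CFLAGS="$1 -Wall -Werror"
+ AC_TRY_LINK([
+ #include <stdio.h>
+ ],
+ [printf("Hello")],
+ AC_MSG_RESULT([yes])
+ CFLAGS=$old_cflags
+ HARDEN_CFLAGS="$HARDEN_CFLAGS $1",
+ AC_MSG_RESULT([no])
+ CFLAGS=$old_cflags
+ [$2])
+])
+
+AC_DEFUN([CHECK_LDFLAG], [
+ AC_LANG_ASSERT(C)
+ AC_MSG_CHECKING([if $saved_LD supports "$1"])
+ old_ldflags="$LDFLAGS"
+ LDFLAGS="$1 -Wall -Werror"
+ AC_TRY_LINK([
+ #include <stdio.h>
+ ],
+ [printf("Hello")],
+ AC_MSG_RESULT([yes])
+ LDFLAGS=$old_ldflags
+ HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1",
+ AC_MSG_RESULT([no])
+ LDFLAGS=$old_ldflags
+ [$2])
+])
+
+AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK] [
+ save_cflags="$CFLAGS"
+ CFLAGS=
+ AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ __asm__(".section .note.GNU-stack,\"\",@progbits");]])],
+ [AC_MSG_RESULT([yes])]
+ [AM_CFLAGS=-DHAVE_GNU_STACK],
+ [AC_MSG_RESULT([no])]
+ )
+ CFLAGS="$save_cflags $AM_CFLAGS"
+])
+
+
+AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [
+
+ AC_ARG_ENABLE([hardening],
+ [AS_HELP_STRING([--disable-hardening],
+ [Disable options to frustrate memory corruption exploits])],
+ [], [enable_hardening=yes])
+
+ AC_ARG_ENABLE([windows-ssp],
+ [AS_HELP_STRING([--enable-windows-ssp],
+ [Enable building the stack smashing protection on
+ Windows. This currently distributing libssp-0.dll.])])
+
+ # We want to check for compiler flag support. Prior to clang v5.1, there was no
+ # way to make clang's "argument unused" warning fatal. So we invoke the
+ # compiler through a wrapper script that greps for this message.
+ saved_CC="$CC"
+ saved_LD="$LD"
+ flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
+ CC="$flag_wrap $CC"
+ LD="$flag_wrap $LD"
+
+ AS_IF([test "x$enable_hardening" = "xyes"], [
+ # Tell GCC to NOT optimize based on signed arithmetic overflow
+ CHECK_CFLAG([[-fno-strict-overflow]])
+
+ # _FORTIFY_SOURCE replaces builtin functions with safer versions.
+ CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]])
+
+ # Enable read only relocations
+ CHECK_LDFLAG([[-Wl,-z,relro]])
+ CHECK_LDFLAG([[-Wl,-z,now]])
+
+ # Windows security flags
+ AS_IF([test "x$HOST_OS" = "xwin"], [
+ CHECK_LDFLAG([[-Wl,--nxcompat]])
+ CHECK_LDFLAG([[-Wl,--dynamicbase]])
+ CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+ ])
+
+ # Use stack-protector-strong if available; if not, fallback to
+ # stack-protector-all which is considered to be overkill
+ AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+ CHECK_CFLAG([[-fstack-protector-strong]],
+ CHECK_CFLAG([[-fstack-protector-all]],
+ AC_MSG_WARN([compiler does not appear to support stack protection])
+ )
+ )
+ AS_IF([test "x$HOST_OS" = "xwin"], [
+ AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+ ])
+ ])
+ ])
+
+ # Restore CC, LD
+ CC="$saved_CC"
+ LD="$saved_LD"
+
+ CFLAGS="$CFLAGS $HARDEN_CFLAGS"
+ LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
+])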
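Review bot: The definition `AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK] [` (new line 36) is missing the comma between the macro name and its body, so m4 sees a single argument and no macro named DISABLE_AS_EXECUTABLE_STACK is defined; any call to it from configure.ac would not expand and the `.note.GNU-stack` probe would never run. It should read `AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK], [`. Separately, CHECK_CFLAG replaces the flags instead of extending them (`CFLAGS="$1 -Wall -Werror"`), so `-D_FORTIFY_SOURCE=2` is probed with no optimisation level; glibc headers warn in that case and `-Werror` makes the warning fatal, so the probe can answer "no" and fortification is silently dropped. Probing with `CFLAGS="$old_cflags $1 -Wall -Werror"` would test the flag in the same context where it is later used. Apart from the stack-protector fallback, a rejected hardening flag shows up only as a "no" in the configure output, so an `AC_MSG_WARN` in the failure branch for the fortify and relro/now checks would make a weakened build visible.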