path: root/package/network/services/dropbear/patches/900-configure-hardening.patch
blob: 5dc84849befdc86f62137261e03192bb7bc20849 (plain)
--- a/configure.ac
+++ b/configure.ac
@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden,
 
 if test "$hardenbuild" -eq 1; then
 	AC_MSG_NOTICE(Checking for available hardened build flags:)
-	# relocation flags don't make sense for static builds
-	if test "$STATIC" -ne 1; then
-		# pie
-		DB_TRYADDCFLAGS([-fPIE])
-
-		OLDLDFLAGS="$LDFLAGS"
-		TESTFLAGS="-Wl,-pie"
-		LDFLAGS="$TESTFLAGS $LDFLAGS"
-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
-			[
-				LDFLAGS="$OLDLDFLAGS"
-				TESTFLAGS="-pie"
-				LDFLAGS="$TESTFLAGS $LDFLAGS"
-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-					[AC_MSG_NOTICE([Setting $TESTFLAGS])],
-					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
-					)
-			]
-			)
-		# readonly elf relocation sections (relro)
-		OLDLDFLAGS="$LDFLAGS"
-		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
-		LDFLAGS="$TESTFLAGS $LDFLAGS"
-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
-			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
-			)
-	fi # non-static
-	# stack protector. -strong is good but only in gcc 4.9 or later
-	OLDCFLAGS="$CFLAGS"
-	TESTFLAGS="-fstack-protector-strong"
-	CFLAGS="$TESTFLAGS $CFLAGS"
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
-	    [
-			CFLAGS="$OLDCFLAGS"
-			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
-			CFLAGS="$TESTFLAGS $CFLAGS"
-			AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
-			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
-			    )
-	    ]
-	    )
-	# FORTIFY_SOURCE
-	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
-
 	# Spectre v2 mitigations
 	DB_TRYADDCFLAGS([-mfunction-return=thunk])
 	DB_TRYADDCFLAGS([-mindirect-branch=thunk])
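Review bot: With the PIE, RELRO, stack-protector and `_FORTIFY_SOURCE` probes deleted, the `hardenbuild` branch now tests only the two Spectre v2 thunk flags, and nothing in the patch says where the removed protections are expected to come from. Presumably the packaging build system passes its own hardening flags through CFLAGS/LDFLAGS, but if it does not, or is configured with them off, the binary is built without them while `AC_MSG_NOTICE(Checking for available hardened build flags:)` still suggests otherwise. I would add a description header above `--- a/configure.ac`, for example `Hardening flags (PIE, RELRO, SSP, FORTIFY_SOURCE) are supplied by the build system; drop configure's own probes so they are not set twice or against the build configuration.`, and confirm on a built binary that PIE, full RELRO and stack canaries are still present. The `if test "$hardenbuild" -eq 1` block continues past the end of the hunk.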