INN commit: branches/2.6 (configure.ac doc/pod/news.pod)

INN Commit rra at isc.org
Sun Nov 22 10:50:37 UTC 2020


    Date: Sunday, November 22, 2020 @ 02:50:37
  Author: iulius
Revision: 10421

Add support for hardening build flags

New --enable-hardening-flags option to configure, enabled by default.

It currently adds -fPIE, -fstack-protector-strong at build time, and
-z relro as well as -z now at link time.  More flags will eventually
be added in future releases.

This option can easily be disabled if the compiler or the platform does
not support them well.

Modified:
  branches/2.6/configure.ac
  branches/2.6/doc/pod/news.pod

------------------+
 configure.ac     |   28 ++++++++++++++++++++++++++--
 doc/pod/news.pod |    8 ++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

Modified: configure.ac
===================================================================
--- configure.ac	2020-11-22 10:49:50 UTC (rev 10420)
+++ configure.ac	2020-11-22 10:50:37 UTC (rev 10421)
@@ -308,7 +308,17 @@
         CFLAGS="$CFLAGS -Kalloca"
     fi
 esac
-  
+
+dnl Whether to add hardening flags to the build.  Ideally, this should just
+dnl always be turned on wherever possible, but depending on the compiler and
+dnl the platform, it might be useful to easily remove them at configure time.
+inn_enable_hardening_flags=yes
+AC_ARG_ENABLE([hardening-flags],
+    [AS_HELP_STRING([--enable-hardening-flags],
+        [Add hardening build flags like -fPIE @<:@default=yes@:>@])],
+    [AS_IF([test x"$enableval" != xyes],
+        [inn_enable_hardening_flags=no])])
+
 dnl Checks for pathnames.  If AC_PROG_* does not manage to find a working
 dnl program, INN_PATH_PROG_ENSURE will output an error.
 AC_ARG_VAR([AWK], [Location of awk])
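Review bot: In the AS_HELP_STRING for the new option, since the default is yes, autoconf convention is to document the switch a user would actually type, `--disable-hardening-flags`, e.g. `[AS_HELP_STRING([--disable-hardening-flags], [Do not add hardening build flags like -fPIE])]`; the AS_IF on `$enableval` already handles `--disable-hardening-flags` correctly, so only the help text needs to change.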
@@ -595,6 +605,20 @@
 INN_SYS_UNIX_SOCKETS
 INN_LOG_FACILITY
 
+dnl Add hardening build flags, if supported by the compiler.
+AS_IF([test x"$inn_enable_hardening_flags" = xyes],
+    [INN_PROG_CC_FLAG([-fPIE], [CFLAGS="${CFLAGS} -fPIE"
+                                CC_WARNINGS="${CC_WARNINGS} -fPIE"
+                                LDFLAGS="${LDFLAGS} -fPIE -pie"], [])
+     INN_PROG_CC_FLAG([-fstack-protector-strong],
+                      [CFLAGS="${CFLAGS} -fstack-protector-strong"
+                       CC_WARNINGS="${CC_WARNINGS} -fstack-protector-strong"],
+                      [])
+     INN_PROG_CC_FLAG([-Wl,-z,relro],
+                      [LDFLAGS="${LDFLAGS} -Wl,-z,relro"], [])
+     INN_PROG_CC_FLAG([-Wl,-z,now],
+                      [LDFLAGS="${LDFLAGS} -Wl,-z,now"], [])])
+
 dnl Clean up our LIBS, just for grins.
 LIBS=`echo "$LIBS" | sed 's/^  *//' | sed 's/   */ /g' | sed 's/  *$//'`
 
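Review bot: The `-Wl,-z,relro` and `-Wl,-z,now` probes, and the `-pie` appended to LDFLAGS alongside `-fPIE`, are link-time options, but INN_PROG_CC_FLAG only exercises the compiler if it follows the usual AC_COMPILE_IFELSE pattern, so an unsupported linker option would still "pass" the probe and only fail at link time, which defeats the stated goal of silently dropping flags the platform does not support. Suggest probing the linker options with an AC_LINK_IFELSE-based check (a separate INN_PROG_LD_FLAG-style macro) and testing `-fPIE -pie` as a pair rather than only `-fPIE`. Separately, appending -fPIE and -fstack-protector-strong to CC_WARNINGS puts code-generation flags into the warnings variable; if that is deliberate so that warnings builds match the regular CFLAGS, a short dnl comment saying so would save the next reader from "fixing" it.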
@@ -619,7 +643,7 @@
 dnl Print out some additional information on what to check.
 cat <<EOM
 
-Please check the following files before running make, to ensure that 
+Please check the following files before running make, to ensure that
 everything was set correctly.
 
         Makefile.global

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2020-11-22 10:49:50 UTC (rev 10420)
+++ doc/pod/news.pod	2020-11-22 10:50:37 UTC (rev 10421)
@@ -49,6 +49,14 @@
 Added new B<-d> flag to B<rnews> to log via syslog the message-ID and the
 Path header value of each article rejected as a duplicate.
 
+=item *
+
+Added new B<--enable-hardening-flags> configure-time option,
+enabled by default, to use hardening build flags like C<-fPIE> and
+C<-fstack-protector-strong>.  This option can easily be disabled if the
+compiler or the platform does not support them well.  More hardening
+build flags will eventually be added in future releases.
+
 =back
 
 =head1 Changes in 2.6.3
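Review bot: The NEWS entry names only C<-fPIE> and C<-fstack-protector-strong>, while the change also adds C<-z relro> and C<-z now> at link time as the commit message says; listing the linker flags here too would let packagers see the full set that the new option controls.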


