diff options
Diffstat (limited to 'm4/check-hardening-options.m4')
-rw-r--r-- | m4/check-hardening-options.m4 | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/m4/check-hardening-options.m4 b/m4/check-hardening-options.m4 new file mode 100644 index 0000000..3ffdb1a --- /dev/null +++ b/m4/check-hardening-options.m4 @@ -0,0 +1,109 @@ + +AC_DEFUN([CHECK_CFLAG], [ + AC_LANG_ASSERT(C) + AC_MSG_CHECKING([if $saved_CC supports "$1"]) + old_cflags="$CFLAGS" + CFLAGS="$1 -Wall -Werror" + AC_TRY_LINK([ + #include <stdio.h> + ], + [printf("Hello")], + AC_MSG_RESULT([yes]) + CFLAGS=$old_cflags + HARDEN_CFLAGS="$HARDEN_CFLAGS $1", + AC_MSG_RESULT([no]) + CFLAGS=$old_cflags + [$2]) +]) + +AC_DEFUN([CHECK_LDFLAG], [ + AC_LANG_ASSERT(C) + AC_MSG_CHECKING([if $saved_LD supports "$1"]) + old_ldflags="$LDFLAGS" + LDFLAGS="$1 -Wall -Werror" + AC_TRY_LINK([ + #include <stdio.h> + ], + [printf("Hello")], + AC_MSG_RESULT([yes]) + LDFLAGS=$old_ldflags + HARDEN_LDFLAGS="$HARDEN_LDFLAGS $1", + AC_MSG_RESULT([no]) + LDFLAGS=$old_ldflags + [$2]) +]) + +AC_DEFUN([DISABLE_AS_EXECUTABLE_STACK], [ + save_cflags="$CFLAGS" + CFLAGS= + AC_MSG_CHECKING([whether AS supports .note.GNU-stack]) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + __asm__(".section .note.GNU-stack,\"\",@progbits");]])], + [AC_MSG_RESULT([yes])] + [AM_CFLAGS=-DHAVE_GNU_STACK], + [AC_MSG_RESULT([no])] + ) + CFLAGS="$save_cflags $AM_CFLAGS" +]) + + +AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [ + + AC_ARG_ENABLE([hardening], + [AS_HELP_STRING([--disable-hardening], + [Disable options to frustrate memory corruption exploits])], + [], [enable_hardening=yes]) + + AC_ARG_ENABLE([windows-ssp], + [AS_HELP_STRING([--enable-windows-ssp], + [Enable building the stack smashing protection on + Windows. This currently distributing libssp-0.dll.])]) + + # We want to check for compiler flag support. Prior to clang v5.1, there was no + # way to make clang's "argument unused" warning fatal. So we invoke the + # compiler through a wrapper script that greps for this message. + saved_CC="$CC" + saved_LD="$LD" + flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check" + CC="$flag_wrap $CC" + LD="$flag_wrap $LD" + + AS_IF([test "x$enable_hardening" = "xyes"], [ + # Tell GCC to NOT optimize based on signed arithmetic overflow + CHECK_CFLAG([[-fno-strict-overflow]]) + + # _FORTIFY_SOURCE replaces builtin functions with safer versions. + CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]]) + + # Enable read only relocations + CHECK_LDFLAG([[-Wl,-z,relro]]) + CHECK_LDFLAG([[-Wl,-z,now]]) + + # Windows security flags + AS_IF([test "x$HOST_OS" = "xwin"], [ + CHECK_LDFLAG([[-Wl,--nxcompat]]) + CHECK_LDFLAG([[-Wl,--dynamicbase]]) + CHECK_LDFLAG([[-Wl,--high-entropy-va]]) + ]) + + # Use stack-protector-strong if available; if not, fallback to + # stack-protector-all which is considered to be overkill + AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [ + CHECK_CFLAG([[-fstack-protector-strong]], + CHECK_CFLAG([[-fstack-protector-all]], + AC_MSG_WARN([compiler does not appear to support stack protection]) + ) + ) + AS_IF([test "x$HOST_OS" = "xwin"], [ + AC_SEARCH_LIBS([__stack_chk_guard],[ssp]) + ]) + ]) + ]) + + # Restore CC, LD + CC="$saved_CC" + LD="$saved_LD" + + CFLAGS="$CFLAGS $HARDEN_CFLAGS" + LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS" +]) |