>From 0d7c025bb68e59fb3ec2ec5e25d15fb3e0668ec2 Mon Sep 17 00:00:00 2001
From: David Jorm <djorm@corp.iixpeering.net>
Date: Fri, 27 Feb 2015 13:35:01 +1000
Subject: [PATCH] Added security hardening compiler and linker flags

Signed-off-by: David Jorm <djorm@corp.iixpeering.net>
---
 configure.in | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/configure.in b/configure.in
index c81709e..f46ab8c 100644
--- a/configure.in
+++ b/configure.in
@@ -6,6 +6,7 @@ AC_REVISION($Id$)
 AC_INIT(conf/confbase.Y)
 AC_CONFIG_AUX_DIR(tools)
 
+AC_ARG_ENABLE(secflags, [  --enable-secflags       enable compiler flags to improve security (default: enabled)],,enable_secflags=yes)
 AC_ARG_ENABLE(debug,	[  --enable-debug          enable internal debugging routines (default: disabled)],,enable_debug=no)
 AC_ARG_ENABLE(memcheck,	[  --enable-memcheck       check memory allocations when debugging (default: enabled)],,enable_memcheck=yes)
 AC_ARG_ENABLE(client,	[  --enable-client         enable building of BIRD client (default: enabled)],,enable_client=yes)
@@ -119,6 +120,20 @@ if test "$bird_cflags_default" = yes ; then
 	BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing)
 	BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow)
 fi
+
+if test "$enable_secflags" = yes ; then
+	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wformat_security, -Wformat -Wformat-security -Werror=format-security)
+	BIRD_ADD_GCC_OPTION(bird_cv_c_option_wformat_security, -Wformat -Wformat-security -Werror=format-security)
+	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fpie, -fPIE)
+	BIRD_ADD_GCC_OPTION(bird_cv_c_option_fpie, -fPIE)
+	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fstack_protector_strong, -fstack-protector-strong)
+	BIRD_ADD_GCC_OPTION(bird_cv_c_option_fstack_protector_strong, -fstack-protector-strong)
+	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_dfortify_source, -D_FORTIFY_SOURCE=2)
+	BIRD_ADD_GCC_OPTION(bird_cv_c_option_dfortify_source, -D_FORTIFY_SOURCE=2)
+
+	LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
+fi
+
 AC_MSG_CHECKING([CFLAGS])
 AC_MSG_RESULT($CFLAGS)
 
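Review bot: The LDFLAGS assignment at the end of the new `enable_secflags` block appends `-fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack` unconditionally, whereas every CFLAGS option above it goes through BIRD_CHECK_GCC_OPTION first; on a toolchain whose linker does not accept these flags the build now fails at link time instead of degrading to an unhardened binary as the compiler-side options do. Probing the combined link flags once with AC_LINK_IFELSE and restoring the saved LDFLAGS on failure keeps the linker side as best-effort as the compiler side. Separately, `-D_FORTIFY_SOURCE=2` is a preprocessor define rather than a compiler option, so the BIRD_CHECK_GCC_OPTION probe for it presumably cannot fail on the flag itself, and the define only takes effect when the code is compiled with optimization; a comment such as `# _FORTIFY_SOURCE only has effect at -O1 and above` next to that line would save the next reader a surprise. The `if test "$enable_secflags" = yes` block is contained entirely within the hunk.
```m4
	# … unchanged: BIRD_CHECK_GCC_OPTION / BIRD_ADD_GCC_OPTION lines …

	bird_save_LDFLAGS="$LDFLAGS"
	LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
	AC_MSG_CHECKING([whether the linker accepts hardening flags])
	AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
		[AC_MSG_RESULT([yes])],
		[AC_MSG_RESULT([no]); LDFLAGS="$bird_save_LDFLAGS"])
```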
-- 
2.1.0

