On 03/06/2015 02:13 AM, Stefan Jakob wrote:
> David Jorm <[email protected]> wrote on Wed., 04.03.2015, 8:54:
>> On 02/27/2015 08:55 PM, Marco d'Itri wrote:
>>> On Feb 27, David Jorm <[email protected]> wrote:
>>>
>>>> The attached patch adds security hardening compiler and linker flags. These
>>>> flags are only applied if --enable-secflags is on, and I've made
>>>> --enable-secflags on by default. I totally understand if the maintainers may
>>>> prefer for it to be off by default, at least initially.
>>> The warnings are OK, but while the hardening options actually match what
>>> Debian uses, distributions typically want to explicitly set them
>>> themselves using the defaults of their own build infrastructure (because
>>> in the future they may want to do mass rebuilds with different flags).
>>>
>> Thanks for the feedback, Marco. I was thinking that distributions could
>> override these flags by setting --enable-secflags off if they wanted to.
>> If that is insufficient, then I would have no problem re-spinning the
>> patch to set --enable-secflags off by default.
> +1
> Flags should be available but disabled by default at this state, imho,
> ymmv
> Thx for the patch David!
> Rgds, Stefan
Thanks Stefan - a respun patch with enable-secflags disabled by default
is attached.
David
From 0d7c025bb68e59fb3ec2ec5e25d15fb3e0668ec2 Mon Sep 17 00:00:00 2001
From: David Jorm <[email protected]>
Date: Fri, 27 Feb 2015 13:35:01 +1000
Subject: [PATCH] Added security hardening compiler and linker flags
Signed-off-by: David Jorm <[email protected]>
---
configure.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/configure.in b/configure.in
index c81709e..f46ab8c 100644
--- a/configure.in
+++ b/configure.in
@@ -6,6 +6,7 @@ AC_REVISION($Id$)
AC_INIT(conf/confbase.Y)
AC_CONFIG_AUX_DIR(tools)
+AC_ARG_ENABLE(secflags, [ --enable-secflags enable compiler flags to improve security (default: enabled)],,enable_secflags=no)
AC_ARG_ENABLE(debug, [ --enable-debug enable internal debugging routines (default: disabled)],,enable_debug=no)
AC_ARG_ENABLE(memcheck, [ --enable-memcheck check memory allocations when debugging (default: enabled)],,enable_memcheck=yes)
AC_ARG_ENABLE(client, [ --enable-client enable building of BIRD client (default: enabled)],,enable_client=yes)
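Review bot: the help string of the new AC_ARG_ENABLE still says "(default: enabled)" while the fourth argument sets enable_secflags=no, so `./configure --help` will contradict the actual default of this respun patch; change it to match the neighbouring --enable-debug entry, e.g. `[ --enable-secflags enable compiler flags to improve security (default: disabled)]`.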
@@ -119,6 +120,20 @@ if test "$bird_cflags_default" = yes ; then
BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing)
BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow)
fi
+
+if test "$enable_secflags" = yes ; then
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wformat_security, -Wformat -Wformat-security -Werror=format-security)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_wformat_security, -Wformat -Wformat-security -Werror=format-security)
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fpie, -fPIE)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_fpie, -fPIE)
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fstack_protector_strong, -fstack-protector-strong)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_fstack_protector_strong, -fstack-protector-strong)
+ BIRD_CHECK_GCC_OPTION(bird_cv_c_option_dfortify_source, -D_FORTIFY_SOURCE=2)
+ BIRD_ADD_GCC_OPTION(bird_cv_c_option_dfortify_source, -D_FORTIFY_SOURCE=2)
+
+ LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
+fi
+
AC_MSG_CHECKING([CFLAGS])
AC_MSG_RESULT($CFLAGS)
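Review bot: the LDFLAGS assignment appends -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack unconditionally, whereas every CFLAGS option in the same block is probed with BIRD_CHECK_GCC_OPTION before BIRD_ADD_GCC_OPTION; if the -fPIE compile check fails, the objects are built non-PIC but the link still passes -pie, and a linker that does not understand -z noexecstack gets no fallback at all. Gate the link flags on the result of the -fPIE check (bird_cv_c_option_fpie) and probe the -Wl,-z options the same way. Two smaller points in the same hunk: -D_FORTIFY_SOURCE=2 is a preprocessor define, so a compile probe of it always succeeds, and it only has an effect when the build runs with optimisation (-O1 or higher), which this block does not ensure; and bundling -Wformat -Wformat-security -Werror=format-security into one probe means a compiler rejecting any one of them drops all three, so probing them separately, and likewise falling back from -fstack-protector-strong to -fstack-protector on gcc older than 4.9, would keep the hardening on more toolchains.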
--
2.1.0