Repository: trafficserver Updated Branches: refs/heads/master 9bf5beb36 -> 099ac19f5
TS-3938: Add hardening (fortify) as an option to configure This closes #497. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/099ac19f Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/099ac19f Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/099ac19f Branch: refs/heads/master Commit: 099ac19f5fecc12999a7648790cb611704989e85 Parents: 9bf5beb Author: Bryan Call <[email protected]> Authored: Tue Feb 23 16:04:57 2016 -0800 Committer: James Peach <[email protected]> Committed: Fri Feb 26 12:53:20 2016 -0800 ---------------------------------------------------------------------- configure.ac | 21 +++++++++++++++++++++ tools/Makefile.am | 2 ++ 2 files changed, 23 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/099ac19f/configure.ac ----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index e49ae14..b9981a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -321,6 +321,17 @@ AC_ARG_ENABLE([ccache],
 AC_MSG_RESULT([$enable_ccache])
 #
+# Enble hardening of the executables
+#
+AC_MSG_CHECKING([whether to enable hardening of the executables])
+AC_ARG_ENABLE([hardening],
+ [AS_HELP_STRING([--enable-hardening],[Enable hardening of executables])],
+ [],
+ [enable_hardening="no"]
+)
+AC_MSG_RESULT([$enable_hardening])
+
+#
 # Use TPROXY for connection transparency.
 #
 AC_MSG_CHECKING([whether to enable TPROXY based transparency])
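Review bot: The help string in the new `AC_ARG_ENABLE([hardening], ...)` block says only "Enable hardening of executables", so `./configure --help` does not tell a packager which protections the switch controls or that it is off unless requested. I would spell it out, e.g. `[AS_HELP_STRING([--enable-hardening],[Enable hardening of executables: _FORTIFY_SOURCE, PIE, stack protector, and RELRO/BIND_NOW on Linux (default: no)])]`. The comment above the block also has a typo: `# Enble hardening of the executables` should read `# Enable hardening of the executables`.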
@@ -1027,6 +1038,16 @@ TS_ADDTO(CPPFLAGS, [-D__STDC_FORMAT_MACROS=1])
 AC_MSG_NOTICE([Build for host OS: $host_os, arch: $host_cpu, optimization: $host_os_def])
+# Add hardening options to flags
+AS_IF([test "x${enable_hardening}" = "xyes"], [
+ TS_ADDTO(CPPFLAGS, [-D_FORTIFY_SOURCE=2])
+ TS_ADDTO(CXXFLAGS, [-fPIE -fstack-protector])
+ TS_ADDTO(CFLAGS, [-fPIE -fstack-protector])
+ AS_CASE("$host_os_def",
+ [linux], [TS_ADDTO(LDFLAGS, [-pie -Wl,-z,relro -Wl,-z,now])]
+ )
+])
+
 #
 # Note: These are site-specific macro's that do various tests
 # on the selected compilers. There was some tunning
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/099ac19f/tools/Makefile.am ----------------------------------------------------------------------
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 1c28af6..b8eae5b 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -53,3 +53,5 @@ http_load_http_load_SOURCES = \
 endif
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(DATA)
+ sed -i "s/ -fPIE//" tsxs
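Review bot: The flags inside the new `AS_IF` block are appended without any probe that the compiler and linker accept them, so `--enable-hardening` on a toolchain that lacks one of them would fail at build time rather than at configure time. `-D_FORTIFY_SOURCE=2` only has an effect when optimization is enabled, and glibc warns when it is defined in an unoptimized build, so a debug configuration (not visible in this hunk) may need to skip it. `-fPIE` goes into `CFLAGS`/`CXXFLAGS` on every platform while `-pie` is added only for `linux`, and because both are global they presumably also reach shared-library and plugin objects that need `-fPIC`. `-fstack-protector` instruments only functions that call alloca or hold buffers of 8 bytes or more; where the compiler supports it, `TS_ADDTO(CFLAGS, [-fPIE -fstack-protector-strong])` (and the same for `CXXFLAGS`) gives wider coverage.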
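Review bot: Redefining `all-am` takes over the rule Automake generates for this directory; the supported hook for an extra build step is `all-local:`, which can carry the same recipe without replacing the generated target. The recipe edits `tsxs` in place on every `make`, whether or not hardening was enabled, and `sed -i` with no suffix argument is GNU-specific, so it fails with BSD/macOS sed. Without the `g` flag only the first ` -fPIE` on each line is removed, so a line holding both the C and C++ flags would keep one; `sed -i "s/ -fPIE//g" tsxs` closes that gap. A comment saying why `tsxs` must not carry `-fPIE` (presumably because it builds plugins as shared objects) would help, and filtering the flag in configure before `tsxs` is generated would remove the need for post-processing.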
