Hi,
Marc-André, Christophe, thanks for the reviews!
Marc-André, Christophe reviewed my usb device selection widget patches,
but he wanted a second opinion before I push them, so could you
please take a look?
On 01/27/2012 07:08 PM, Christophe Fergeau wrote:
On Fri, Jan 27, 2012 at 04:58:56PM +0100, Hans de Goede wrote:
Josh Bressers has been so kind to review the usb-acl-helper for possible
security issues. One of his recommendations was to harden the usb-acl-helper
by building it as a Position Independent Executable.
Signed-off-by: Hans de Goede<[email protected]>
---
configure.ac | 26 ++++++++++++++++++++++++++
gtk/Makefile.am | 2 ++
2 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2b73fc1..95819a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -390,6 +390,32 @@ if test "x$have_usbredir" = "xyes"&& test "x$have_polkit" !=
"xyes"; then
AC_MSG_WARN([Building with usbredir support, but *not* building the usb acl
helper])
fi
+AC_ARG_ENABLE([pie],
+ AS_HELP_STRING([--enable-pie=@<:@auto/yes/no@:>@],
+ [Enable position-independent-executable support (for the usb acl
helper)@<:@default=auto@:>@]),
+ [],
+ [enable_pie="auto"])
+
+if test "x$have_polkit" = "xyes"&& test "x$enable_pie" != "xno"; then
+ save_CFLAGS="$CFLAGS"
+ save_LDFLAGS="$LDFLAGS"
+ CFLAGS="$CFLAGS -fPIE"
+ LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
+ AC_MSG_CHECKING([for PIE support])
+ AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])],
+ [have_pie=yes],
+ [have_pie=no])
+ AC_MSG_RESULT([$have_pie])
+ if test "x$have_pie" = "xyes"; then
+ PIE_CFLAGS="-fPIE"
+ PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+ AC_SUBST(PIE_CFLAGS)
+ AC_SUBST(PIE_LDFLAGS)
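Review bot: the probe source passed to AC_LINK_IFELSE is `void main () {}`, which is not a conforming definition of main and draws a warning from gcc under -Wall; if the user's CFLAGS also carry -Werror, the probe fails and have_pie ends up "no" on a toolchain that does support PIE, so the helper is silently built without hardening under the default of "auto". Using AC_LANG_PROGRAM([], []) or `int main (void) { return 0; }` as the test source avoids that. The same probe links with -pie, -Wl,-z,relro and -Wl,-z,now in one go, so a linker that lacks only the -z options also loses PIE; probing them separately would keep whichever parts are supported. CFLAGS and LDFLAGS are saved into save_CFLAGS and save_LDFLAGS before the probe, but the restore is not in the quoted lines; it should happen on both the have_pie=yes and have_pie=no paths.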
I'd add
    else
      if test "x$enable_pie" = "xyes"; then
        AC_MSG_ERROR([pie requested but not supported by the C compiler])
      fi
otherwise yes/auto are the same.
Ah yes I already noticed that myself and I was planning on fixing it, but
didn't.
I've fixed this before pushing.
Thanks & Regards,
Hans