configure: Check for hardening flags
authorAki Tuomi <aki.tuomi@dovecot.fi>
Tue, 19 Apr 2016 11:52:56 +0000 (14:52 +0300)
committerGitLab <gitlab@git.dovecot.net>
Wed, 6 Jul 2016 13:15:54 +0000 (16:15 +0300)
configure.ac
dovecot-config.in.in
m4/cc_fortify.m4 [new file with mode: 0644]
m4/cc_pie.m4 [new file with mode: 0644]
m4/cc_stack_protector.m4 [new file with mode: 0644]
m4/ld_relro.m4 [new file with mode: 0644]

index f7de2ffaf46d67e2344f0cc998a0590c9301a5f1..0621487945995614ec0587b5b043b49f69c66957 100644 (file)
@@ -16,6 +16,14 @@ PKG_PROG_PKG_CONFIG
 ACLOCAL_AMFLAGS='-I $(top_srcdir)/m4'
 AC_SUBST(ACLOCAL_AMFLAGS)
 
+AC_ARG_ENABLE(hardening,
+AS_HELP_STRING([--disable-hardening=no], [Disable various hardenings (default: no)]),
+        disable_hardening=$enableval,
+        disable_hardening=no)
+
+AC_MSG_CHECKING([Whether to disable hardening])
+AC_MSG_RESULT([$disable_hardening])
+
 AC_ARG_ENABLE(devel-checks,
 AS_HELP_STRING([--enable-devel-checks], [Enable some extra expensive checks for developers]),
        if test x$enableval = xyes; then
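Review bot: The sense of the new switch is inverted, because `AC_ARG_ENABLE(hardening, ...)` stores `$enableval` directly in `disable_hardening`. With `--disable-hardening` autoconf sets `enableval=no`, so `disable_hardening=no`, which is exactly the value the four m4 macros test for before adding the flags; `--enable-hardening` gives `yes` and switches every check off. Following the usual convention would fix it: `enable_hardening=$enableval,` and `enable_hardening=yes)` here, with the macros testing `"x$enable_hardening" = xyes`. The help string `--disable-hardening=no` is also not a form anyone would type; `--disable-hardening` with "(default: enabled)" states the behaviour more plainly.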
@@ -316,6 +324,10 @@ AC_CHECK_HEADERS(strings.h stdint.h unistd.h dirent.h malloc.h inttypes.h \
   sys/utsname.h glob.h linux/falloc.h ucred.h sys/ucred.h)
 
 CC_CLANG
+AC_CC_PIE
+AC_CC_F_STACK_PROTECTOR
+AC_CC_D_FORTIFY_SOURCE
+AC_LD_RELRO
 
 DOVECOT_CFLAGS
 
@@ -785,6 +797,12 @@ AC_DEFINE_UNQUOTED(CAPABILITY_STRING, "$capability", [IMAP capabilities])
 AC_DEFINE_UNQUOTED(CAPABILITY_BANNER_STRING, "$capability_banner", [IMAP capabilities advertised in banner])
 
 CFLAGS="$CFLAGS $EXTRA_CFLAGS"
+BINARY_LDFLAGS="$PIE_LDFLAGS $RELRO_LDFLAGS"
+BINARY_CFLAGS="$PIE_CFLAGS"
+
+AC_SUBST(BINARY_CFLAGS)
+AC_SUBST(BINARY_LDFLAGS)
+
 NOPLUGIN_LDFLAGS="-no-undefined"
 if test "$with_gnu_ld" = yes; then
   NOPLUGIN_LDFLAGS="$NOPLUGIN_LDFLAGS -Wl,--as-needed"
index f776c387cf2f5d6adfca424f6d374800e5f445d0..662c72f4e3884132b436eda2e88c0a4cadc3f100 100644 (file)
@@ -3,6 +3,8 @@ DOVECOT_LIBS="@LIBS@"
 DOVECOT_SSL_LIBS="@SSL_LIBS@"
 DOVECOT_SQL_LIBS="@SQL_LIBS@"
 DOVECOT_COMPRESS_LIBS="@COMPRESS_LIBS@"
+DOVECOT_BINARY_CFLAGS="@BINARY_CFLAGS@"
+DOVECOT_BINARY_LDFLAGS="@BINARY_LDFLAGS@"
 
 LIBDOVECOT="@LIBDOVECOT@"
 LIBDOVECOT_LOGIN="@LIBDOVECOT_LOGIN@ @SSL_LIBS@"
diff --git a/m4/cc_fortify.m4 b/m4/cc_fortify.m4
new file mode 100644 (file)
index 0000000..e7c1b42
--- /dev/null
@@ -0,0 +1,21 @@
+dnl
+dnl Check for support for D_FORTIFY_SOURCE=2
+dnl
+
+AC_DEFUN([AC_CC_D_FORTIFY_SOURCE],[
+    AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+    if test $disable_hardening = no; then
+      case "$host" in
+        *)
+          gl_COMPILER_OPTION_IF([-O2 -D_FORTIFY_SOURCE=2], [
+            CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+            ],
+            [],
+            [AC_LANG_PROGRAM([[
+  #include <pthread.h>
+  __thread unsigned int t_id;
+              ]], [[t_id = 1;]])]
+          )
+      esac
+    fi
+])
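Review bot: `-D_FORTIFY_SOURCE=2` is appended to `CFLAGS` on the strength of a probe compiled with `-O2`, but `-O2` itself is never added, and the fortify wrappers only take effect when optimisation is enabled. A build configured with `CFLAGS=-O0` or `-g` alone would carry the define without the checks, and with some libc versions it would probably also produce a warning in every translation unit. Either probe with the flags the build will really use, `gl_COMPILER_OPTION_IF([-D_FORTIFY_SOURCE=2], [`, or record the limitation next to the probe: `dnl _FORTIFY_SOURCE needs optimisation; the probe uses -O2 but CFLAGS may not`. The `__thread` test program does not call any fortified function, so the probe mostly shows that the option is accepted.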
diff --git a/m4/cc_pie.m4 b/m4/cc_pie.m4
new file mode 100644 (file)
index 0000000..46b9921
--- /dev/null
@@ -0,0 +1,58 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([AC_CC_PIE],[
+    AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+    PIE_CFLAGS=
+    PIE_LDFLAGS=
+
+    if test $disable_hardening = no; then
+      OLD_CFLAGS=$CFLAGS
+      case "$host" in
+        *-*-mingw* | *-*-msvc* | *-*-cygwin* )
+           ;; dnl All code is position independent on Win32 target
+        *)
+          CFLAGS="-fPIE -DPIE"
+          gl_COMPILER_OPTION_IF([-pie], [
+            PIE_CFLAGS="-fPIE -DPIE"
+            PIE_LDFLAGS="-pie"
+            ], [
+              dnl some versions of clang require -Wl,-pie instead of -pie
+              gl_COMPILER_OPTION_IF([[-Wl,-pie]], [
+                PIE_CFLAGS="-fPIE -DPIE"
+                PIE_LDFLAGS="-Wl,-pie"
+                ], [AC_MSG_RESULT([not supported])],
+                [AC_LANG_PROGRAM([[
+  #include <pthread.h>
+  __thread unsigned int t_id;
+                  ]], [[t_id = 1;]])]
+              )
+            ],
+            [AC_LANG_PROGRAM([[
+  #include <pthread.h>
+  __thread unsigned int t_id;
+              ]], [[t_id = 1;]])]
+          )
+      esac
+      CFLAGS=$OLD_CFLAGS
+    fi
+    AC_SUBST([PIE_CFLAGS])
+    AC_SUBST([PIE_LDFLAGS])
+])
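Review bot: The PIE probe replaces `CFLAGS` outright with `-fPIE -DPIE`, so it runs without anything the user passed in `CFLAGS` (ABI or target selection, sysroot and similar), and its answer can differ from what the real build does. Keeping the caller's flags in the probe is a one-line change: `CFLAGS="$OLD_CFLAGS -fPIE -DPIE"`. The inner `AC_MSG_RESULT([not supported])` also looks unpaired if gl_COMPILER_OPTION_IF prints its own checking and result lines; that macro is defined outside this diff, so this is worth confirming in the configure output.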
diff --git a/m4/cc_stack_protector.m4 b/m4/cc_stack_protector.m4
new file mode 100644 (file)
index 0000000..93f06b0
--- /dev/null
@@ -0,0 +1,28 @@
+dnl
+dnl Check for support for -fstack-protector or -strong
+dnl
+
+AC_DEFUN([AC_CC_F_STACK_PROTECTOR],[
+    AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+    if test $disable_hardening = no; then
+      case "$host" in
+        *)
+          gl_COMPILER_OPTION_IF([-fstack-protector-strong], [
+            CFLAGS="$CFLAGS -fstack-protector-strong"
+            ],
+            [
+               gl_COMPILER_OPTION_IF([-fstack-protector], [
+                 CFLAGS="$CFLAGS -fstack-protector"
+                 ], [], [AC_LANG_PROGRAM([[
+  #include <pthread.h>
+  __thread unsigned int t_id;
+              ]], [[t_id = 1;]])])
+            ],
+            [AC_LANG_PROGRAM([[
+  #include <pthread.h>
+  __thread unsigned int t_id;
+              ]], [[t_id = 1;]])]
+          )
+      esac
+    fi
+])
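Review bot: `test $disable_hardening = no` is unquoted here and in cc_fortify.m4, cc_pie.m4 and ld_relro.m4, so an empty or multi-word value makes `test` fail with a syntax error and the whole hardening branch is skipped without any message. Quoting it in all four macros avoids that: `if test "x$disable_hardening" = xno; then`. The `case "$host" in *)` wrapper has a single catch-all arm, so it either wants a short `dnl` comment naming the hosts that are expected to be excluded later, or it can be dropped.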
diff --git a/m4/ld_relro.m4 b/m4/ld_relro.m4
new file mode 100644 (file)
index 0000000..1893861
--- /dev/null
@@ -0,0 +1,38 @@
+dnl
+dnl Check for -z now and -z relro linker flags
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library.  If not, see
+dnl <http://www.gnu.org/licenses/>.
+dnl
+
+AC_DEFUN([AC_LD_RELRO],[
+    RELRO_LDFLAGS=
+    if test $disable_hardening = no; then
+      AC_MSG_CHECKING([for how to force completely read-only GOT table])
+      ld_help=`$CXX -Wl,-help 2>&1`
+      case $ld_help in
+          *"-z relro"*) RELRO_LDFLAGS="-Wl,-z -Wl,relro" ;;
+      esac
+      case $ld_help in
+          *"-z now"*) RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now" ;;
+      esac
+      AS_IF([test "x$RELRO_LDFLAGS" != "x"],
+        [AC_MSG_RESULT([$RELRO_LDFLAGS])],
+        [AC_MSG_RESULT([unknown])]
+      )
+   fi
+   AC_SUBST([RELRO_LDFLAGS])
+])
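Review bot: The linker probe runs `$CXX -Wl,-help`, yet nothing in this diff shows a C++ compiler being configured, and the other checks all go through the C compiler. If `CXX` is empty or not usable, the command substitution fails, neither `case` arm matches, and both `-z relro` and `-z now` are dropped with only `unknown` printed. Using the C driver would keep the probe consistent with the rest of the build: `` ld_help=`$CC -Wl,-help 2>&1` ``. Because `unknown` here means the binaries are linked without RELRO, it may deserve an `AC_MSG_WARN` rather than a quiet result line.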