From: Aki Tuomi Date: Tue, 19 Apr 2016 11:52:56 +0000 (+0300) Subject: configure: Check for hardening flags X-Git-Tag: 2.3.0.rc1~3322 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=14a7cd46677cc0052319f2cd84a7b720efa60499;p=thirdparty%2Fdovecot%2Fcore.git configure: Check for hardening flags
---
diff --git a/configure.ac b/configure.ac
index f7de2ffaf4..0621487945 100644
--- a/configure.ac
+++ b/configure.ac
@@ -16,6 +16,14 @@ PKG_PROG_PKG_CONFIG
 ACLOCAL_AMFLAGS='-I $(top_srcdir)/m4'
 AC_SUBST(ACLOCAL_AMFLAGS)
+AC_ARG_ENABLE(hardening,
+AS_HELP_STRING([--disable-hardening=no], [Disable various hardenings (default: no)]),
+ disable_hardening=$enableval,
+ disable_hardening=no)
+
+AC_MSG_CHECKING([Whether to disable hardening])
+AC_MSG_RESULT([$disable_hardening])
+
 AC_ARG_ENABLE(devel-checks,
 AS_HELP_STRING([--enable-devel-checks], [Enable some extra expensive checks for developers]),
 if test x$enableval = xyes; then
@@ -316,6 +324,10 @@ AC_CHECK_HEADERS(strings.h stdint.h unistd.h dirent.h malloc.h inttypes.h \
 sys/utsname.h glob.h linux/falloc.h ucred.h sys/ucred.h)
 CC_CLANG
+AC_CC_PIE
+AC_CC_F_STACK_PROTECTOR
+AC_CC_D_FORTIFY_SOURCE
+AC_LD_RELRO
 DOVECOT_CFLAGS
@@ -785,6 +797,12 @@ AC_DEFINE_UNQUOTED(CAPABILITY_STRING, "$capability", [IMAP capabilities])
 AC_DEFINE_UNQUOTED(CAPABILITY_BANNER_STRING, "$capability_banner", [IMAP capabilities advertised in banner])
 CFLAGS="$CFLAGS $EXTRA_CFLAGS"
+BINARY_LDFLAGS="$PIE_LDFLAGS $RELRO_LDFLAGS"
+BINARY_CFLAGS="$PIE_CFLAGS"
+
+AC_SUBST(BINARY_CFLAGS)
+AC_SUBST(BINARY_LDFLAGS)
+
 NOPLUGIN_LDFLAGS="-no-undefined"
 if test "$with_gnu_ld" = yes; then
 NOPLUGIN_LDFLAGS="$NOPLUGIN_LDFLAGS -Wl,--as-needed"
diff --git a/dovecot-config.in.in b/dovecot-config.in.in
index f776c387cf..662c72f4e3 100644
--- a/dovecot-config.in.in
+++ b/dovecot-config.in.in
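Review bot: The option logic in the new AC_ARG_ENABLE(hardening) block is inverted: AC_ARG_ENABLE sets enableval to `no` for `--disable-hardening`, so `disable_hardening=$enableval` leaves the variable at `no` and the four m4 macros, which all test `$disable_hardening = no`, keep hardening on; conversely `--enable-hardening` yields `disable_hardening=yes` and switches hardening off. The help string `--disable-hardening=no` also documents a form nobody would type. Suggested replacement lines: `AS_HELP_STRING([--disable-hardening], [Disable various hardenings (default: enabled)]),` and, in place of `disable_hardening=$enableval,`, `[AS_IF([test "x$enableval" = xno], [disable_hardening=yes], [disable_hardening=no])],`. The macros additionally use `$disable_hardening` unquoted in `test`, which becomes a shell syntax error if the variable is ever empty; `test "x$disable_hardening" = xno` is the safe form.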
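Review bot: In the third configure.ac hunk `$RELRO_LDFLAGS` is placed only in BINARY_LDFLAGS, so as far as this diff shows `-z relro`/`-z now` reach the executables but not libdovecot*.so or the plugins, which are shared objects with their own GOT/PLT; the stack-protector and FORTIFY flags, by contrast, are appended to the global CFLAGS inside the m4 macros and apply to everything. If that split is not deliberate, `LDFLAGS="$LDFLAGS $RELRO_LDFLAGS"` together with `BINARY_LDFLAGS="$PIE_LDFLAGS"` would harden the shared objects too while keeping `-pie` executable-only. How BINARY_CFLAGS and BINARY_LDFLAGS are consumed by the Makefiles is outside this diff, so the effect on plugins is inferred from the variable names.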
@@ -3,6 +3,8 @@ DOVECOT_LIBS="@LIBS@"
 DOVECOT_SSL_LIBS="@SSL_LIBS@"
 DOVECOT_SQL_LIBS="@SQL_LIBS@"
 DOVECOT_COMPRESS_LIBS="@COMPRESS_LIBS@"
+DOVECOT_BINARY_CFLAGS="@BINARY_CFLAGS@"
+DOVECOT_BINARY_LDFLAGS="@BINARY_LDFLAGS@"
 LIBDOVECOT="@LIBDOVECOT@"
 LIBDOVECOT_LOGIN="@LIBDOVECOT_LOGIN@ @SSL_LIBS@"
diff --git a/m4/cc_fortify.m4 b/m4/cc_fortify.m4
new file mode 100644
index 0000000000..e7c1b428fb
--- /dev/null
+++ b/m4/cc_fortify.m4
@@ -0,0 +1,21 @@
+dnl
+dnl Check for support for D_FORTIFY_SOURCE=2
+dnl
+
+AC_DEFUN([AC_CC_D_FORTIFY_SOURCE],[
+ AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+ if test $disable_hardening = no; then
+ case "$host" in
+ *)
+ gl_COMPILER_OPTION_IF([-O2 -D_FORTIFY_SOURCE=2], [
+ CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+ ],
+ [],
+ [AC_LANG_PROGRAM([[
+ #include
+ __thread unsigned int t_id;
+ ]], [[t_id = 1;]])]
+ )
+ esac
+ fi
+])
diff --git a/m4/cc_pie.m4 b/m4/cc_pie.m4
new file mode 100644
index 0000000000..46b99214e1
--- /dev/null
+++ b/m4/cc_pie.m4
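Review bot: AC_CC_D_FORTIFY_SOURCE probes with `-O2 -D_FORTIFY_SOURCE=2` but then appends only `-D_FORTIFY_SOURCE=2` to CFLAGS, so a build whose CFLAGS end up without optimization (for example `-O0 -g` for debugging) passes the probe yet gets no fortification, and glibc's headers warn that _FORTIFY_SOURCE requires optimization. When the toolchain or the user's CFLAGS already define _FORTIFY_SOURCE (several distributions enable it in the compiler by default) the append also produces a redefinition warning, which `CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"` avoids. The `AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])` and gl_COMPILER_OPTION_IF calls depend on gnulib's warnings.m4 being present under m4/, which this diff does not add; presumably it is already in the tree, but that is worth confirming. The `AC_` prefix on the macro names here and in cc_pie.m4, cc_stack_protector.m4 and ld_relro.m4 is the namespace reserved for Autoconf itself; the Autoconf manual asks third-party macros to use a package prefix such as `DC_` or `DOVECOT_`.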
@@ -0,0 +1,58 @@
+dnl
+dnl Check for support for position independent executables
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([AC_CC_PIE],[
+ AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+ PIE_CFLAGS=
+ PIE_LDFLAGS=
+
+ if test $disable_hardening = no; then
+ OLD_CFLAGS=$CFLAGS
+ case "$host" in
+ *-*-mingw* | *-*-msvc* | *-*-cygwin* )
+ ;; dnl All code is position independent on Win32 target
+ *)
+ CFLAGS="-fPIE -DPIE"
+ gl_COMPILER_OPTION_IF([-pie], [
+ PIE_CFLAGS="-fPIE -DPIE"
+ PIE_LDFLAGS="-pie"
+ ], [
+ dnl some versions of clang require -Wl,-pie instead of -pie
+ gl_COMPILER_OPTION_IF([[-Wl,-pie]], [
+ PIE_CFLAGS="-fPIE -DPIE"
+ PIE_LDFLAGS="-Wl,-pie"
+ ], [AC_MSG_RESULT([not supported])],
+ [AC_LANG_PROGRAM([[
+ #include
+ __thread unsigned int t_id;
+ ]], [[t_id = 1;]])]
+ )
+ ],
+ [AC_LANG_PROGRAM([[
+ #include
+ __thread unsigned int t_id;
+ ]], [[t_id = 1;]])]
+ )
+ esac
+ CFLAGS=$OLD_CFLAGS
+ fi
+ AC_SUBST([PIE_CFLAGS])
+ AC_SUBST([PIE_LDFLAGS])
+])
diff --git a/m4/cc_stack_protector.m4 b/m4/cc_stack_protector.m4
new file mode 100644
index 0000000000..93f06b055e
--- /dev/null
+++ b/m4/cc_stack_protector.m4
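Review bot: The probe in AC_CC_PIE overwrites CFLAGS with `CFLAGS="-fPIE -DPIE"` rather than appending, so whatever the user or the cross-compilation setup put in CFLAGS (a sysroot, `-m32`, a flag that conflicts with PIE) is absent while `-pie` is tested, and the answer may not match the flags the real build uses; `CFLAGS="$CFLAGS -fPIE -DPIE"` keeps the probe representative, and the original value is restored from OLD_CFLAGS either way. The `AC_MSG_RESULT([not supported])` in the clang fallback has no matching AC_MSG_CHECKING, so it prints a stray line after gl_COMPILER_OPTION_IF has already reported its own cache-check result, and can be dropped. The three-line AC_LANG_PROGRAM prologue is written out twice here and again in cc_fortify.m4 and cc_stack_protector.m4; one shared m4 definition would keep the probes in step if the snippet ever needs changing.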
@@ -0,0 +1,28 @@
+dnl
+dnl Check for support for -fstack-protector or -strong
+dnl
+
+AC_DEFUN([AC_CC_F_STACK_PROTECTOR],[
+ AC_REQUIRE([gl_UNKNOWN_WARNINGS_ARE_ERRORS])
+ if test $disable_hardening = no; then
+ case "$host" in
+ *)
+ gl_COMPILER_OPTION_IF([-fstack-protector-strong], [
+ CFLAGS="$CFLAGS -fstack-protector-strong"
+ ],
+ [
+ gl_COMPILER_OPTION_IF([-fstack-protector], [
+ CFLAGS="$CFLAGS -fstack-protector"
+ ], [], [AC_LANG_PROGRAM([[
+ #include
+ __thread unsigned int t_id;
+ ]], [[t_id = 1;]])])
+ ],
+ [AC_LANG_PROGRAM([[
+ #include
+ __thread unsigned int t_id;
+ ]], [[t_id = 1;]])]
+ )
+ esac
+ fi
+])
diff --git a/m4/ld_relro.m4 b/m4/ld_relro.m4
new file mode 100644
index 0000000000..18938612c3
--- /dev/null
+++ b/m4/ld_relro.m4
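Review bot: The `case "$host" in *)` wrapper around the stack-protector probe has a single catch-all arm and no host-specific cases, so it only adds nesting (cc_fortify.m4 carries the same scaffolding); removing the case/esac pair leaves behaviour unchanged and reads more clearly, and it looks like a leftover from the host-switching macro this was adapted from. The header line `Check for support for -fstack-protector or -strong` would say more as `Prefer -fstack-protector-strong, fall back to -fstack-protector`. Whether gl_COMPILER_OPTION_IF links the probe or only compiles it is not visible here; if it is compile-only, a libc that lacks __stack_chk_fail would pass the check and fail at the first real link, and an AC_LINK_IFELSE with the chosen flag would catch that case up front.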
@@ -0,0 +1,38 @@
+dnl
+dnl Check for -z now and -z relro linker flags
+dnl
+dnl Copyright (C) 2013 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl .
+dnl
+
+AC_DEFUN([AC_LD_RELRO],[
+ RELRO_LDFLAGS=
+ if test $disable_hardening = no; then
+ AC_MSG_CHECKING([for how to force completely read-only GOT table])
+ ld_help=`$CXX -Wl,-help 2>&1`
+ case $ld_help in
+ *"-z relro"*) RELRO_LDFLAGS="-Wl,-z -Wl,relro" ;;
+ esac
+ case $ld_help in
+ *"-z now"*) RELRO_LDFLAGS="$RELRO_LDFLAGS -Wl,-z -Wl,now" ;;
+ esac
+ AS_IF([test "x$RELRO_LDFLAGS" != "x"],
+ [AC_MSG_RESULT([$RELRO_LDFLAGS])],
+ [AC_MSG_RESULT([unknown])]
+ )
+ fi
+ AC_SUBST([RELRO_LDFLAGS])
+])
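Review bot: The `ld_help=` assignment runs `$CXX -Wl,-help`, i.e. the C++ compiler, but the configure.ac hunks in this diff only set up a C toolchain (CC_CLANG, CFLAGS-based probes); unless AC_PROG_CXX runs elsewhere, `$CXX` is empty, the command fails, neither case pattern matches and RELRO_LDFLAGS stays empty, reported merely as `unknown`, so the loss of RELRO is silent. It should be `$CC -Wl,-help 2>&1`. Scraping the help text for the literal strings `-z relro` and `-z now` is also brittle across linkers (gold, lld and BSD ld word their help differently); an AC_LINK_IFELSE probe with `-Wl,-z,relro -Wl,-z,now` in LDFLAGS tests the capability that is actually wanted. The two independent case statements can also yield `-z now` without `-z relro`, although it is the combination that makes the GOT read-only; deciding on both flags together would make the result easier to reason about.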