From: Remi Gacogne Date: Wed, 4 Nov 2015 15:17:15 +0000 (+0100) Subject: Add the same hardening options to dnsdist. X-Git-Tag: dnsdist-1.0.0-alpha1~247^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2860%2Fhead;p=thirdparty%2Fpdns.git Add the same hardening options to dnsdist. PIE, full read-only relocation, stack and buffer overflow protections are present for pdns, add them to dnsdist as well. --- diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am index eba8d7af08..75c9b3b552 100644 --- a/pdns/dnsdistdist/Makefile.am +++ b/pdns/dnsdistdist/Makefile.am @@ -59,6 +59,7 @@ dnsdist_SOURCES = \ dnsdist_LDFLAGS = \ $(AM_LDFLAGS) \ + $(PROGRAM_LDFLAGS) \ -pthread dnsdist_LDADD = \ diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac index dd29738048..93b3b262a9 100644 --- a/pdns/dnsdistdist/configure.ac +++ b/pdns/dnsdistdist/configure.ac @@ -17,6 +17,31 @@ DNSDIST_LUA AX_CXX_COMPILE_STDCXX_11(ext,mandatory) AC_DEFINE([HAVE_MBEDTLS2], [1], [Defined if mbed TLS version 2.x.x is used]) +AC_MSG_CHECKING([whether we will enable compiler security checks]) +AC_ARG_ENABLE([hardening], + [AS_HELP_STRING([--disable-hardening],[disable compiler security checks @<:@default=no@:>@])], + [enable_hardening=$enableval], + [enable_hardening=yes] +) +AC_MSG_RESULT([$enable_hardening]) + +AS_IF([test "x$enable_hardening" != "xno"], [ + AC_CC_PIE + AC_CC_STACK_PROTECTOR + AC_CC_PARAM_SSP_BUFFER_SIZE([4]) + AC_CC_D_FORTIFY_SOURCE + AC_LD_RELRO +]) + +LDFLAGS="$RELRO_LDFLAGS $LDFLAGS" + +AS_IF([test "x$static" != "xyes"], [ + CFLAGS="$PIE_CFLAGS $CFLAGS" + CXXFLAGS="$PIE_CFLAGS $CXXFLAGS" + PROGRAM_LDFLAGS="$PIE_LDFLAGS $PROGRAM_LDFLAGS" +]) +AC_SUBST([PROGRAM_LDFLAGS]) + AC_CONFIG_FILES([Makefile ext/yahttp/Makefile ext/yahttp/yahttp/Makefile]) diff --git a/pdns/dnsdistdist/m4/pdns_d_fortify_source.m4 b/pdns/dnsdistdist/m4/pdns_d_fortify_source.m4 new file mode 120000 index 0000000000..8aa713e9a8 --- /dev/null 
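Review bot: After the `AS_IF([test "x$enable_hardening" != "xno"], …)` block in configure.ac, nothing reports which flags the probes accepted, so the only configure output is the `yes` from `AC_MSG_RESULT([$enable_hardening])` even if `$PIE_CFLAGS`, `$PIE_LDFLAGS` or `$RELRO_LDFLAGS` came back empty. The probe macros are defined in the symlinked m4 files outside this hunk, so whether they fail or skip silently on an unsupported flag is inferred rather than visible here. A one-line summary after `AC_SUBST([PROGRAM_LDFLAGS])`, e.g. `AC_MSG_NOTICE([hardening flags: $PIE_CFLAGS $PIE_LDFLAGS $RELRO_LDFLAGS])`, would let packagers see at a glance that a build is missing PIE or RELRO. The `x$static` test also reads a variable this hunk never assigns; unless it is set earlier in configure.ac the PIE flags are always applied, so a short comment naming where `static` comes from would help.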
+++ b/pdns/dnsdistdist/m4/pdns_d_fortify_source.m4
@@ -0,0 +1 @@
+../../../m4/pdns_d_fortify_source.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4 b/pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4
new file mode 120000
index 0000000000..4058fe2020
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_param_ssp_buffer_size.m4
@@ -0,0 +1 @@
+../../../m4/pdns_param_ssp_buffer_size.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_pie.m4 b/pdns/dnsdistdist/m4/pdns_pie.m4
new file mode 120000
index 0000000000..18120c0f53
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_pie.m4
@@ -0,0 +1 @@
+../../../m4/pdns_pie.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_relro.m4 b/pdns/dnsdistdist/m4/pdns_relro.m4
new file mode 120000
index 0000000000..1f591df4ec
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_relro.m4
@@ -0,0 +1 @@
+../../../m4/pdns_relro.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/pdns_stack_protector.m4 b/pdns/dnsdistdist/m4/pdns_stack_protector.m4
new file mode 120000
index 0000000000..ba05f6618c
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_stack_protector.m4
@@ -0,0 +1 @@
+../../../m4/pdns_stack_protector.m4
\ No newline at end of file
diff --git a/pdns/dnsdistdist/m4/warnings.m4 b/pdns/dnsdistdist/m4/warnings.m4
new file mode 120000
index 0000000000..ec2d33fa96
--- /dev/null
+++ b/pdns/dnsdistdist/m4/warnings.m4
@@ -0,0 +1 @@
+../../../m4/warnings.m4
\ No newline at end of file