From a8add7421e674d5ca72f7759fba1201e2ff16b6f Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Sun, 13 Dec 2015 09:46:10 +0100 Subject: [PATCH] build: don't enable PIE by default PIE needs support from compiler, linker and dynamic linker. Even when everything seems in place, it can be unreliable. On many ARM toolchains, compiler and linker support is here but the dynamic linker doesn't know how to handle that. It is also reported that NetBSD/ppc or Solaris/x86 doesn't work correctly. Therefore, it is too difficult to detect proper support at configure time (notably with cross-compilation). Some OS (like OpenBSD, or Gentoo) come with automatic PIE support. No need to do anyhing special for them. People wanting to enable PIE should now use --enable-pie. --- NEWS | 2 ++ configure.ac | 7 +++++++ debian/rules | 2 +- redhat/lldpd.spec | 3 ++- 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 0d2a8559..f641c8e1 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,8 @@ lldpd (0.8.0) + Change the numeric value for LLDP-MED policy L2 priority value for "Best effort" to 0 to match 802.1D-2004. * Change: + + PIE is now disabled by default. It's too difficult to reliably + detect if it works. Use --enable-pie to enable it. + Retrieve the permanent MAC address of an interface through ethtool for Linux if /proc/net/bonding is not available. + Running lldpd with "-d" will keep the process in foreground but diff --git a/configure.ac b/configure.ac index f4c0a64a..3e3461d4 100644 --- a/configure.ac +++ b/configure.ac 
@@ -96,12 +96,19 @@ AC_ARG_ENABLE([hardening], [Enable compiler and linker options to frustrate memory corruption exploits @<:@default=yes@:>@])], [hardening="$enableval"], [hardening="yes"]) +AC_ARG_ENABLE([pie], + [AS_HELP_STRING([--enable-pie], + [Enable PIE (position independant executable) @<:@default=no@:>@])], + [pie="$enableval"], + [pie="no"]) if test x"$hardening" != x"no"; then AX_CFLAGS_GCC_OPTION([-fstack-protector], [LLDP_CFLAGS]) AX_CFLAGS_GCC_OPTION([-fstack-protector-all], [LLDP_CFLAGS]) AX_CFLAGS_GCC_OPTION([-fstack-protector-strong], [LLDP_CFLAGS]) AX_CFLAGS_GCC_OPTION([-D_FORTIFY_SOURCE=2], [LLDP_CPPFLAGS]) +fi +if test x"$pie" = x"yes"; then AX_CFLAGS_GCC_OPTION([-fPIE], [LLDP_CFLAGS]) AX_LDFLAGS_OPTION([-fPIE -pie], [LLDP_BIN_LDFLAGS], [AX_LDFLAGS_OPTION([-fPIE -Wl,-pie], [LLDP_BIN_LDFLAGS])]) diff --git a/debian/rules b/debian/rules index 854c11fd..42a8ce02 100755 --- a/debian/rules +++ b/debian/rules @@ -4,5 +4,5 @@ include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/rules/autoreconf.mk include /usr/share/cdbs/1/class/autotools.mk -DEB_CONFIGURE_EXTRA_FLAGS = --with-snmp --with-xml --with-json +DEB_CONFIGURE_EXTRA_FLAGS = --with-snmp --with-xml --with-json --enable-pie DEB_CONFIGURE_EXTRA_FLAGS += --with-systemdsystemunitdir=/lib/systemd/system diff --git a/redhat/lldpd.spec b/redhat/lldpd.spec index 7690d967..9f317681 100644 --- a/redhat/lldpd.spec +++ b/redhat/lldpd.spec @@ -203,7 +203,8 @@ to adjacent network devices. --localstatedir=%{_localstatedir} \ --sysconfdir=%{_sysconfdir} \ --libdir=%{_libdir} \ - --docdir=%{_docdir}/lldpd + --docdir=%{_docdir}/lldpd \ + --enable-pie [ -f %{_includedir}/net-snmp/agent/struct.h ] || touch src/struct.h make %{?_smp_mflags} -- 2.39.5
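Review bot: In the new `if test x"$pie" = x"yes"` branch of configure.ac, an explicit `--enable-pie` can still produce a non-PIE binary without any error, because the `AX_CFLAGS_GCC_OPTION` / `AX_LDFLAGS_OPTION` probes (defined outside this diff) appear to add a flag only when the toolchain accepts it. debian/rules and redhat/lldpd.spec now rely on this switch to keep full ASLR coverage for a daemon that handles data from adjacent network devices, so a silent skip would ship packages weaker than the packager asked for. I would fail hard after the probes, assuming they append to `LLDP_CFLAGS`, with something like `case "$LLDP_CFLAGS" in *-fPIE*) ;; *) AC_MSG_ERROR([--enable-pie requested but the toolchain rejected -fPIE]);; esac`, and also print the final PIE state in the configure summary. The test treats any value other than `yes` as off, unlike the `!= x"no"` comparison used for hardening just above, and the help string misspells "independent" as "independant". The `if` block opened here is closed outside the hunk.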