build: don't enable PIE by default

PIE needs support from compiler, linker and dynamic linker. Even
when everything seems in place, it can be unreliable. On many ARM
toolchains, compiler and linker support is here but the dynamic
linker doesn't know how to handle that. It is also reported that
NetBSD/ppc or Solaris/x86 doesn't work correctly. Therefore, it is
too difficult to detect proper support at configure time (notably
with cross-compilation). Some OS (like OpenBSD, or Gentoo) come
with automatic PIE support. No need to do anyhing special for
them.

People wanting to enable PIE should now use --enable-pie.

diff --git a/NEWS b/NEWS
index 0d2a8559dff7ee87ab381fa2a05fddd62c60cbb0..f641c8e191e8e8dfa139652f0f19bf492bc6a146 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ lldpd (0.8.0)
     + Change the numeric value for LLDP-MED policy L2 priority value
       for "Best effort" to 0 to match 802.1D-2004.
   * Change:
+    + PIE is now disabled by default. It's too difficult to reliably
+      detect if it works. Use --enable-pie to enable it.
     + Retrieve the permanent MAC address of an interface through
       ethtool for Linux if /proc/net/bonding is not available.
     + Running lldpd with "-d" will keep the process in foreground but

diff --git a/configure.ac b/configure.ac
index f4c0a64a0eb0b53ca6a3f15331c0a1e474d91697..3e3461d4ce12f50ce532a5bccab3e39582e565a4 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -96,12 +96,19 @@ AC_ARG_ENABLE([hardening],
     [Enable compiler and linker options to frustrate memory corruption exploits @<:@default=yes@:>@])],
   [hardening="$enableval"],
   [hardening="yes"])
+AC_ARG_ENABLE([pie],
+  [AS_HELP_STRING([--enable-pie],
+    [Enable PIE (position independant executable) @<:@default=no@:>@])],
+  [pie="$enableval"],
+  [pie="no"])
 
 if test x"$hardening" != x"no"; then
   AX_CFLAGS_GCC_OPTION([-fstack-protector], [LLDP_CFLAGS])
   AX_CFLAGS_GCC_OPTION([-fstack-protector-all], [LLDP_CFLAGS])
   AX_CFLAGS_GCC_OPTION([-fstack-protector-strong], [LLDP_CFLAGS])
   AX_CFLAGS_GCC_OPTION([-D_FORTIFY_SOURCE=2], [LLDP_CPPFLAGS])
+fi
+if test x"$pie" = x"yes"; then
   AX_CFLAGS_GCC_OPTION([-fPIE], [LLDP_CFLAGS])
   AX_LDFLAGS_OPTION([-fPIE -pie], [LLDP_BIN_LDFLAGS],
     [AX_LDFLAGS_OPTION([-fPIE -Wl,-pie], [LLDP_BIN_LDFLAGS])])

diff --git a/debian/rules b/debian/rules
index 854c11fd9604c37b10e104710832a809cfc39ce5..42a8ce025e78efb9fe05799f2428eeed4d0fd54e 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -4,5 +4,5 @@ include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/rules/autoreconf.mk
 include /usr/share/cdbs/1/class/autotools.mk
 
-DEB_CONFIGURE_EXTRA_FLAGS = --with-snmp --with-xml --with-json
+DEB_CONFIGURE_EXTRA_FLAGS = --with-snmp --with-xml --with-json --enable-pie
 DEB_CONFIGURE_EXTRA_FLAGS += --with-systemdsystemunitdir=/lib/systemd/system

diff --git a/redhat/lldpd.spec b/redhat/lldpd.spec
index 7690d967dd6a5c3f31d898a98b33f44c095b65ab..9f317681c735e3005b3e34e734e669ade5e43737 100644 (file)
--- a/redhat/lldpd.spec
+++ b/redhat/lldpd.spec
@@ -203,7 +203,8 @@ to adjacent network devices.
    --localstatedir=%{_localstatedir} \
    --sysconfdir=%{_sysconfdir} \
    --libdir=%{_libdir} \
-   --docdir=%{_docdir}/lldpd
+   --docdir=%{_docdir}/lldpd \
+   --enable-pie
 
 [ -f %{_includedir}/net-snmp/agent/struct.h ] || touch src/struct.h
 make %{?_smp_mflags}