From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Fri, 28 Aug 2015 14:27:03 +0000 (+0000)
Subject: - Feature #699: --enable-pie option to that builds PIE binary.
X-Git-Tag: release-1.5.5rc1~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62146024c373c8cc7ec73936347dd162f9a876d1;p=thirdparty%2Funbound.git

- Feature #699: --enable-pie option to that builds PIE binary.
- Feature #700: --enable-relro-now option that enables full read-only
  relocation.


git-svn-id: file:///svn/unbound/trunk@3483 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/acx_nlnetlabs.m4 b/acx_nlnetlabs.m4
index decf0f586..c9ca7558d 100644
--- a/acx_nlnetlabs.m4
+++ b/acx_nlnetlabs.m4
@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 27
+# Version 28
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
 # 2015-03-17 AHX_CONFIG_REALLOCARRAY added
 # 2013-09-19 FLTO help text improved.
 # 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
@@ -94,6 +95,8 @@
 # ACX_CHECK_MEMCMP_SIGNED	- check if memcmp uses signed characters.
 # AHX_MEMCMP_BROKEN		- replace memcmp func for CHECK_MEMCMP_SIGNED.
 # ACX_CHECK_SS_FAMILY           - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE			- add --enable-pie option and check if works
+# ACX_CHECK_RELRO_NOW		- add --enable-relro-now option and check it
 #
 
 dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@@ -1386,4 +1389,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
 #endif
 ]) ])
 
+dnl Check if CC and linker support -fPIE and -pie.
+dnl If so, sets them in CFLAGS / LDFLAGS.
+AC_DEFUN([ACX_CHECK_PIE], [
+    AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
+    AS_IF([test "x$enable_pie" = "xyes"], [
+	AC_MSG_CHECKING([if $CC supports PIE])
+	BAKLDFLAGS="$LDFLAGS"
+	BAKCFLAGS="$CFLAGS"
+	LDFLAGS="$LDFLAGS -pie"
+	CFLAGS="$CFLAGS -fPIE"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+	    if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+		LDFLAGS="$BAKLDFLAGS"
+		AC_MSG_RESULT(no)
+	    else
+		AC_MSG_RESULT(yes)
+	    fi
+	    rm -f conftest conftest.c conftest.o
+	], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
+    ])
+])
+
+dnl Check if linker supports -Wl,-z,relro,-z,now.
+dnl If so, adds it to LDFLAGS.
+AC_DEFUN([ACX_CHECK_RELRO_NOW], [
+    AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
+    AS_IF([test "x$enable_relro_now" = "xyes"], [
+	AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
+	BAKLDFLAGS="$LDFLAGS"
+	LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+	    if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+		LDFLAGS="$BAKLDFLAGS"
+		AC_MSG_RESULT(no)
+	    else
+		AC_MSG_RESULT(yes)
+	    fi
+	    rm -f conftest conftest.c conftest.o
+	], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
+    ])
+])
+
 dnl End of file
diff --git a/configure b/configure
index 6b0f52677..d7d320705 100755
--- a/configure
+++ b/configure
@@ -804,6 +804,8 @@ with_username
 enable_checking
 enable_debug
 enable_flto
+enable_pie
+enable_relro_now
 enable_shared
 enable_static
 with_pic
@@ -1465,6 +1467,10 @@ Optional Features:
   --enable-checking       Enable warnings, asserts, makefile-dependencies
   --enable-debug          same as enable-checking
   --disable-flto          Disable link-time optimization (gcc specific option)
+  --enable-pie            Enable Position-Independent Executable (eg. to fully
+                          benefit from ASLR, small performance penalty)
+  --enable-relro-now      Enable full relocation binding at load-time (RELRO
+                          NOW, to protect GOT and .dtor areas)
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-static[=PKGS]  build static libraries [default=yes]
   --enable-fast-install[=PKGS]
@@ -5879,6 +5885,96 @@ rm -f core conftest.err conftest.$ac_objext \
 fi
 
 
+    # Check whether --enable-pie was given.
+if test "${enable_pie+set}" = set; then :
+  enableval=$enable_pie;
+fi
+
+    if test "x$enable_pie" = "xyes"; then :
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports PIE" >&5
+$as_echo_n "checking if $CC supports PIE... " >&6; }
+	BAKLDFLAGS="$LDFLAGS"
+	BAKCFLAGS="$CFLAGS"
+	LDFLAGS="$LDFLAGS -pie"
+	CFLAGS="$CFLAGS -fPIE"
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+	    if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+		LDFLAGS="$BAKLDFLAGS"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	    else
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	    fi
+	    rm -f conftest conftest.c conftest.o
+
+else
+  LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+
+    # Check whether --enable-relro_now was given.
+if test "${enable_relro_now+set}" = set; then :
+  enableval=$enable_relro_now;
+fi
+
+    if test "x$enable_relro_now" = "xyes"; then :
+
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC supports -Wl,-z,relro,-z,now" >&5
+$as_echo_n "checking if $CC supports -Wl,-z,relro,-z,now... " >&6; }
+	BAKLDFLAGS="$LDFLAGS"
+	LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+	    if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+		LDFLAGS="$BAKLDFLAGS"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	    else
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	    fi
+	    rm -f conftest conftest.c conftest.o
+
+else
+  LDFLAGS="$BAKLDFLAGS" ; { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+
+fi
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5
 $as_echo_n "checking for inline... " >&6; }
 if ${ac_cv_c_inline+:} false; then :
diff --git a/configure.ac b/configure.ac
index 3595707e7..d5d8dd921 100644
--- a/configure.ac
+++ b/configure.ac
@@ -246,6 +246,8 @@ case "$debug_enabled" in
 		;;
 esac
 ACX_CHECK_FLTO
+ACX_CHECK_PIE
+ACX_CHECK_RELRO_NOW
 
 AC_C_INLINE
 ACX_CHECK_FORMAT_ATTRIBUTE
diff --git a/doc/Changelog b/doc/Changelog
index 7dd726913..2a5a161b7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,9 @@
 28 August 2015: Wouter
 	- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
 	  2.4 to 2.6.
+	- Feature #699: --enable-pie option to that builds PIE binary.
+	- Feature #700: --enable-relro-now option that enables full read-only
+	  relocation.
 
 24 August 2015: Wouter
 	- Fix deadlock for local data add and zone add when unbound-control