From: Aki Tuomi <cmouse@desteem.org>
Date: Tue, 16 Dec 2014 11:06:48 +0000 (+0200)
Subject: Pie, Relro and stack protector support
X-Git-Tag: rec-3.7.0-rc1~109^2~3^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d0354b189c12e1e14f5309d3b49935c17f9eeb0;p=thirdparty%2Fpdns.git

Pie, Relro and stack protector support
---

diff --git a/pdns/Makefile-recursor b/pdns/Makefile-recursor
index 7822783304..f540c86440 100644
--- a/pdns/Makefile-recursor
+++ b/pdns/Makefile-recursor
@@ -4,9 +4,9 @@ BINDIR=/usr/bin/
 SYSCONFDIR=/etc/powerdns/
 LOCALSTATEDIR=/var/run/
 OPTFLAGS?=-O3
-CXXFLAGS:= $(CXXFLAGS) -Iext/rapidjson/include -I$(CURDIR)/ext/polarssl/include -Wall $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -pthread -Iext/yahttp
-CFLAGS:=$(CFLAGS) -Wall $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -I$(CURDIR)/ext/polarssl/include -pthread
-LDFLAGS:=$(LDFLAGS) $(ARCHFLAGS) -pthread
+CXXFLAGS:= $(CXXFLAGS) -Iext/rapidjson/include -I$(CURDIR)/ext/polarssl/include -Wall @CF_PIE@ @CF_FORTIFY@ @CF_STACK@ $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -pthread -Iext/yahttp
+CFLAGS:=$(CFLAGS) -Wall $(OPTFLAGS) @CF_PIE@ @CF_FORTIFY@ @CF_STACK@ $(PROFILEFLAGS) $(ARCHFLAGS) -I$(CURDIR)/ext/polarssl/include -pthread
+LDFLAGS:=$(LDFLAGS) $(ARCHFLAGS) -pthread @LD_RELRO@ @LD_PIE@
 STRIP_BINARIES?=1
 
 LINKCC=$(CXX)
@@ -16,7 +16,7 @@ CC?=gcc
 
 # static dependencies
 
-PDNS_RECURSOR_OBJECTS=syncres.o  misc.o unix_utility.o qtype.o logger.o  \
+PDNS_RECURSOR_OBJECTS=syncres.o misc.o unix_utility.o qtype.o logger.o \
 arguments.o lwres.o pdns_recursor.o recursor_cache.o dnsparser.o \
 dnswriter.o dnsrecords.o rcpgenerator.o base64.o zoneparser-tng.o \
 rec_channel.o rec_channel_rec.o selectmplexer.o sillyrecords.o \
@@ -56,7 +56,7 @@ else
 	STATICFLAGS=-lstdc++ $(LUALIBS) -ldl -lm -static 
 	LINKCC=$(CC)
    else
-	LDFLAGS +=  $(LUALIBS)
+	LDFLAGS += $(LUALIBS)
    endif
 endif
 
@@ -91,7 +91,7 @@ message:
 
 basic_checks: 
 	@-rm -f pdns_hw
-	-$(CXX) $(CXXFLAGS)  pdns_hw.cc -o pdns_hw 
+	-$(CXX) $(CXXFLAGS) pdns_hw.cc -o pdns_hw
 	@echo
 	@if test -x ./pdns_hw ; \
 		 then if ./pdns_hw; then echo Everything ok, now run $(MAKE) using same settings \(if any\) you passed ./configure; else echo Could compile binary, but not run it, read README please ; fi; \
diff --git a/pdns/build-recursor b/pdns/build-recursor
index 993fb12828..6f5f431600 100755
--- a/pdns/build-recursor
+++ b/pdns/build-recursor
@@ -9,7 +9,7 @@ then
 else
 	DEBPKGNAME=pdns-recursor_$1
 fi
-
+./configure
 dh_make -e powerdns.support@powerdns.com -s -f ../pdns-recursor-$1.tar.bz2 -p $DEBPKGNAME < /dev/null
 cp pdns-recursor.init.d debian/init.d
 #[ -e debian/control ] || dh_make -e powerdns.support@powerdns.com -s -r cdbs  -f ../pdns-recursor-$1.tar.bz2  < /dev/null
@@ -18,6 +18,6 @@ perl -i -pe 's/Description: <.*>/Description: extremely powerful and versatile r
 perl -i -pe 's/(Build-Depends: .*)/$1, libboost-dev, libboost-serialization-dev, liblua5.1-0-dev/' debian/control
 export LUA=1
 export STATIC=semi
+./configure
 fakeroot debian/rules binary
 fakeroot rpmbuild -bb ../pdns-recursor.spec
- 
diff --git a/pdns/configure-recursor b/pdns/configure-recursor
index d69172d61a..19fd66d8c6 100755
--- a/pdns/configure-recursor
+++ b/pdns/configure-recursor
@@ -1,7 +1,77 @@
 #!/bin/sh
+set -e
+
+if [ "$CXX" = "" ]; then
+  CXX="g++"
+fi
+
+if [ "$STATIC" = "" ]; then
+  STATIC="no"
+fi
+
+set -u
+
+LD_RELRO=""
+CF_PIE=""
+LD_PIE=""
+CF_FORTIFY=""
+CF_STACK=""
+
+test_flags() {
+  # test for relocation
+
+  if $CXX -Wl,-help 2>/dev/null | grep -q 'z relro'; then
+    export LD_RELRO="-Wl,-z -Wl,relro"
+    if $CXX -Wl,-help 2>/dev/null | grep -q 'z now'; then
+      export LD_RELRO="$LD_RELRO -Wl,-z -Wl,now"
+    fi
+  fi
+
+  src=conftest.cc
+  cat >$src <<EOF
+int
+main ()
+{
+  return 0;
+}
+EOF
+  # test for PIE
+
+  if $CXX $src -c -o a.out -fPIE -fPIC -DPIE; then
+    export CF_PIE="-fPIE -fPIC -DPIE"
+    if [ "$STATIC" != "semi" ] && [ "$STATIC" != "full" ] && $CXX -pie -o a2.out a.out; then
+      export LD_PIE="-pie"
+    fi
+    rm -f a2.out
+    rm -f a.out
+  fi
+
+  # test for fortified source
+  if $CXX $src -c -o a.out -O3 -D_FORTIFY_SOURCE=2; then
+    export CF_FORTIFY="-D_FORTIFY_SOURCE=2"
+    rm -f a.out
+  fi
+
+  # test for stack protector
+  if $CXX $src -c -o a.out -O3 -fstack-protector; then
+    export CF_STACK="-fstack-protector"
+    if $CXX $src -c -o a.out -O3 -fstack-protector --param ssp-buffer-size=4; then
+      export CF_STACK="$CF_STACK --param ssp-buffer-size=4"
+    fi
+    rm -f a.out
+  fi
+
+  rm -f $src
+}
+
+test_flags
+
+sed -e "s/@LD_RELRO@/$LD_RELRO/g" -e "s/@LD_PIE@/$LD_PIE/g" -e "s/@CF_PIE@/$CF_PIE/g" -e "s/@CF_FORTIFY@/$CF_FORTIFY/g" -e "s/@CF_STACK@/$CF_STACK/g" < Makefile.in > Makefile 
+
 echo Testing dependencies and compiler.
 
-GMAKE=`which gmake`
+GMAKE=`which gmake || echo ""`
+
 if test -z "$GMAKE"
 then
 	make basic_checks
diff --git a/pdns/dist-recursor b/pdns/dist-recursor
index b61a032495..cfa5616a6e 100755
--- a/pdns/dist-recursor
+++ b/pdns/dist-recursor
@@ -47,7 +47,7 @@ DIRNAME=pdns-recursor-$VERSION
 rm -rf $DIRNAME
 mkdir  $DIRNAME
 cp $INCLUDES $CFILES $DIRNAME
-cp Makefile-recursor $DIRNAME/Makefile
+cp Makefile-recursor $DIRNAME/Makefile.in
 cp README-recursor $DIRNAME/README
 cp ../COPYING ../NOTICE $DIRNAME/
 cp config-recursor.h $DIRNAME/config.h