isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

When checking for -fstack-protector, treat warnings as fatal errors.

Browse Source
This commit is contained in:
Todd C. Miller
2012-05-24 11:03:10 -04:00
parent e54a007263
commit 7720a7fc89
2 changed files with 133 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

226
configure vendored
View File

@@ -612,6 +612,7 @@ ac_includes_default="\
# include <unistd.h> # include <unistd.h>
#endif" #endif"
ac_c_werror_flag=
ac_subst_vars='LTLIBOBJS ac_subst_vars='LTLIBOBJS
KRB5CONFIG KRB5CONFIG
LIBOBJS LIBOBJS
@@ -14645,115 +14646,6 @@ $as_echo "$sudo_cv_var_gcc_static_libgcc" >&6; }
LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc" LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
fi fi
fi fi
if test "$enable_hardening" != "no"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5
$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; }
if ${ax_cv_check_cflags___fstack_protector+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fstack-protector"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fstack_protector=yes
else
ax_cv_check_cflags___fstack_protector=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5
$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; }
if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then :
CFLAGS="${CFLAGS} -fstack-protector"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5
$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; }
if ${ax_cv_check_ldflags___fstack_protector+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -fstack-protector"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___fstack_protector=yes
else
ax_cv_check_ldflags___fstack_protector=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5
$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; }
if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then :
LDFLAGS="${LDFLAGS} -fstack-protector"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; }
if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,relro"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl__z_relro=yes
else
ax_cv_check_ldflags___Wl__z_relro=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5
$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then :
LDFLAGS="${LDFLAGS} -Wl,-z,relro"
else
:
fi
fi
for ac_prog in 'bison -y' byacc for ac_prog in 'bison -y' byacc
do do
@@ -20167,6 +20059,122 @@ EOF
$as_echo "$iolog_dir" >&6; } $as_echo "$iolog_dir" >&6; }
if test "$enable_hardening" != "no"; then
ac_c_werror_flag=yes
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5
$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; }
if ${ax_cv_check_cflags___fstack_protector+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fstack-protector"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fstack_protector=yes
else
ax_cv_check_cflags___fstack_protector=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5
$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; }
if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5
$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; }
if ${ax_cv_check_ldflags___fstack_protector+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -fstack-protector"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___fstack_protector=yes
else
ax_cv_check_ldflags___fstack_protector=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5
$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; }
if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then :
CFLAGS="${CFLAGS} -fstack-protector"
LDFLAGS="${LDFLAGS} -fstack-protector"
else
:
fi
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; }
if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,relro"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl__z_relro=yes
else
ax_cv_check_ldflags___Wl__z_relro=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5
$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then :
LDFLAGS="${LDFLAGS} -Wl,-z,relro"
else
:
fi
fi
case "$with_passwd" in case "$with_passwd" in
yes|maybe) yes|maybe)
AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo" AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"

24
configure.in
View File

@@ -1977,14 +1977,6 @@ if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then
LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc" LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
fi fi
fi fi
dnl
dnl Check for -fstack-protector and -z relro support
dnl
if test "$enable_hardening" != "no"; then
AX_CHECK_COMPILE_FLAG([-fstack-protector], [CFLAGS="${CFLAGS} -fstack-protector"])
AX_CHECK_LINK_FLAG([-fstack-protector], [LDFLAGS="${LDFLAGS} -fstack-protector"])
AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"])
fi
dnl dnl
dnl Program checks dnl Program checks
@@ -3161,6 +3153,22 @@ SUDO_LOGFILE
SUDO_TIMEDIR SUDO_TIMEDIR
SUDO_IO_LOGDIR SUDO_IO_LOGDIR
dnl
dnl Check for -fstack-protector and -z relro support
dnl This must be towards the end as it turns warnings
dnl into fatal errors (and there is no way to undo that)
dnl
if test "$enable_hardening" != "no"; then
AC_LANG_WERROR
AX_CHECK_COMPILE_FLAG([-fstack-protector], [
AX_CHECK_LINK_FLAG([-fstack-protector], [
CFLAGS="${CFLAGS} -fstack-protector"
LDFLAGS="${LDFLAGS} -fstack-protector"
])
])
AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"])
fi
dnl dnl
dnl Use passwd auth module? dnl Use passwd auth module?
dnl dnl