From f515c238bcf8627a2b2c7548a43fc02e00c4eedf Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 5 Dec 2022 12:34:12 -0700 Subject: [PATCH] Move PIE executable checks to m4/pie.m4 --- MANIFEST | 1 + aclocal.m4 | 1 + configure | 81 +++++++++++++++++++++++++++------------------------- configure.ac | 52 +-------------------------------- m4/pie.m4 | 54 +++++++++++++++++++++++++++++++++++ 5 files changed, 99 insertions(+), 90 deletions(-) create mode 100644 m4/pie.m4 diff --git a/MANIFEST b/MANIFEST index da6da8324..68a2e7633 100644 --- a/MANIFEST +++ b/MANIFEST @@ -431,6 +431,7 @@ m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 +m4/pie.m4 m4/python.m4 m4/runlog.m4 m4/sanitizer.m4 diff --git a/aclocal.m4 b/aclocal.m4 index db6648baa..762f79644 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -24,6 +24,7 @@ m4_include([m4/ltoptions.m4]) m4_include([m4/ltsugar.m4]) m4_include([m4/ltversion.m4]) m4_include([m4/lt~obsolete.m4]) +m4_include([m4/pie.m4]) m4_include([m4/python.m4]) m4_include([m4/runlog.m4]) m4_include([m4/sanitizer.m4]) diff --git a/configure b/configure index d41c5c02c..ae4833566 100755 --- a/configure +++ b/configure @@ -31602,18 +31602,19 @@ fi ;; esac -if test -n "$GCC"; then - if test -z "$enable_pie"; then - case "$host_os" in - linux*) - # Attempt to build with PIE support - enable_pie="maybe" - ;; - esac - fi - if test -n "$enable_pie"; then - if test "$enable_pie" = "no"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5 + + if test -n "$GCC"; then + if test X"$enable_pie" = X""; then + case "$host_os" in + linux*) + # Attempt to build with PIE support + enable_pie="maybe" + ;; + esac + fi + if test X"$enable_pie" != X""; then + if test "$enable_pie" = "no"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5 printf %s "checking whether C compiler accepts -fno-pie... " >&6; } if test ${ax_cv_check_cflags___fno_pie+y} then : @@ -31649,9 +31650,9 @@ printf "%s\n" "$ax_cv_check_cflags___fno_pie" >&6; } if test "x$ax_cv_check_cflags___fno_pie" = xyes then : - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-pie" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5 + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-pie" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5 printf %s "checking whether the linker accepts -nopie... " >&6; } if test ${ax_cv_check_ldflags___nopie+y} then : @@ -31688,23 +31689,23 @@ printf "%s\n" "$ax_cv_check_ldflags___nopie" >&6; } if test x"$ax_cv_check_ldflags___nopie" = xyes then : - PIE_CFLAGS="-fno-pie" - PIE_LDFLAGS="-nopie" + PIE_CFLAGS="-fno-pie" + PIE_LDFLAGS="-nopie" else case e in #( e) : ;; esac fi - CFLAGS="$_CFLAGS" + CFLAGS="$_CFLAGS" else case e in #( e) : ;; esac fi - else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 + else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 printf %s "checking whether C compiler accepts -fPIE... " >&6; } if test ${ax_cv_check_cflags___fPIE+y} then : @@ -31740,9 +31741,9 @@ printf "%s\n" "$ax_cv_check_cflags___fPIE" >&6; } if test "x$ax_cv_check_cflags___fPIE" = xyes then : - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fPIE" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 printf %s "checking whether the linker accepts -pie... " >&6; } if test ${ax_cv_check_ldflags___pie+y} then : @@ -31779,7 +31780,7 @@ printf "%s\n" "$ax_cv_check_ldflags___pie" >&6; } if test x"$ax_cv_check_ldflags___pie" = xyes then : - if test "$enable_pie" = "maybe"; then + if test "$enable_pie" = "maybe"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5 printf %s "checking for working PIE support... " >&6; } @@ -31819,32 +31820,32 @@ then : enable_pie=yes fi - fi - if test "$enable_pie" = "yes"; then - PIE_CFLAGS="-fPIE" - PIE_LDFLAGS="-Wc,-fPIE -pie" - fi + fi + if test "$enable_pie" = "yes"; then + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-Wc,-fPIE -pie" + fi else case e in #( e) : ;; esac fi - CFLAGS="$_CFLAGS" + CFLAGS="$_CFLAGS" else case e in #( e) : ;; esac fi + fi fi fi -fi -if test "$enable_pie" != "yes"; then - # Solaris 11.1 and higher supports tagging binaries to use ASLR - case "$host_os" in - solaris2.1[1-9]|solaris2.[2-9][0-9]) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5 + if test X"$enable_pie" != X"yes"; then + # Solaris 11.1 and higher supports tagging binaries to use ASLR + case "$host_os" in + solaris2.1[1-9]|solaris2.[2-9][0-9]) + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,aslr" >&5 printf %s "checking whether the linker accepts -Wl,-z,aslr... " >&6; } if test ${ax_cv_check_ldflags___Wl__z_aslr+y} then : @@ -31881,6 +31882,7 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_aslr" >&6; } if test x"$ax_cv_check_ldflags___Wl__z_aslr" = xyes then : + if test ${PIE_LDFLAGS+y} then : @@ -31914,14 +31916,15 @@ else case e in #( esac fi + else case e in #( e) : ;; esac fi - ;; - esac -fi + ;; + esac + fi if test -n "$GCC"; then diff --git a/configure.ac b/configure.ac index abd52aab3..cef994bc8 100644 --- a/configure.ac +++ b/configure.ac @@ -4568,57 +4568,7 @@ case "$OS" in ;; esac -dnl -dnl Check for PIE executable support if using gcc. -dnl This test relies on AC_LANG_WERROR -dnl -if test -n "$GCC"; then - if test -z "$enable_pie"; then - case "$host_os" in - linux*) - # Attempt to build with PIE support - enable_pie="maybe" - ;; - esac - fi - if test -n "$enable_pie"; then - if test "$enable_pie" = "no"; then - AX_CHECK_COMPILE_FLAG([-fno-pie], [ - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-pie" - AX_CHECK_LINK_FLAG([-nopie], [ - PIE_CFLAGS="-fno-pie" - PIE_LDFLAGS="-nopie" - ]) - CFLAGS="$_CFLAGS" - ]) - else - AX_CHECK_COMPILE_FLAG([-fPIE], [ - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fPIE" - AX_CHECK_LINK_FLAG([-pie], [ - if test "$enable_pie" = "maybe"; then - SUDO_WORKING_PIE([enable_pie=yes], []) - fi - if test "$enable_pie" = "yes"; then - PIE_CFLAGS="-fPIE" - PIE_LDFLAGS="-Wc,-fPIE -pie" - fi - ]) - CFLAGS="$_CFLAGS" - ]) - fi - fi -fi -if test "$enable_pie" != "yes"; then - # Solaris 11.1 and higher supports tagging binaries to use ASLR - case "$host_os" in - solaris2.1[[1-9]]|solaris2.[[2-9]][[0-9]]) - AX_CHECK_LINK_FLAG([-Wl,-z,aslr], [AX_APPEND_FLAG([-Wl,-z,aslr], [PIE_LDFLAGS])]) - ;; - esac -fi - +SUDO_CHECK_PIE_SUPPORT SUDO_SYMBOL_VISIBILITY SUDO_CHECK_SANITIZER SUDO_CHECK_HARDENING diff --git a/m4/pie.m4 b/m4/pie.m4 new file mode 100644 index 000000000..297818aaf --- /dev/null +++ b/m4/pie.m4 @@ -0,0 +1,54 @@ +AC_DEFUN([SUDO_CHECK_PIE_SUPPORT], [ + dnl + dnl Check for PIE executable support if using gcc. + dnl This test relies on AC_LANG_WERROR + dnl + if test -n "$GCC"; then + if test X"$enable_pie" = X""; then + case "$host_os" in + linux*) + # Attempt to build with PIE support + enable_pie="maybe" + ;; + esac + fi + if test X"$enable_pie" != X""; then + if test "$enable_pie" = "no"; then + AX_CHECK_COMPILE_FLAG([-fno-pie], [ + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-pie" + AX_CHECK_LINK_FLAG([-nopie], [ + PIE_CFLAGS="-fno-pie" + PIE_LDFLAGS="-nopie" + ]) + CFLAGS="$_CFLAGS" + ]) + else + AX_CHECK_COMPILE_FLAG([-fPIE], [ + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + AX_CHECK_LINK_FLAG([-pie], [ + if test "$enable_pie" = "maybe"; then + SUDO_WORKING_PIE([enable_pie=yes], []) + fi + if test "$enable_pie" = "yes"; then + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-Wc,-fPIE -pie" + fi + ]) + CFLAGS="$_CFLAGS" + ]) + fi + fi + fi + if test X"$enable_pie" != X"yes"; then + # Solaris 11.1 and higher supports tagging binaries to use ASLR + case "$host_os" in + solaris2.1[[1-9]]|solaris2.[[2-9]][[0-9]]) + AX_CHECK_LINK_FLAG([-Wl,-z,aslr], [ + AX_APPEND_FLAG([-Wl,-z,aslr], [PIE_LDFLAGS]) + ]) + ;; + esac + fi +])