Anyone see any reason not to add these extra compiler/linker flags if they're supported?
Index: aclocal.m4
==================================================================
RCS file: /home/dtucker/openssh/cvs/openssh/aclocal.m4,v
retrieving revision 1.8
diff -u -p -r1.8 aclocal.m4
--- aclocal.m4 20 May 2011 01:45:25 -0000 1.8
+++ aclocal.m4 17 Dec 2012 03:56:32 -0000
@@ -21,6 +21,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
 )
 }])
 
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+ AC_MSG_CHECKING([if $LD supports $1])
+ saved_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $1"
+ _define_flag="$2"
+ test "x$_define_flag" = "x" && _define_flag="$1"
+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
+ [ AC_MSG_RESULT([yes])
+ LDFLAGS="$saved_LDFLAGS $_define_flag"],
+ [ AC_MSG_RESULT([no])
+ LDFLAGS="$saved_LDFLAGS" ]
+ )
+}])
 
 dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
 dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
Index: configure.ac
==================================================================
RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v
retrieving revision 1.499
diff -u -p -r1.499 configure.ac
--- configure.ac 12 Dec 2012 21:18:56 -0000 1.499
+++ configure.ac 17 Dec 2012 03:57:01 -0000
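Review bot: The `dnl` header added in the aclocal.m4 hunk documents the macro as `OSSH_CHECK_CFLAG_LINK`, but the `AC_DEFUN` line below it defines `OSSH_CHECK_LDFLAG_LINK`, which is the name configure.ac calls; the first comment line should read `dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])`. The comment and the `AC_MSG_CHECKING` text both say `$LD`, while `AC_LINK_IFELSE` normally runs the link through the compiler driver with `$LDFLAGS`, so wording such as `if $CC links with $1` would describe the test more accurately. I would also add a `dnl` line stating that the check only proves the trivial program links with exit status 0: a linker that warns about an option and ignores it would still pass, and the hardening flag would then be recorded in `$LDFLAGS` without taking effect.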
@@ -164,6 +164,11 @@ if test "$GCC" = "yes" || test "$GCC" =
 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
+ OSSH_CHECK_CFLAG_COMPILE([-fPIC])
+ OSSH_CHECK_LDFLAG_LINK([-pie])
+ OSSH_CHECK_LDFLAG_LINK([-Wa,--noexecstack])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
 AC_MSG_CHECKING([gcc version])
 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
 case $GCC_VER in
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
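Review bot: `OSSH_CHECK_LDFLAG_LINK([-pie])` is attempted whether or not the `-fPIC` check on the line above was accepted, so the two results can disagree; the trivial test program may link with `-pie` on a target where the real objects, built without position-independent code, would fail to link or would need text relocations. Assuming `OSSH_CHECK_CFLAG_COMPILE` appends accepted flags to `$CFLAGS`, as its use here suggests, the link flag can be gated on the compile flag, for example `case "$CFLAGS" in *-fPIC*) OSSH_CHECK_LDFLAG_LINK([-pie]) ;; esac`. Because a passed configure check is the only evidence that the hardening is present, it is worth confirming the outcome on the built binaries by inspecting their program headers (for example with `readelf -l`) for a position-independent executable type, a non-executable stack segment and a read-only relocation segment. The enclosing `if test "$GCC"` block starts and ends outside the hunk.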
On Fri, 21 Dec 2012, Darren Tucker wrote:
> Anyone see any reason not to add these extra compiler/linker flags if
> they're supported?
I think the risk is that some of these features need crt0/ld.so assistance to work that might be absent, causing the programs to link but fail to execute. Is this a problem in practice? I have no idea :) I'm not opposed to you committing this diff while we are still in development mode to help find out though.
> + OSSH_CHECK_CFLAG_COMPILE([-fPIC])
Isn't fPIE more usual?
> + OSSH_CHECK_LDFLAG_LINK([-pie])
> + OSSH_CHECK_LDFLAG_LINK([-Wa,--noexecstack])
> + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
> + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
On Dec 21 11:43, Darren Tucker wrote:
> Anyone see any reason not to add these extra compiler/linker flags if
> they're supported?
>
> Index: aclocal.m4
> ==================================================================
> RCS file: /home/dtucker/openssh/cvs/openssh/aclocal.m4,v
> retrieving revision 1.8
> diff -u -p -r1.8 aclocal.m4
> --- aclocal.m4 20 May 2011 01:45:25 -0000 1.8
> +++ aclocal.m4 17 Dec 2012 03:56:32 -0000
> @@ -21,6 +21,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
> )
> }])
>
> +dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
> +dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
> +dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
> +dnl 'check_flag'.
> +AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
> + AC_MSG_CHECKING([if $LD supports $1])
> + saved_LDFLAGS="$LDFLAGS"
> + LDFLAGS="$LDFLAGS $1"
> + _define_flag="$2"
> + test "x$_define_flag" = "x" && _define_flag="$1"
> + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
> + [ AC_MSG_RESULT([yes])
> + LDFLAGS="$saved_LDFLAGS $_define_flag"],
> + [ AC_MSG_RESULT([no])
> + LDFLAGS="$saved_LDFLAGS" ]
> + )
> +}])
>
> dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
> dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
> Index: configure.ac
> ==================================================================
> RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v
> retrieving revision 1.499
> diff -u -p -r1.499 configure.ac
> --- configure.ac 12 Dec 2012 21:18:56 -0000 1.499
> +++ configure.ac 17 Dec 2012 03:57:01 -0000
> @@ -164,6 +164,11 @@ if test "$GCC" = "yes" || test "$GCC" =
> OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
> OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
> OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
> + OSSH_CHECK_CFLAG_COMPILE([-fPIC])
> + OSSH_CHECK_LDFLAG_LINK([-pie])
> + OSSH_CHECK_LDFLAG_LINK([-Wa,--noexecstack])
Shouldn't that be OSSH_CHECK_CFLAG_COMPILE([-Wa,--noexecstack]) ? Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat