Add support for gcc compiler/linker hardening flags.
This patch adds support for two new configure options: '--enable-gcc-hardening' This sets CFLAGS to include: "-D_FORTIFY_SOURCE=2 -fstack-protector-all" "-fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security" "-Wpointer-sign" It sets LDFLAGS to include: "-pie" '--enable-linker-hardening' This sets LDFLAGS to include: " -z relro -z now"
This commit is contained in:
parent
c7114568c2
commit
04fa935e02
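--- /dev/null
+++ b/changes/compileTimeHardening
@@ -0,0 +1,12 @@
+Add two new configure flags:
+--enable-gcc-hardening
+This turns on gcc compile time hardening options. It ensures that
+signed ints have defined behavior (-fwrapv), -D_FORTIFY_SOURCE=2 is
+enabled (requiring -O2), stack smashing protection with canaries
+(-fstack-protector-all), ASLR protection if supported by the kernel
+(-fPIE, -pie). Additional security related warnings are enabled.
+Verified as working on Mac OS X and Debian Lenny.
+
+--enable-linker-hardening
+This turns on ELF specific hardening features (relro, now). This does
+not work with Mac OS X or any other non-ELF binary format.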
21
configure.in
21
configure.in
@ -90,6 +90,27 @@ AC_ARG_ENABLE(gcc-warnings,
|
|||||||
AC_ARG_ENABLE(gcc-warnings-advisory,
|
AC_ARG_ENABLE(gcc-warnings-advisory,
|
||||||
AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror]))
|
AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror]))
|
||||||
|
|
||||||
|
dnl Adam shostack suggests the following for Windows:
|
||||||
|
dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
|
||||||
|
dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
|
||||||
|
dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
|
||||||
|
AC_ARG_ENABLE(gcc-hardening,
|
||||||
|
AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
|
||||||
|
[if test x$enableval = xyes; then
|
||||||
|
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
|
||||||
|
CFLAGS+=" -fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security"
|
||||||
|
CFLAGS+=" -Wpointer-sign"
|
||||||
|
LDFLAGS+=" -pie"
|
||||||
|
fi])
|
||||||
|
|
||||||
|
dnl Linker hardening options
|
||||||
|
dnl Currently these options are ELF specific - you can't use this with MacOSX
|
||||||
|
AC_ARG_ENABLE(linker-hardening,
|
||||||
|
AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
|
||||||
|
[if test x$enableval = xyes; then
|
||||||
|
LDFLAGS+=" -z relro -z now"
|
||||||
|
fi])
|
||||||
|
|
||||||
AC_ARG_ENABLE(local-appdata,
|
AC_ARG_ENABLE(local-appdata,
|
||||||
AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
|
AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
|
||||||
if test "$enable_local_appdata" = "yes"; then
|
if test "$enable_local_appdata" = "yes"; then
|
||||||
|
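Review bot: The `CFLAGS+=" -fwrapv …"`, `CFLAGS+=" -Wpointer-sign"`, `LDFLAGS+=" -pie"` and `LDFLAGS+=" -z relro -z now"` lines in the two new AC_ARG_ENABLE blocks rely on the bash-only `+=` operator; a POSIX sh such as dash does not treat `VAR+=...` as an assignment, so under those shells the word is executed as a command, fails, and the flags are never appended — only the first `CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"` line takes effect, and -fPIE/-pie plus the relro/now linker hardening are silently absent on any system whose /bin/sh is not bash. Use the portable `VAR="$VAR …"` form in all four places, as the first line already does. The dnl comment above the block also states that -D_FORTIFY_SOURCE=2 requires -O2, but nothing in the option checks or adds an optimisation level, so a build configured with an unoptimised CFLAGS gets no fortification at all; consider either appending -O2 here or stating the requirement in the AS_HELP_STRING text so the gap is visible to whoever configures the build.
```m4
[if test x$enableval = xyes; then
   CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
   CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security"
   CFLAGS="$CFLAGS -Wpointer-sign"
   LDFLAGS="$LDFLAGS -pie"
dnl … unchanged: fi]), linker-hardening comments and AC_ARG_ENABLE(linker-hardening, …) …
   LDFLAGS="$LDFLAGS -z relro -z now"
```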