diff --git a/changes/bug5210 b/changes/bug5210 new file mode 100644 index 0000000000..b07e7f1f23 --- /dev/null +++ b/changes/bug5210 @@ -0,0 +1,2 @@ + o Security fixes: + - Enable gcc and ld hardening by default. Fixes bug 5210. diff --git a/configure.in b/configure.in index 7415ce8312..4a3ed0e6c3 100644 --- a/configure.in +++ b/configure.in @@ -122,19 +122,23 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows dnl This requires that we use gcc and that we add -O2 to the CFLAGS. AC_ARG_ENABLE(gcc-hardening, - AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks), + AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks), + [], + [enableval=yes;]) [if test x$enableval = xyes; then CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all" CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector" CFLAGS="$CFLAGS --param ssp-buffer-size=1" LDFLAGS="$LDFLAGS -pie" -fi]) +fi] dnl Linker hardening options dnl Currently these options are ELF specific - you can't use this with MacOSX AC_ARG_ENABLE(linker-hardening, - AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups), -[if test x$enableval = xyes; then + AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups), + [], + [enableval=yes;]) +AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then LDFLAGS="$LDFLAGS -z relro -z now" fi])