
Pie, Relro and stack protector support

1 parent e264252 commit 8d0354b189c12e1e14f5309d3b49935c17f9eeb0 @cmouse cmouse committed Dec 16, 2014
Showing with 80 additions and 10 deletions.
  1. +6 −6 pdns/Makefile-recursor
  2. +2 −2 pdns/build-recursor
  3. +71 −1 pdns/configure-recursor
  4. +1 −1 pdns/dist-recursor
@@ -4,9 +4,9 @@ BINDIR=/usr/bin/
SYSCONFDIR=/etc/powerdns/
LOCALSTATEDIR=/var/run/
OPTFLAGS?=-O3
-CXXFLAGS:= $(CXXFLAGS) -Iext/rapidjson/include -I$(CURDIR)/ext/polarssl/include -Wall $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -pthread -Iext/yahttp
-CFLAGS:=$(CFLAGS) -Wall $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -I$(CURDIR)/ext/polarssl/include -pthread
-LDFLAGS:=$(LDFLAGS) $(ARCHFLAGS) -pthread
+CXXFLAGS:= $(CXXFLAGS) -Iext/rapidjson/include -I$(CURDIR)/ext/polarssl/include -Wall @CF_PIE@ @CF_FORTIFY@ @CF_STACK@ $(OPTFLAGS) $(PROFILEFLAGS) $(ARCHFLAGS) -pthread -Iext/yahttp
+CFLAGS:=$(CFLAGS) -Wall $(OPTFLAGS) @CF_PIE@ @CF_FORTIFY@ @CF_STACK@ $(PROFILEFLAGS) $(ARCHFLAGS) -I$(CURDIR)/ext/polarssl/include -pthread
+LDFLAGS:=$(LDFLAGS) $(ARCHFLAGS) -pthread @LD_RELRO@ @LD_PIE@
STRIP_BINARIES?=1
LINKCC=$(CXX)
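Review bot: `@LD_PIE@` on the LDFLAGS line is fixed when ./configure runs, but the static-link branch further down this Makefile (the `STATICFLAGS=... -static` line visible in a later hunk) appears to be selected from STATIC at make time. Configuring without STATIC and then building with `STATIC=semi` would put `-pie` and `-static` on the same link line, so the hardening choice made by configure no longer matches the build. Consider stripping it inside the static branch with `LDFLAGS := $(filter-out -pie,$(LDFLAGS))`, or add a comment above LDFLAGS such as `# @LD_PIE@ is chosen by ./configure from $STATIC; re-run ./configure after changing STATIC`. The conditional that picks the branch is outside this hunk, so this is inferred from the visible lines.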
@@ -16,7 +16,7 @@ CC?=gcc
# static dependencies
-PDNS_RECURSOR_OBJECTS=syncres.o misc.o unix_utility.o qtype.o logger.o \
+PDNS_RECURSOR_OBJECTS=syncres.o misc.o unix_utility.o qtype.o logger.o \
arguments.o lwres.o pdns_recursor.o recursor_cache.o dnsparser.o \
dnswriter.o dnsrecords.o rcpgenerator.o base64.o zoneparser-tng.o \
rec_channel.o rec_channel_rec.o selectmplexer.o sillyrecords.o \
@@ -56,7 +56,7 @@ else
STATICFLAGS=-lstdc++ $(LUALIBS) -ldl -lm -static
LINKCC=$(CC)
else
- LDFLAGS += $(LUALIBS)
+ LDFLAGS += $(LUALIBS)
endif
endif
@@ -91,7 +91,7 @@ message:
basic_checks:
@-rm -f pdns_hw
- -$(CXX) $(CXXFLAGS) pdns_hw.cc -o pdns_hw
+ -$(CXX) $(CXXFLAGS) pdns_hw.cc -o pdns_hw
@echo
@if test -x ./pdns_hw ; \
then if ./pdns_hw; then echo Everything ok, now run $(MAKE) using same settings \(if any\) you passed ./configure; else echo Could compile binary, but not run it, read README please ; fi; \
@@ -9,7 +9,7 @@ then
else
DEBPKGNAME=pdns-recursor_$1
fi
-
+./configure
dh_make -e powerdns.support@powerdns.com -s -f ../pdns-recursor-$1.tar.bz2 -p $DEBPKGNAME < /dev/null
cp pdns-recursor.init.d debian/init.d
#[ -e debian/control ] || dh_make -e powerdns.support@powerdns.com -s -r cdbs -f ../pdns-recursor-$1.tar.bz2 < /dev/null
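Review bot: The first `./configure` added here runs before `export LUA=1` and `export STATIC=semi` in the next hunk, so unless the caller's environment already sets STATIC it probes with the default and can write a Makefile carrying `-pie` for what is meant to be a semi-static package build. Only the second call after the exports corrects that. Moving the two exports above this line would let a single `./configure` produce the intended flags. Whether the script stops when `./configure` fails is not visible in either hunk; if the top of the file has no `set -e`, `./configure || exit 1` would keep a failed probe from going unnoticed during packaging.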
@@ -18,6 +18,6 @@ perl -i -pe 's/Description: <.*>/Description: extremely powerful and versatile r
perl -i -pe 's/(Build-Depends: .*)/$1, libboost-dev, libboost-serialization-dev, liblua5.1-0-dev/' debian/control
export LUA=1
export STATIC=semi
+./configure
fakeroot debian/rules binary
fakeroot rpmbuild -bb ../pdns-recursor.spec
-
@@ -1,7 +1,77 @@
#!/bin/sh
+set -e
+
+if [ "$CXX" = "" ]; then
+ CXX="g++"
+fi
+
+if [ "$STATIC" = "" ]; then
+ STATIC="no"
+fi
+
+set -u
+
+LD_RELRO=""
+CF_PIE=""
+LD_PIE=""
+CF_FORTIFY=""
+CF_STACK=""
+
+test_flags() {
+ # test for relocation
+
+ if $CXX -Wl,-help 2>/dev/null | grep -q 'z relro'; then
+ export LD_RELRO="-Wl,-z -Wl,relro"
+ if $CXX -Wl,-help 2>/dev/null | grep -q 'z now'; then
+ export LD_RELRO="$LD_RELRO -Wl,-z -Wl,now"
+ fi
+ fi
+
+ src=conftest.cc
+ cat >$src <<EOF
+int
+main ()
+{
+ return 0;
+}
+EOF
+ # test for PIE
+
+ if $CXX $src -c -o a.out -fPIE -fPIC -DPIE; then
+ export CF_PIE="-fPIE -fPIC -DPIE"
+ if [ "$STATIC" != "semi" ] && [ "$STATIC" != "full" ] && $CXX -pie -o a2.out a.out; then
+ export LD_PIE="-pie"
+ fi
+ rm -f a2.out
+ rm -f a.out
+ fi
+
+ # test for fortified source
+ if $CXX $src -c -o a.out -O3 -D_FORTIFY_SOURCE=2; then
+ export CF_FORTIFY="-D_FORTIFY_SOURCE=2"
+ rm -f a.out
+ fi
+
+ # test for stack protector
+ if $CXX $src -c -o a.out -O3 -fstack-protector; then
+ export CF_STACK="-fstack-protector"
+ if $CXX $src -c -o a.out -O3 -fstack-protector --param ssp-buffer-size=4; then
+ export CF_STACK="$CF_STACK --param ssp-buffer-size=4"
+ fi
+ rm -f a.out
+ fi
+
+ rm -f $src
+}
+
+test_flags
+
+sed -e "s/@LD_RELRO@/$LD_RELRO/g" -e "s/@LD_PIE@/$LD_PIE/g" -e "s/@CF_PIE@/$CF_PIE/g" -e "s/@CF_FORTIFY@/$CF_FORTIFY/g" -e "s/@CF_STACK@/$CF_STACK/g" < Makefile.in > Makefile
+
echo Testing dependencies and compiler.
-GMAKE=`which gmake`
+GMAKE=`which gmake || echo ""`
+
if test -z "$GMAKE"
then
make basic_checks
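Review bot: The fortify and stack-protector probes in test_flags compile a header-less `int main()` with `-c`, so they succeed on almost any compiler and never show that the flag links. A toolchain that accepts `-fstack-protector` but lacks the runtime support would only fail later, in the real build. Linking the probe would catch that at configure time. It is also worth probing `-fstack-protector-strong` first where the compiler has it, since plain `-fstack-protector` instruments only functions with character arrays of at least ssp-buffer-size. The script continues past the end of this hunk.

```sh
  # test for stack protector (link the probe so missing runtime support is caught here)
  if $CXX $src -o a.out -O3 -fstack-protector-strong 2>/dev/null; then
    export CF_STACK="-fstack-protector-strong"
  elif $CXX $src -o a.out -O3 -fstack-protector 2>/dev/null; then
    export CF_STACK="-fstack-protector"
    # … unchanged: --param ssp-buffer-size=4 probe …
  fi
  rm -f a.out
```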
@@ -47,7 +47,7 @@ DIRNAME=pdns-recursor-$VERSION
rm -rf $DIRNAME
mkdir $DIRNAME
cp $INCLUDES $CFILES $DIRNAME
-cp Makefile-recursor $DIRNAME/Makefile
+cp Makefile-recursor $DIRNAME/Makefile.in
cp README-recursor $DIRNAME/README
cp ../COPYING ../NOTICE $DIRNAME/
cp config-recursor.h $DIRNAME/config.h
