Permalink
Find file
Fetching contributors…
Cannot retrieve contributors at this time
84 lines (70 sloc) 2.67 KB
AC_PREREQ([2.60])
AC_INIT([autoharden], [1.0])
AM_INIT_AUTOMAKE([-Wall -Werror foreign])
AC_CONFIG_SRCDIR([src/main.cc])
AC_PROG_CC
AC_PROG_CXX
# We want to check for compiler flag support, but there is no way to make
# clang's "argument unused" warning fatal. So we invoke the compiler through a
# wrapper script that greps for this message.
saved_CC="$CC"
saved_CXX="$CXX"
saved_LD="$LD"
flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
CC="$flag_wrap $CC"
CXX="$flag_wrap $CXX"
LD="$flag_wrap $LD"
# We use the same hardening flags for C and C++. We must check that each flag
# is supported by both compilers.
AC_DEFUN([check_cc_cxx_flag],
[AC_LANG_PUSH(C)
AX_CHECK_COMPILE_FLAG([$1],
[AC_LANG_PUSH(C++)
AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])
AC_LANG_POP(C++)],
[$3], [-Werror $4])
AC_LANG_POP(C)])
AC_DEFUN([check_link_flag],
[AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])])
AC_ARG_ENABLE([hardening],
[AS_HELP_STRING([--enable-hardening],
[Enable compiler and linker options to frustrate memory corruption exploits @<:@yes@:>@])],
[hardening="$enableval"],
[hardening="yes"])
HARDEN_CFLAGS=""
HARDEN_LDFLAGS=""
AS_IF([test x"$hardening" != x"no"], [
check_cc_cxx_flag([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"])
# This one will likely succeed, even on platforms where it does nothing.
check_cc_cxx_flag([-D_FORTIFY_SOURCE=2], [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"])
check_cc_cxx_flag([-fstack-protector-all],
[check_link_flag([-fstack-protector-all],
[HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-protector-all"
check_cc_cxx_flag([-Wstack-protector], [HARDEN_CFLAGS="$HARDEN_CFLAGS -Wstack-protector"],
[], [-fstack-protector-all])
check_cc_cxx_flag([--param ssp-buffer-size=1], [HARDEN_CFLAGS="$HARDEN_CFLAGS --param ssp-buffer-size=1"],
[], [-fstack-protector-all])])])
# At the link step, we might want -pie (GCC) or -Wl,-pie (Clang on OS X)
#
# The linker checks also compile code, so we need to include -fPIE as well.
check_cc_cxx_flag([-fPIE],
[check_link_flag([-fPIE -pie],
[HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE"
HARDEN_LDFLAGS="$HARDEN_LDFLAGS -pie"],
[check_link_flag([-fPIE -Wl,-pie],
[HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE"
HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-pie"])])])
check_link_flag([-Wl,-z,relro],
[HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro"
check_link_flag([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])])])
AC_SUBST([HARDEN_CFLAGS])
AC_SUBST([HARDEN_LDFLAGS])
# End of flag tests.
CC="$saved_CC"
CXX="$saved_CXX"
LD="$saved_LD"
AC_CONFIG_FILES([
Makefile
src/Makefile
])
AC_OUTPUT