Add --enable-cfi ./configure flag to enable clangs' Control Flow Inte…

…grity
rockdaboot · Jun 19, 2017 · 6d85166 · 6d85166
1 parent fb2b898
commit 6d85166
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 26 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -3,44 +3,51 @@ dist: trusty
 
 language: c
 
+env:
 compiler:
   - gcc
   - clang-3.8
 
 branches:
-    only:
-        - master
-        - clang-cfi
+  only:
+    - master
+    - clang-cfi
 
 env:
-    - RUNTIME=libicu
-    - RUNTIME=libidn2
-    - RUNTIME=libidn
-    - RUNTIME=no
+  - RUNTIME=libicu
+  - RUNTIME=libidn2
+  - RUNTIME=libidn
+  - RUNTIME=no
 
 addons:
-    apt:
-        packages:
-            - automake
-            - autoconf
-            - autopoint
-            - libtool
-            - gtk-doc-tools
-            - gettext
-            - libidn11-dev
-            - libidn2-0-dev
-            - libicu-dev
-            - libunistring-dev
-            - lcov
-            - clang-3.8
+  apt:
+    packages:
+      - automake
+      - autoconf
+      - autopoint
+      - libtool
+      - gtk-doc-tools
+      - gettext
+      - libidn11-dev
+      - libidn2-0-dev
+      - libicu-dev
+      - libunistring-dev
+      - lcov
+      - clang-3.8
+      - llvm-3.8-dev
+      - llvm-dev
 
 script:
   - ./autogen.sh
-  - ./configure && make -j4 && make check -j4
-  - ./configure --enable-runtime=$RUNTIME --enable-builtin=libicu && make clean && make -j4 && make check -j4
-  - ./configure --enable-runtime=$RUNTIME --enable-builtin=libidn2 && make clean && make -j4 && make check -j4
-  - ./configure --enable-runtime=$RUNTIME --enable-builtin=libidn && make clean && make -j4 && make check -j4
-  - ./configure --enable-runtime=$RUNTIME --disable-builtin && make clean && make -j4 && make check -j4
+#  CFI doesn't work out on Ubuntu 14.04 (Trusty). They dont't include LLVMgold.so for clang-3.8.
+#  clang-3.4 doesn't know CFI yet.
+#  The only chance with Travis-CI is to switch to docker and use Ubuntu 16.04 or whatever.
+#  - if [[ $CC == "gcc" ]]; then CFI=""; else CFI="--enable-cfi"; fi
+  - ./configure $CFI && make -j4 && make check -j4 || (cat config.log; ls -la /usr/lib/*gold*)
+  - ./configure $CFI --enable-runtime=$RUNTIME --enable-builtin=libicu && make clean && make -j4 && make check -j4
+  - ./configure $CFI --enable-runtime=$RUNTIME --enable-builtin=libidn2 && make clean && make -j4 && make check -j4
+  - ./configure $CFI --enable-runtime=$RUNTIME --enable-builtin=libidn && make clean && make -j4 && make check -j4
+  - ./configure $CFI --enable-runtime=$RUNTIME --disable-builtin && make clean && make -j4 && make check -j4
   - ./configure --enable-gtk-doc && make -j4 && make check -j4
   - make distcheck
   - if [[ $CC == "gcc" && $RUNTIME == "libicu" ]]; then ./.travis_coveralls.sh; fi
diff --git a/configure.ac b/configure.ac
@@ -77,6 +77,23 @@ AM_PATH_PYTHON([2.7])
 
 PKG_PROG_PKG_CONFIG
 
+AC_ARG_ENABLE([cfi],
+  [AS_HELP_STRING([--enable-cfi], [Turn on clang's Control Flow Integrity (CFI) (for developers)])],
+  [
+    clang_cfi=$enableval;
+    if test "$enableval" = yes; then
+      CFLAGS=$CFLAGS" -B/usr/bin/gold -fsanitize=cfi -flto -fvisibility=default -fno-sanitize-trap=all"
+      AC_LINK_IFELSE([
+        AC_LANG_PROGRAM([], [])
+      ], [], [
+        AC_MSG_ERROR([clang 3.7+ and the 'gold' linker are required for --enable-cfi])
+      ])
+    else
+      clang_cfi=no
+    fi
+  ],
+  [clang_cfi=no])
+
 # Define these substitions here to keep all version information in one place.
 # For information on how to properly maintain the library version information,
 # refer to the libtool manual, section "Updating library version information":
@@ -287,6 +304,7 @@ AC_MSG_NOTICE([Summary of build options:
   CFlags:            ${CFLAGS} ${CPPFLAGS}
   LDFlags:           ${LDFLAGS}
   Libs:              ${LIBS}
+  CFI:               ${clang_cfi}
   Runtime:           ${enable_runtime}
   Builtin:           ${enable_builtin}
   PSL Dist File:     ${PSL_DISTFILE}