author | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2007-12-21 23:54:03 +0000 |
---|---|---|
committer | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2007-12-21 23:54:03 +0000 |
commit | a4924f6c45f9a65e7c380e63c8539e86c0795d60 (patch) | |
tree | 1266c67de1c98aaf44ed8a5223be729c4e1c798a /config-scripts/cups-compiler.m4 | |
parent | 0a6827453a0fe4a97ad37a6a1a7ffeb96a10e339 (diff) |
Import CUPS 1.4svn-r7153.
git-svn-id: svn+ssh://src.apple.com/svn/cups/easysw/current@563 a1ca3aef-8c08-0410-bb20-df032aa958be
Diffstat (limited to 'config-scripts/cups-compiler.m4')
-rw-r--r-- | config-scripts/cups-compiler.m4 | 61 |
1 files changed, 40 insertions, 21 deletions
diff --git a/config-scripts/cups-compiler.m4 b/config-scripts/cups-compiler.m4 index 5bfcd6a87..f3e369acb 100644 --- a/config-scripts/cups-compiler.m4 +++ b/config-scripts/cups-compiler.m4 @@ -56,9 +56,6 @@ AC_ARG_WITH(arch64flags, [ --with-arch64flags="flags" ARCH64FLAGS="" AC_SUBST(ARCH64FLAGS) -dnl Position-Independent Executable support on Linux... -AC_ARG_ENABLE(pie, [ --enable-pie use GCC -fPIE option, default=no]) - dnl Read-only data/program support on Linux... AC_ARG_ENABLE(relro, [ --enable-relro use GCC relro option, default=no]) 
@@ -98,36 +95,52 @@ if test -n "$GCC"; then fi fi + # Generate position-independent code as needed... if test $PICFLAG = 1 -a $uname != AIX; then OPTIM="-fPIC $OPTIM" fi - case $uname in - Linux*) - if test x$enable_pie = xyes; then - PIEFLAGS="-pie -fPIE" - fi - - if test x$enable_relro = xyes; then - RELROFLAGS="-Wl,-z,relro" - fi - ;; - - *) - if test x$enable_pie = xyes; then - echo "Sorry, --enable-pie is not supported on this OS!" - fi - ;; - esac + # The -fstack-protector option is available with some versions of + # GCC and adds "stack canaries" which detect when the return address + # has been overwritten, preventing many types of exploit attacks. + AC_MSG_CHECKING(if GCC supports -fstack-protector) + OLDCFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fstack-protector" + AC_TRY_COMPILE(,, + OPTIM="$OPTIM -fstack-protector" + AC_MSG_RESULT(yes), + AC_MSG_RESULT(no)) + CFLAGS="$OLDCFLAGS" + + # The -pie option is available with some versions of GCC and adds + # randomization of addresses, which avoids another class of exploits + # that depend on a fixed address for common functions. + AC_MSG_CHECKING(if GCC supports -pie) + OLDCFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -pie -fPIE" + AC_TRY_COMPILE(,, + PIEFLAGS="-pie -fPIE" + AC_MSG_RESULT(yes), + AC_MSG_RESULT(no)) + CFLAGS="$OLDCFLAGS" if test "x$with_optim" = x; then # Add useful warning options for tracking down problems... OPTIM="-Wall -Wno-format-y2k $OPTIM" - # Additional warning options for alpha testing... + # Additional warning options for development testing... OPTIM="-Wshadow -Wunused $OPTIM" fi case "$uname" in + Darwin*) + # -D_FORTIFY_SOURCE=2 adds additional object size + # checking, basically wrapping all string functions + # with buffer-limited ones. Not strictly needed for + # CUPS since we already use buffer-limited calls, but + # this will catch any additions that are broken. + CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2" + ;; + HP-UX*) if test "x$enable_32bit" = xyes; then # Build 32-bit libraries, 64-bit base... 
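Review bot: The two probes added after the -fPIC block use `AC_TRY_COMPILE`, which only runs the compile step. The `-pie` probe therefore never exercises the linker that implements `-pie`, and the `-fstack-protector` probe cannot notice a toolchain that accepts the flag but lacks the runtime support needed at link time. Switching both to `AC_TRY_LINK(,,` would make a "yes" mean that a hardened executable can actually be produced, rather than the build failing later. This matters more now that `--enable-pie` is removed in the first hunk, because PIEFLAGS is set on any OS where the probe passes and there is no switch to turn it off. The `-D_FORTIFY_SOURCE=2` in the Darwin branch presumably only takes effect in optimised builds, which is worth a comment there; the enclosing `if test -n "$GCC"` block starts and ends outside the hunk.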
@@ -201,6 +214,12 @@ if test -n "$GCC"; then ;; Linux*) + # The -z relro option is provided by the Linux linker command to + # make relocatable data read-only. + if test x$enable_relro = xyes; then + RELROFLAGS="-Wl,-z,relro" + fi + if test "x$enable_32bit" = xyes; then # Build 32-bit libraries, 64-bit base... if test -z "$with_arch32flags"; then |
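Review bot: `RELROFLAGS="-Wl,-z,relro"` in the Linux branch gives only partial RELRO, because the lazily bound part of the GOT stays writable, so the new comment "make relocatable data read-only" overstates what the flag does. Adding immediate binding, `RELROFLAGS="-Wl,-z,relro,-z,now"`, would close that gap at the cost of resolving all symbols at startup. The option also stays opt-in (`--enable-relro`, default=no) while stack protector and PIE are now auto-detected in the previous hunk; if that asymmetry is intended, a comment saying why would help. As a style point, `test x$enable_relro = xyes` is unquoted while the `"x$enable_32bit"` test just below it is quoted. The body of the Linux case continues outside the hunk.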