Add patch to enable PIE and RELRO
Signed-off-by: Jeff Layton <jlayton@redhat.com>
parent
bfd8da6470
commit
e0acf4cdfc
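--- /dev/null
+++ b/0001-autoconf-add-enable-pie-and-enable-relro.patch
@@ -0,0 +1,83 @@
+From 60a8e227c1351dbe96e54d066daafcfa1158e432 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@samba.org>
+Date: Mon, 9 Jul 2012 10:12:33 -0400
+Subject: [PATCH] autoconf: add --enable-pie and --enable-relro
+
+-pie and -fpie enable the building of position-independent executables,
+and -Wl,-z,relro turns on read-only relocation support in gcc. These
+options are important for security purposes to guard against possible
+buffer overflows that lead to exploits.
+
+Follow the example of samba here and enable these by default, but add
+configure options that allow people to turn them off at build-time if
+necessary.
+
+We may also want to eventually add checks to ensure that the compiler
+and linker understand these options, but I'll wait until we have some
+evidence that it's needed before I expend the effort.
+
+Reported-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+---
+Makefile.am | 2 +-
+configure.ac | 27 +++++++++++++++++++++++++++
+2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index b412262..0d0b599 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
++AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2 $(PIE_CFLAGS) $(RELRO_CFLAGS)
+ACLOCAL_AMFLAGS = -I aclocal
+
+root_sbindir = $(ROOTSBINDIR)
+diff --git a/configure.ac b/configure.ac
+index 0dd1155..a8d0bbc 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -10,6 +10,18 @@ AC_CONFIG_MACRO_DIR(aclocal)
+AM_INIT_AUTOMAKE
+
+# "enable" options
++AC_ARG_ENABLE(pie,
++ [AC_HELP_STRING([--enable-pie],
++ [Produce position independent executables @<:@default=yes@:>@])],
++ enable_pie=$enableval,
++ enable_pie="maybe")
++
++AC_ARG_ENABLE(relro,
++ [AC_HELP_STRING([--enable-relro],
++ [Enable relocations read-only support @<:@default=yes@:>@])],
++ enable_relro=$enableval,
++ enable_relro="maybe")
++
+AC_ARG_ENABLE(cifsupcall,
+[AC_HELP_STRING([--enable-cifsupcall],
+[Create cifs.upcall binary @<:@default=yes@:>@])],
+@@ -82,6 +94,21 @@ AC_CHECK_HEADERS([arpa/inet.h ctype.h fcntl.h inttypes.h limits.h mntent.h netdb
+AC_CHECK_HEADERS([sys/fsuid.h])
+AC_CHECK_FUNC(setfsuid, , [AC_MSG_ERROR([System does not support setfsuid()])])
+
++# FIXME: add test(s) to autodisable these flags when compiler/linker don't support it
++if test $enable_pie != "no"; then
++ PIE_CFLAGS="-fpie -pie"
++else
++ PIE_CFLAGS=""
++fi
++AC_SUBST([PIE_CFLAGS])
++
++if test $enable_relro != "no"; then
++ RELRO_CFLAGS="-Wl,-z,relro"
++else
++ RELRO_CFLAGS=""
++fi
++AC_SUBST([RELRO_CFLAGS])
++
+if test $enable_cifsupcall != "no"; then
+AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
+if test x$ac_cv_header_krb5_krb5_h != xyes ; then
+--
+1.7.7.6
+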
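Review bot: `RELRO_CFLAGS="-Wl,-z,relro"` in the configure.ac hunk gives only partial RELRO: lazy binding stays in effect, so the PLT part of the GOT remains writable and a memory-corruption bug can still overwrite those entries. Adding immediate binding, `RELRO_CFLAGS="-Wl,-z,relro -Wl,-z,now"`, makes the whole GOT read-only after startup. Separately, `-pie` and `-Wl,-z,relro` are link-time options carried in `AM_CFLAGS`, so they take effect only if the link step also receives the C flags; putting them in `AM_LDFLAGS` and keeping `-fpie` for compilation would be more robust. Confirm the result on the built binaries with a hardening check such as `readelf -d` or `checksec`.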
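--- /dev/null
+++ b/0001-automake-revert-Werror-by-default.patch
@@ -0,0 +1,31 @@
+From 74edf24d9780900f3ce15d2403c6e331b031d454 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@samba.org>
+Date: Thu, 14 Jun 2012 10:59:18 -0400
+Subject: [PATCH] automake: revert -Werror by default
+
+I think in hindsight, that adding -Werror by default was a mistake.
+cifs-utils is built in a wide range of environments and tools, and it's
+very difficult to eliminate all of the possible warnings.
+
+Let's go ahead and remove it and reduce the steady trickle of patches
+that are simply to silence obscure warnings.
+
+Cc: Suresh Jayaraman <sjayaraman@suse.com>
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+---
+Makefile.am | 2 +-
+1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 05729ca..b412262 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -Werror -D_FORTIFY_SOURCE=2
++AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
+ACLOCAL_AMFLAGS = -I aclocal
+
+root_sbindir = $(ROOTSBINDIR)
+--
+1.7.7.6
+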
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
Name: cifs-utils
|
Name: cifs-utils
|
||||||
Version: 5.5
|
Version: 5.5
|
||||||
Release: 1%{pre_release}%{?dist}
|
Release: 2%{pre_release}%{?dist}
|
||||||
Summary: Utilities for mounting and managing CIFS mounts
|
Summary: Utilities for mounting and managing CIFS mounts
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -12,6 +12,8 @@ URL: http://linux-cifs.samba.org/cifs-utils/
|
|||||||
BuildRoot: %{_tmppath}/%{name}-%{version}%{pre_release}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}%{pre_release}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2
|
Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2
|
||||||
|
Patch1: 0001-automake-revert-Werror-by-default.patch
|
||||||
|
Patch2: 0001-autoconf-add-enable-pie-and-enable-relro.patch
|
||||||
|
|
||||||
BuildRequires: libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake libwbclient-devel
|
BuildRequires: libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake libwbclient-devel
|
||||||
Requires: keyutils
|
Requires: keyutils
|
||||||
@ -26,6 +28,8 @@ file system.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}%{pre_release}
|
%setup -q -n %{name}-%{version}%{pre_release}
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --prefix=/usr
|
%configure --prefix=/usr
|
||||||
@ -60,6 +64,10 @@ rm -rf %{buildroot}
|
|||||||
%config(noreplace) %{_sysconfdir}/request-key.d/cifs.spnego.conf
|
%config(noreplace) %{_sysconfdir}/request-key.d/cifs.spnego.conf
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 09 2012 Jeff Layton <jlayton@redhat.com> 5.5-2
|
||||||
|
- remove -Werror flag
|
||||||
|
- enable PIE and RELRO
|
||||||
|
|
||||||
* Wed May 30 2012 Jeff Layton <jlayton@redhat.com> 5.5-1
|
* Wed May 30 2012 Jeff Layton <jlayton@redhat.com> 5.5-1
|
||||||
- update to 5.5
|
- update to 5.5
|
||||||
|
|
||||||
|
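Review bot: Nothing visible in `%prep` or `%build` regenerates the autotools output after `%patch1` and `%patch2`, and both patches edit only `configure.ac` and `Makefile.am`. `%build` goes straight to `%configure --prefix=/usr`, so unless the package's build rules re-run autoconf/automake on their own (not visible here), the shipped `configure` will not define `PIE_CFLAGS`/`RELRO_CFLAGS` and the hardening flags may silently be missing from the binaries. Consider adding `autoreconf -i` after `%patch2` in `%prep`, and check the built executables for PIE and RELRO before release. The rest of `%build` lies outside the hunk, so this should be confirmed against the full spec.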