Makefile.am | 7 ++++--
Makefile.in | 10 ++++++---
aclocal.m4 | 37 +++++++++++++++++++++++++++++++++
configure | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
configure.ac | 30 ++++++++++++++++++++++++++-
5 files changed, 142 insertions(+), 7 deletions(-)
New commits:
commit 284b16779b2840681ad52c7e9c9a4157a020245d
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Nov 12 15:32:51 2015 +1000
Ticket 48350 - configure.ac add options for debbuging and security analysis /
hardening.
https://fedorahosted.org/389/ticket/48350
Bug Description: Improve options for debugging and gcc security options.
Fix Description:
* We add -g3 to --enable-debug
* Add a new option, --enable-gcc-security that enables a number of strict
protections. These options are to match the options in rpm-build so that we
can test like-for-like options.
* Add a new option, --enable-asan. This enables GCC's address sanitization
checker. This is NOT for production, but for development and debugging.
Author: wibrown
Thanks: dblack(a)atlassian.com, for putting me onto GCC's address sanitization,
and for discussing secure development in general.
Review by: mreynolds, nhosoi (Thanks!)
diff --git a/Makefile.am b/Makefile.am
index 12a941b..bca6489 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -11,6 +11,8 @@ QUOTE := $(NULLSTRING)"# a double quote"
BUILDNUM := $(shell perl $(srcdir)/buildnum.pl)
NQBUILDNUM := $(subst \,,$(subst $(QUOTE),,$(BUILDNUM)))
DEBUG_DEFINES = @debug_defs@
+GCCSEC_DEFINES = @gccsec_defs@
+ASAN_DEFINES = @asan_defs@
# the -U undefines these symbols - should use the corresponding DS_ ones instead - see
configure.ac
DS_DEFINES = -DBUILD_NUM=$(BUILDNUM) -DVENDOR="\"$(vendor)\""
-DBRAND="\"$(brand)\""
-DCAPBRAND="\"$(capbrand)\"" \
-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
@@ -38,13 +40,14 @@ PATH_DEFINES =
-DLOCALSTATEDIR="\"$(localstatedir)\""
-DSYSCONFDIR="\"$(sysconfd
-DDATADIR="\"$(datadir)\""
-DDOCDIR="\"$(docdir)\"" \
-DSBINDIR="\"$(sbindir)\""
-DPLUGINDIR="\"$(serverplugindir)\""
-DTEMPLATEDIR="\"$(sampledatadir)\""
-AM_CPPFLAGS = $(DEBUG_DEFINES) $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES)
+AM_CPPFLAGS = $(DEBUG_DEFINES) $(GCCSEC_DEFINES) $(ASAN_DEFINES) $(DS_DEFINES)
$(DS_INCLUDES) $(PATH_DEFINES)
PLUGIN_CPPFLAGS = $(AM_CPPFLAGS) @openldap_inc@ @ldapsdk_inc@ @nss_inc@ @nspr_inc@
# We need to make sure that libpthread is linked before libc on HP-UX.
if HPUX
AM_LDFLAGS = -lpthread
-#else
+else
#AM_LDFLAGS = -Wl,-z,defs
+AM_LDFLAGS = $(ASAN_DEFINES)
endif
#------------------------
diff --git a/Makefile.in b/Makefile.in
index d02c686..c5637ab 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1370,6 +1370,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+asan_defs = @asan_defs@
bindir = @bindir@
brand = @brand@
build = @build@
@@ -1398,6 +1399,7 @@ defaultuser = @defaultuser@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
+gccsec_defs = @gccsec_defs@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -1506,6 +1508,8 @@ QUOTE := $(NULLSTRING)"# a double quote"
BUILDNUM := $(shell perl $(srcdir)/buildnum.pl)
NQBUILDNUM := $(subst \,,$(subst $(QUOTE),,$(BUILDNUM)))
DEBUG_DEFINES = @debug_defs@
+GCCSEC_DEFINES = @gccsec_defs@
+ASAN_DEFINES = @asan_defs@
# the -U undefines these symbols - should use the corresponding DS_ ones instead - see
configure.ac
DS_DEFINES = -DBUILD_NUM=$(BUILDNUM) -DVENDOR="\"$(vendor)\""
-DBRAND="\"$(brand)\""
-DCAPBRAND="\"$(capbrand)\"" \
-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
@@ -1531,12 +1535,12 @@ PATH_DEFINES =
-DLOCALSTATEDIR="\"$(localstatedir)\""
-DSYSCONFDIR="\"$(sysconfd
-DDATADIR="\"$(datadir)\""
-DDOCDIR="\"$(docdir)\"" \
-DSBINDIR="\"$(sbindir)\""
-DPLUGINDIR="\"$(serverplugindir)\""
-DTEMPLATEDIR="\"$(sampledatadir)\""
-AM_CPPFLAGS = $(DEBUG_DEFINES) $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES)
+AM_CPPFLAGS = $(DEBUG_DEFINES) $(GCCSEC_DEFINES) $(ASAN_DEFINES) $(DS_DEFINES)
$(DS_INCLUDES) $(PATH_DEFINES)
PLUGIN_CPPFLAGS = $(AM_CPPFLAGS) @openldap_inc@ @ldapsdk_inc@ @nss_inc@ @nspr_inc@
+#AM_LDFLAGS = -Wl,-z,defs
+@HPUX_FALSE@AM_LDFLAGS = $(ASAN_DEFINES)
# We need to make sure that libpthread is linked before libc on HP-UX.
@HPUX_TRUE@AM_LDFLAGS = -lpthread
-#else
-#AM_LDFLAGS = -Wl,-z,defs
#------------------------
# Linker Flags
diff --git a/aclocal.m4 b/aclocal.m4
index 25206b5..5b32a97 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -329,6 +329,43 @@ AC_PREREQ([2.50])dnl
am_aux_dir=`cd $ac_aux_dir && pwd`
])
+# AM_COND_IF -*- Autoconf -*-
+
+# Copyright (C) 2008-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_COND_IF
+# _AM_COND_ELSE
+# _AM_COND_ENDIF
+# --------------
+# These macros are only used for tracing.
+m4_define([_AM_COND_IF])
+m4_define([_AM_COND_ELSE])
+m4_define([_AM_COND_ENDIF])
+
+# AM_COND_IF(COND, [IF-TRUE], [IF-FALSE])
+# ---------------------------------------
+# If the shell condition COND is true, execute IF-TRUE, otherwise execute
+# IF-FALSE. Allow automake to learn about conditional instantiating macros
+# (the AC_CONFIG_FOOS).
+AC_DEFUN([AM_COND_IF],
+[m4_ifndef([_AM_COND_VALUE_$1],
+ [m4_fatal([$0: no such condition "$1"])])dnl
+_AM_COND_IF([$1])dnl
+if test -z "$$1_TRUE"; then :
+ m4_n([$2])[]dnl
+m4_ifval([$3],
+[_AM_COND_ELSE([$1])dnl
+else
+ $3
+])dnl
+_AM_COND_ENDIF([$1])dnl
+fi[]dnl
+])
+
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2013 Free Software Foundation, Inc.
diff --git a/configure b/configure
index d4219e8..e043593 100755
--- a/configure
+++ b/configure
@@ -763,6 +763,10 @@ enable_pam_passthru_FALSE
enable_pam_passthru_TRUE
BUNDLE_FALSE
BUNDLE_TRUE
+gccsec_defs
+RPM_HARDEND_CC_FALSE
+RPM_HARDEND_CC_TRUE
+asan_defs
debug_defs
LIBOBJS
CXXCPP
@@ -909,6 +913,8 @@ with_gnu_ld
with_sysroot
enable_libtool_lock
enable_debug
+enable_asan
+enable_gcc_security
enable_bundle
enable_pam_passthru
enable_dna
@@ -1619,6 +1625,8 @@ Optional Features:
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--enable-debug Enable debug features (default: no)
+ --enable-asan Enable gcc address sanitizer options (default: no)
+ --enable-gcc-security Enable gcc secure compilation options (default: no)
--enable-bundle Enable bundled dependencies (default: no)
--enable-pam-passthru enable the PAM passthrough auth plugin (default:
yes)
@@ -17677,7 +17685,7 @@ if test "${enable_debug+set}" = set; then :
enableval=$enable_debug;
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
- debug_defs="-DDEBUG -DMCC_DEBUG"
+ debug_defs="-g3 -DDEBUG -DMCC_DEBUG"
else
@@ -17689,6 +17697,57 @@ fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --enable-asan"
>&5
+$as_echo_n "checking for --enable-asan... " >&6; }
+# Check whether --enable-asan was given.
+if test "${enable_asan+set}" = set; then :
+ enableval=$enable_asan;
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ asan_defs="-fsanitize=address -fno-omit-frame-pointer"
+
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ asan_defs=""
+
+fi
+
+
+
+ if test -f /usr/lib/rpm/redhat/redhat-hardened-cc1; then
+ RPM_HARDEND_CC_TRUE=
+ RPM_HARDEND_CC_FALSE='#'
+else
+ RPM_HARDEND_CC_TRUE='#'
+ RPM_HARDEND_CC_FALSE=
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --enable-gcc-security"
>&5
+$as_echo_n "checking for --enable-gcc-security... " >&6; }
+# Check whether --enable-gcc-security was given.
+if test "${enable_gcc_security+set}" = set; then :
+ enableval=$enable_gcc_security;
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ if test -z "$RPM_HARDEND_CC_TRUE"; then :
+ gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 "
+else
+ gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches"
+
+fi
+
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ gccsec_defs=""
+
+fi
+
+
+
# Used for legacy style packaging where we bundle all of the dependencies.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --enable-bundle"
>&5
$as_echo_n "checking for --enable-bundle... " >&6; }
@@ -21560,6 +21619,10 @@ if test -z "${am__fastdepCCAS_TRUE}" && test -z
"${am__fastdepCCAS_FALSE}"; then
as_fn_error $? "conditional \"am__fastdepCCAS\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${RPM_HARDEND_CC_TRUE}" && test -z
"${RPM_HARDEND_CC_FALSE}"; then
+ as_fn_error $? "conditional \"RPM_HARDEND_CC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${BUNDLE_TRUE}" && test -z "${BUNDLE_FALSE}";
then
as_fn_error $? "conditional \"BUNDLE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
diff --git a/configure.ac b/configure.ac
index f683b1c..468384c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,7 +69,7 @@ AC_MSG_CHECKING(for --enable-debug)
AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [Enable debug features (default:
no)]),
[
AC_MSG_RESULT(yes)
- debug_defs="-DDEBUG -DMCC_DEBUG"
+ debug_defs="-g3 -DDEBUG -DMCC_DEBUG"
],
[
AC_MSG_RESULT(no)
@@ -77,6 +77,34 @@ AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [Enable debug
features (de
])
AC_SUBST([debug_defs])
+AC_MSG_CHECKING(for --enable-asan)
+AC_ARG_ENABLE(asan, AS_HELP_STRING([--enable-asan], [Enable gcc address sanitizer options
(default: no)]),
+[
+ AC_MSG_RESULT(yes)
+ asan_defs="-fsanitize=address -fno-omit-frame-pointer"
+],
+[
+ AC_MSG_RESULT(no)
+ asan_defs=""
+])
+AC_SUBST([asan_defs])
+
+AM_CONDITIONAL([RPM_HARDEND_CC], [test -f /usr/lib/rpm/redhat/redhat-hardened-cc1])
+AC_MSG_CHECKING(for --enable-gcc-security)
+AC_ARG_ENABLE(gcc-security, AS_HELP_STRING([--enable-gcc-security], [Enable gcc secure
compilation options (default: no)]),
+[
+ AC_MSG_RESULT(yes)
+ AM_COND_IF([RPM_HARDEND_CC],
+ [ gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 " ],
+ [ gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches" ]
+ )
+],
+[
+ AC_MSG_RESULT(no)
+ gccsec_defs=""
+])
+AC_SUBST([gccsec_defs])
+
# Used for legacy style packaging where we bundle all of the dependencies.
AC_MSG_CHECKING(for --enable-bundle)
AC_ARG_ENABLE(bundle, AS_HELP_STRING([--enable-bundle], [Enable bundled dependencies
(default: no)]),