diff --git a/MANIFEST b/MANIFEST index d2ef4d17c..e85b5d297 100644 --- a/MANIFEST +++ b/MANIFEST @@ -425,6 +425,7 @@ m4/ax_check_link_flag.m4 m4/ax_func_getaddrinfo.m4 m4/ax_func_snprintf.m4 m4/ax_prog_cc_for_build.m4 +m4/hardening.m4 m4/libtool.m4 m4/ltoptions.m4 m4/ltsugar.m4 diff --git a/aclocal.m4 b/aclocal.m4 index ffabc7f24..239cafa26 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -18,6 +18,7 @@ m4_include([m4/ax_check_link_flag.m4]) m4_include([m4/ax_func_getaddrinfo.m4]) m4_include([m4/ax_func_snprintf.m4]) m4_include([m4/ax_prog_cc_for_build.m4]) +m4_include([m4/hardening.m4]) m4_include([m4/libtool.m4]) m4_include([m4/ltoptions.m4]) m4_include([m4/ltsugar.m4]) diff --git a/configure b/configure index 592749d21..57f0aaaf3 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72a for sudo 1.9.12p1. +# Generated by GNU Autoconf 2.72a.69-9c123-dirty for sudo 1.9.12p1. # # Report bugs to . # @@ -1992,7 +1992,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF sudo configure 1.9.12p1 -generated by GNU Autoconf 2.72a +generated by GNU Autoconf 2.72a.69-9c123-dirty Copyright (C) 2022 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation @@ -2670,7 +2670,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by sudo $as_me 1.9.12p1, which was -generated by GNU Autoconf 2.72a. Invocation command line was +generated by GNU Autoconf 2.72a.69-9c123-dirty. Invocation command line was $ $0$ac_configure_args_raw 
@@ -31432,104 +31432,6 @@ EOF fi -if test "$enable_hardening" != "no"; then - O_CPPFLAGS="$CPPFLAGS" - -if test ${CPPFLAGS+y} -then : - - case " $CPPFLAGS " in #( - *" -D_FORTIFY_SOURCE=2 "*) : - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -D_FORTIFY_SOURCE=2"; } >&5 - (: CPPFLAGS already contains -D_FORTIFY_SOURCE=2) 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } ;; #( - *) : - - as_fn_append CPPFLAGS " -D_FORTIFY_SOURCE=2" - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 - (: CPPFLAGS="$CPPFLAGS") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } - ;; -esac - -else case e in #( - e) - CPPFLAGS=-D_FORTIFY_SOURCE=2 - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 - (: CPPFLAGS="$CPPFLAGS") 2>&5 - ac_status=$? - printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } - ;; -esac -fi - - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether _FORTIFY_SOURCE may be specified" >&5 -printf %s "checking whether _FORTIFY_SOURCE may be specified... " >&6; } -if test ${sudo_cv_use_fortify_source+y} -then : - printf %s "(cached) " >&6 -else case e in #( - e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - -int -main (void) -{ -char buf[4]; (void)sprintf(buf, "%s", "foo"); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - sudo_cv_use_fortify_source=yes -else case e in #( - e) sudo_cv_use_fortify_source=no - ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -int -main (void) -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - sudo_cv_use_fortify_source=yes -else case e in #( - e) sudo_cv_use_fortify_source=no - ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - - ;; -esac -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_use_fortify_source" >&5 -printf "%s\n" "$sudo_cv_use_fortify_source" >&6; } - if test "$sudo_cv_use_fortify_source" != yes; then - CPPFLAGS="$O_CPPFLAGS" - fi -fi - ac_c_werror_flag=yes 
@@ -33042,67 +32944,128 @@ fi esac fi -if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5 + + if test "$enable_hardening" != "no"; then + # + # Attempt to use _FORTIFY_SOURCE with sprintf. If the headers support + # it but libc does not, __sprintf_chk should be an undefined symbol. + # + O_CPPFLAGS="$CPPFLAGS" + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" -D_FORTIFY_SOURCE=2 "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -D_FORTIFY_SOURCE=2"; } >&5 + (: CPPFLAGS already contains -D_FORTIFY_SOURCE=2) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " -D_FORTIFY_SOURCE=2" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else case e in #( + e) + CPPFLAGS=-D_FORTIFY_SOURCE=2 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac +fi + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether _FORTIFY_SOURCE may be specified" >&5 +printf %s "checking whether _FORTIFY_SOURCE may be specified... " >&6; } +if test ${sudo_cv_use_fortify_source+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + + +int +main (void) +{ +char buf[4]; (void)sprintf(buf, "%s", "foo"); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + sudo_cv_use_fortify_source=yes +else case e in #( + e) sudo_cv_use_fortify_source=no + ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + sudo_cv_use_fortify_source=yes +else case e in #( + e) sudo_cv_use_fortify_source=no + ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + + ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_use_fortify_source" >&5 +printf "%s\n" "$sudo_cv_use_fortify_source" >&6; } + if test "$sudo_cv_use_fortify_source" != yes; then + CPPFLAGS="$O_CPPFLAGS" + fi + + if test "$enable_ssp" != "no"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5 printf %s "checking for compiler stack protector support... " >&6; } if test ${sudo_cv_var_stack_protector+y} then : printf %s "(cached) " >&6 else case e in #( e) - # Avoid CFLAGS since the compiler might optimize away our test. - # We don't want CPPFLAGS or LIBS to interfere with the test but - # keep LDFLAGS as it may have an rpath needed to find the ssp lib. - _CPPFLAGS="$CPPFLAGS" - _CFLAGS="$CFLAGS" - _LDFLAGS="$LDFLAGS" - _LIBS="$LIBS" - CPPFLAGS= - LIBS= + # Avoid CFLAGS since the compiler might optimize away our + # test. We don't want CPPFLAGS or LIBS to interfere with + # the test but keep LDFLAGS as it may have an rpath needed + # to find the ssp lib. 
+ _CPPFLAGS="$CPPFLAGS" + _CFLAGS="$CFLAGS" + _LDFLAGS="$LDFLAGS" + _LIBS="$LIBS" + CPPFLAGS= + LIBS= - sudo_cv_var_stack_protector="-fstack-protector-strong" - CFLAGS="$sudo_cv_var_stack_protector" - LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - $ac_includes_default -int -main (void) -{ -char buf[1024]; buf[1023] = '\0'; - ; - return 0; -} - -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - -else case e in #( - e) - sudo_cv_var_stack_protector="-fstack-protector-all" - CFLAGS="$sudo_cv_var_stack_protector" - LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - $ac_includes_default -int -main (void) -{ -char buf[1024]; buf[1023] = '\0'; - ; - return 0; -} - -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - -else case e in #( - e) - sudo_cv_var_stack_protector="-fstack-protector" + sudo_cv_var_stack_protector="-fstack-protector-strong" CFLAGS="$sudo_cv_var_stack_protector" LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector" cat confdefs.h - <<_ACEOF >conftest.$ac_ext 
@@ -33123,55 +33086,97 @@ then : else case e in #( e) - sudo_cv_var_stack_protector=no + sudo_cv_var_stack_protector="-fstack-protector-all" + CFLAGS="$sudo_cv_var_stack_protector" + LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + $ac_includes_default +int +main (void) +{ +char buf[1024]; buf[1023] = '\0'; + ; + return 0; +} + +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + +else case e in #( + e) + sudo_cv_var_stack_protector="-fstack-protector" + CFLAGS="$sudo_cv_var_stack_protector" + LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + $ac_includes_default +int +main (void) +{ +char buf[1024]; buf[1023] = '\0'; + ; + return 0; +} + +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + +else case e in #( + e) + sudo_cv_var_stack_protector=no + ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext + ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext - ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - ;; -esac -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext - CPPFLAGS="$_CPPFLAGS" - CFLAGS="$_CFLAGS" - LDFLAGS="$_LDFLAGS" - LIBS="$_LIBS" + CPPFLAGS="$_CPPFLAGS" + CFLAGS="$_CFLAGS" + LDFLAGS="$_LDFLAGS" + LIBS="$_LIBS" - ;; + ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_stack_protector" >&5 printf "%s\n" "$sudo_cv_var_stack_protector" >&6; } - if test X"$sudo_cv_var_stack_protector" != X"no"; then - HARDENING_CFLAGS="$sudo_cv_var_stack_protector" - HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector" - fi -fi -if test "$enable_hardening" != "no"; then - # 
The gcc front-end may accept -fstack-clash-protection even if the - # machine-specific code does not support it. We use a test program - # with a large stack allocation to try to cause the compiler to - # insert the stack clash protection code, or fail if not supported. - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5 + if test X"$sudo_cv_var_stack_protector" != X"no"; then + HARDENING_CFLAGS="$sudo_cv_var_stack_protector" + HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector" + fi + fi + + # The gcc front-end may accept -fstack-clash-protection even if the + # machine-specific code does not support it. We use a test program + # with a large stack allocation to try to cause the compiler to + # insert the stack clash protection code, or fail if not supported. + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5 printf %s "checking whether C compiler supports -fstack-clash-protection... " >&6; } if test ${sudo_cv_check_cflags___fstack_clash_protection+y} then : printf %s "(cached) " >&6 else case e in #( e) - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fstack-clash-protection" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fstack-clash-protection" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; } + int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; } _ACEOF if ac_fn_c_try_compile "$LINENO" 
@@ -33182,14 +33187,14 @@ else case e in #( esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - CFLAGS="$_CFLAGS" + CFLAGS="$_CFLAGS" - ;; + ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_check_cflags___fstack_clash_protection" >&5 printf "%s\n" "$sudo_cv_check_cflags___fstack_clash_protection" >&6; } - if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then + if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then if test ${HARDENING_CFLAGS+y} then : @@ -33258,9 +33263,10 @@ else case e in #( esac fi - fi + fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5 + # Check for control-flow transfer instrumentation (Intel CET). + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5 printf %s "checking whether C compiler accepts -fcf-protection... " >&6; } if test ${ax_cv_check_cflags___fcf_protection+y} then : @@ -33296,7 +33302,7 @@ printf "%s\n" "$ax_cv_check_cflags___fcf_protection" >&6; } if test "x$ax_cv_check_cflags___fcf_protection" = xyes then : - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5 printf %s "checking whether the linker accepts -fcf-protection... " >&6; } if test ${ax_cv_check_ldflags___fcf_protection+y} then : @@ -33413,7 +33419,9 @@ else case e in #( esac fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 + + # Linker-specific hardening flags. + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 printf %s "checking whether the linker accepts -Wl,-z,relro... " >&6; } if test ${ax_cv_check_ldflags___Wl__z_relro+y} then : 
@@ -33450,21 +33458,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_relro" >&6; } if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes then : -if test ${LDFLAGS+y} +if test ${HARDENING_LDFLAGS+y} then : - case " $LDFLAGS " in #( + case " $HARDENING_LDFLAGS " in #( *" -Wl,-z,relro "*) : - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,relro"; } >&5 - (: LDFLAGS already contains -Wl,-z,relro) 2>&5 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,relro"; } >&5 + (: HARDENING_LDFLAGS already contains -Wl,-z,relro) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } ;; #( *) : - as_fn_append LDFLAGS " -Wl,-z,relro" - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + as_fn_append HARDENING_LDFLAGS " -Wl,-z,relro" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5 + (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } @@ -33473,9 +33481,9 @@ esac else case e in #( e) - LDFLAGS=-Wl,-z,relro - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + HARDENING_LDFLAGS=-Wl,-z,relro + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5 + (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } 
@@ -33488,7 +33496,7 @@ else case e in #( esac fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,now" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,now" >&5 printf %s "checking whether the linker accepts -Wl,-z,now... " >&6; } if test ${ax_cv_check_ldflags___Wl__z_now+y} then : @@ -33525,21 +33533,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_now" >&6; } if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes then : -if test ${LDFLAGS+y} +if test ${HARDENING_LDFLAGS+y} then : - case " $LDFLAGS " in #( + case " $HARDENING_LDFLAGS " in #( *" -Wl,-z,now "*) : - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,now"; } >&5 - (: LDFLAGS already contains -Wl,-z,now) 2>&5 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,now"; } >&5 + (: HARDENING_LDFLAGS already contains -Wl,-z,now) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } ;; #( *) : - as_fn_append LDFLAGS " -Wl,-z,now" - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + as_fn_append HARDENING_LDFLAGS " -Wl,-z,now" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5 + (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } @@ -33548,9 +33556,9 @@ esac else case e in #( e) - LDFLAGS=-Wl,-z,now - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + HARDENING_LDFLAGS=-Wl,-z,now + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5 + (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } 
@@ -33563,7 +33571,7 @@ else case e in #( esac fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,noexecstack" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,noexecstack" >&5 printf %s "checking whether the linker accepts -Wl,-z,noexecstack... " >&6; } if test ${ax_cv_check_ldflags___Wl__z_noexecstack+y} then : @@ -33600,21 +33608,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_noexecstack" >&6; } if test x"$ax_cv_check_ldflags___Wl__z_noexecstack" = xyes then : -if test ${LDFLAGS+y} +if test ${HARDENING_LDFLAGS+y} then : - case " $LDFLAGS " in #( + case " $HARDENING_LDFLAGS " in #( *" -Wl,-z,noexecstack "*) : - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,noexecstack"; } >&5 - (: LDFLAGS already contains -Wl,-z,noexecstack) 2>&5 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,noexecstack"; } >&5 + (: HARDENING_LDFLAGS already contains -Wl,-z,noexecstack) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } ;; #( *) : - as_fn_append LDFLAGS " -Wl,-z,noexecstack" - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + as_fn_append HARDENING_LDFLAGS " -Wl,-z,noexecstack" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5 + (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } 
@@ -33623,9 +33631,9 @@ esac else case e in #( e) - LDFLAGS=-Wl,-z,noexecstack - { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5 - (: LDFLAGS="$LDFLAGS") 2>&5 + HARDENING_LDFLAGS=-Wl,-z,noexecstack + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5 + (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } @@ -33638,7 +33646,7 @@ else case e in #( esac fi -fi + fi case "$with_passwd" in yes|maybe) @@ -34960,7 +34968,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # values after options handling. ac_log=" This file was extended by sudo $as_me 1.9.12p1, which was -generated by GNU Autoconf 2.72a. Invocation command line was +generated by GNU Autoconf 2.72a.69-9c123-dirty. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS @@ -35028,7 +35036,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ sudo config.status 1.9.12p1 -configured by $0, generated by GNU Autoconf 2.72a, +configured by $0, generated by GNU Autoconf 2.72a.69-9c123-dirty, with options \\"\$ac_cs_config\\" Copyright (C) 2022 Free Software Foundation, Inc. diff --git a/configure.ac b/configure.ac index d2b39c428..ed395de16 100644 --- a/configure.ac +++ b/configure.ac 
@@ -4533,35 +4533,6 @@ SUDO_VARDIR
 SUDO_IO_LOGDIR
 SUDO_TZDIR
 
-dnl
-dnl Attempt to use _FORTIFY_SOURCE with sprintf. If the headers support
-dnl it but libc does not, __sprintf_chk should be an undefined symbol.
-dnl
-if test "$enable_hardening" != "no"; then
-    O_CPPFLAGS="$CPPFLAGS"
-    AX_APPEND_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS])
-    AC_CACHE_CHECK([whether _FORTIFY_SOURCE may be specified],
-        [sudo_cv_use_fortify_source],
-        [AC_LINK_IFELSE([
-            AC_LANG_PROGRAM(
-                [[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
-            )],
-            [sudo_cv_use_fortify_source=yes],
-            [sudo_cv_use_fortify_source=no]
-        )
-        ]
-        [AC_LINK_IFELSE(
-            [AC_LANG_PROGRAM([[]], [[]])],
-            [sudo_cv_use_fortify_source=yes],
-            [sudo_cv_use_fortify_source=no]
-        )
-        ]
-    )
-    if test "$sudo_cv_use_fortify_source" != yes; then
-        CPPFLAGS="$O_CPPFLAGS"
-    fi
-fi
-
 dnl
 dnl Turn warnings into errors.
 dnl All compiler/loader tests after this point will fail if
@@ -4844,91 +4815,7 @@ if test "$enable_pie" != "yes"; then
     esac
 fi
 
-dnl
-dnl Check for -fstack-protector and -z relro support
-dnl This test relies on AC_LANG_WERROR
-dnl
-if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
-    AC_CACHE_CHECK([for compiler stack protector support],
-        [sudo_cv_var_stack_protector],
-        [
-            # Avoid CFLAGS since the compiler might optimize away our test.
-            # We don't want CPPFLAGS or LIBS to interfere with the test but
-            # keep LDFLAGS as it may have an rpath needed to find the ssp lib.
-            _CPPFLAGS="$CPPFLAGS"
-            _CFLAGS="$CFLAGS"
-            _LDFLAGS="$LDFLAGS"
-            _LIBS="$LIBS"
-            CPPFLAGS=
-            LIBS=
-
-            sudo_cv_var_stack_protector="-fstack-protector-strong"
-            CFLAGS="$sudo_cv_var_stack_protector"
-            LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
-            AC_LINK_IFELSE([
-                AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
-                    [[char buf[1024]; buf[1023] = '\0';]])
-            ], [], [
-                sudo_cv_var_stack_protector="-fstack-protector-all"
-                CFLAGS="$sudo_cv_var_stack_protector"
-                LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
-                AC_LINK_IFELSE([
-                    AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
-                        [[char buf[1024]; buf[1023] = '\0';]])
-                ], [], [
-                    sudo_cv_var_stack_protector="-fstack-protector"
-                    CFLAGS="$sudo_cv_var_stack_protector"
-                    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
-                    AC_LINK_IFELSE([
-                        AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
-                            [[char buf[1024]; buf[1023] = '\0';]])
-                    ], [], [
-                        sudo_cv_var_stack_protector=no
-                    ])
-                ])
-            ])
-            CPPFLAGS="$_CPPFLAGS"
-            CFLAGS="$_CFLAGS"
-            LDFLAGS="$_LDFLAGS"
-            LIBS="$_LIBS"
-        ]
-    )
-    if test X"$sudo_cv_var_stack_protector" != X"no"; then
-        HARDENING_CFLAGS="$sudo_cv_var_stack_protector"
-        HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
-    fi
-fi
-if test "$enable_hardening" != "no"; then
-    # The gcc front-end may accept -fstack-clash-protection even if the
-    # machine-specific code does not support it. We use a test program
-    # with a large stack allocation to try to cause the compiler to
-    # insert the stack clash protection code, or fail if not supported.
-    AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
-        [sudo_cv_check_cflags___fstack_clash_protection],
-        [
-            _CFLAGS="$CFLAGS"
-            CFLAGS="$CFLAGS -fstack-clash-protection"
-            AC_COMPILE_IFELSE([
-                AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
-            ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
-            CFLAGS="$_CFLAGS"
-        ]
-    )
-    if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
-        AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
-        AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
-    fi
-
-    AX_CHECK_COMPILE_FLAG([-fcf-protection], [
-        AX_CHECK_LINK_FLAG([-fcf-protection], [
-            AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
-            AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
-        ])
-    ])
-    AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])])
-    AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [LDFLAGS])])
-    AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [LDFLAGS])])
-fi
+SUDO_CHECK_HARDENING
 
 dnl
 dnl Use passwd auth module?
diff --git a/m4/hardening.m4 b/m4/hardening.m4
new file mode 100644
index 000000000..d4ce5ab57
--- /dev/null
+++ b/m4/hardening.m4
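Review bot: `SUDO_CHECK_HARDENING` is invoked at the former stack-protector position, which sits after the `Turn warnings into errors` block, so the _FORTIFY_SOURCE link probe that previously ran before AC_LANG_WERROR (the block removed in the hunk above) now runs with any compiler warning treated as failure. On glibc, defining _FORTIFY_SOURCE without optimization produces a `#warning` from features.h, so a build with -O0 in CFLAGS would now fail the probe and silently drop -D_FORTIFY_SOURCE=2 where it used to be kept; I infer this from the hunk positions, so please confirm against the full configure.ac. Either invoke the macro before AC_LANG_WERROR, or have the macro run the fortify probe with `ac_c_werror_flag` temporarily cleared, so that the `dnl The following tests rely on AC_LANG_WERROR` split inside the macro matches what actually happens.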
@@ -0,0 +1,117 @@
+AC_DEFUN([SUDO_CHECK_HARDENING], [
+    if test "$enable_hardening" != "no"; then
+        #
+        # Attempt to use _FORTIFY_SOURCE with sprintf. If the headers support
+        # it but libc does not, __sprintf_chk should be an undefined symbol.
+        #
+        O_CPPFLAGS="$CPPFLAGS"
+        AX_APPEND_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS])
+        AC_CACHE_CHECK([whether _FORTIFY_SOURCE may be specified],
+            [sudo_cv_use_fortify_source],
+            [AC_LINK_IFELSE([
+                AC_LANG_PROGRAM(
+                    [[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
+                )],
+                [sudo_cv_use_fortify_source=yes],
+                [sudo_cv_use_fortify_source=no]
+            )
+            ]
+            [AC_LINK_IFELSE(
+                [AC_LANG_PROGRAM([[]], [[]])],
+                [sudo_cv_use_fortify_source=yes],
+                [sudo_cv_use_fortify_source=no]
+            )
+            ]
+        )
+        if test "$sudo_cv_use_fortify_source" != yes; then
+            CPPFLAGS="$O_CPPFLAGS"
+        fi
+
+        dnl
+        dnl The following tests rely on AC_LANG_WERROR.
+        dnl
+        if test "$enable_ssp" != "no"; then
+            AC_CACHE_CHECK([for compiler stack protector support],
+                [sudo_cv_var_stack_protector],
+                [
+                    # Avoid CFLAGS since the compiler might optimize away our
+                    # test. We don't want CPPFLAGS or LIBS to interfere with
+                    # the test but keep LDFLAGS as it may have an rpath needed
+                    # to find the ssp lib.
+                    _CPPFLAGS="$CPPFLAGS"
+                    _CFLAGS="$CFLAGS"
+                    _LDFLAGS="$LDFLAGS"
+                    _LIBS="$LIBS"
+                    CPPFLAGS=
+                    LIBS=
+
+                    sudo_cv_var_stack_protector="-fstack-protector-strong"
+                    CFLAGS="$sudo_cv_var_stack_protector"
+                    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+                    AC_LINK_IFELSE([
+                        AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+                            [[char buf[1024]; buf[1023] = '\0';]])
+                    ], [], [
+                        sudo_cv_var_stack_protector="-fstack-protector-all"
+                        CFLAGS="$sudo_cv_var_stack_protector"
+                        LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+                        AC_LINK_IFELSE([
+                            AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+                                [[char buf[1024]; buf[1023] = '\0';]])
+                        ], [], [
+                            sudo_cv_var_stack_protector="-fstack-protector"
+                            CFLAGS="$sudo_cv_var_stack_protector"
+                            LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+                            AC_LINK_IFELSE([
+                                AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+                                    [[char buf[1024]; buf[1023] = '\0';]])
+                            ], [], [
+                                sudo_cv_var_stack_protector=no
+                            ])
+                        ])
+                    ])
+                    CPPFLAGS="$_CPPFLAGS"
+                    CFLAGS="$_CFLAGS"
+                    LDFLAGS="$_LDFLAGS"
+                    LIBS="$_LIBS"
+                ]
+            )
+            if test X"$sudo_cv_var_stack_protector" != X"no"; then
+                HARDENING_CFLAGS="$sudo_cv_var_stack_protector"
+                HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
+            fi
+        fi
+
+        # The gcc front-end may accept -fstack-clash-protection even if the
+        # machine-specific code does not support it. We use a test program
+        # with a large stack allocation to try to cause the compiler to
+        # insert the stack clash protection code, or fail if not supported.
+        AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+            [sudo_cv_check_cflags___fstack_clash_protection],
+            [
+                _CFLAGS="$CFLAGS"
+                CFLAGS="$CFLAGS -fstack-clash-protection"
+                AC_COMPILE_IFELSE([
+                    AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
+                ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+                CFLAGS="$_CFLAGS"
+            ]
+        )
+        if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+            AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
+            AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
+        fi
+
+        # Check for control-flow transfer instrumentation (Intel CET).
+        AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+            AX_CHECK_LINK_FLAG([-fcf-protection], [
+                AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+                AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+            ])
+        ])
+
+        # Linker-specific hardening flags.
+        AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [HARDENING_LDFLAGS])])
+        AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [HARDENING_LDFLAGS])])
+        AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [HARDENING_LDFLAGS])])
+    fi])
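Review bot: In the `whether _FORTIFY_SOURCE may be specified` cache check, the third argument is two adjacent quoted strings, so both AC_LINK_IFELSE calls run back to back and the second one (an empty AC_LANG_PROGRAM) overwrites sudo_cv_use_fortify_source; the sprintf/__sprintf_chk link result described in the comment above it is never what gets reported, which the regenerated configure in this diff also shows. Move the second AC_LINK_IFELSE into the success action of the first (or drop it) so that an unresolved __sprintf_chk actually restores `CPPFLAGS="$O_CPPFLAGS"`; this was already the shape of the code in configure.ac, but the new file is the place to fix it. The relro/now/noexecstack checks now append to HARDENING_LDFLAGS instead of LDFLAGS, which only keeps those protections if every link rule that previously got LDFLAGS also receives HARDENING_LDFLAGS — worth confirming in the Makefiles, since the diff does not show them. A short comment on why `-Wc,` prefixes the HARDENING_LDFLAGS entries (libtool pass-through) would help the next reader, e.g. `# -Wc, makes libtool pass the flag to the compiler driver at link time`.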