
Move hardening checks to m4/hardening.m4

This commit is contained in:
Todd C. Miller 2022-12-05 12:32:53 -07:00
parent 8718fc2083
commit 5bf5a4e26c
5 changed files with 356 additions and 342 deletions


@ -425,6 +425,7 @@ m4/ax_check_link_flag.m4
m4/ax_func_getaddrinfo.m4
m4/ax_func_snprintf.m4
m4/ax_prog_cc_for_build.m4
m4/hardening.m4
m4/libtool.m4
m4/ltoptions.m4
m4/ltsugar.m4

1
aclocal.m4 vendored

@ -18,6 +18,7 @@ m4_include([m4/ax_check_link_flag.m4])
m4_include([m4/ax_func_getaddrinfo.m4])
m4_include([m4/ax_func_snprintf.m4])
m4_include([m4/ax_prog_cc_for_build.m4])
m4_include([m4/hardening.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])

284
configure vendored

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.72a for sudo 1.9.12p1.
# Generated by GNU Autoconf 2.72a.69-9c123-dirty for sudo 1.9.12p1.
#
# Report bugs to <https://bugzilla.sudo.ws/>.
#
@ -1992,7 +1992,7 @@ test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
sudo configure 1.9.12p1
generated by GNU Autoconf 2.72a
generated by GNU Autoconf 2.72a.69-9c123-dirty
Copyright (C) 2022 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
@ -2670,7 +2670,7 @@ This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by sudo $as_me 1.9.12p1, which was
generated by GNU Autoconf 2.72a. Invocation command line was
generated by GNU Autoconf 2.72a.69-9c123-dirty. Invocation command line was
$ $0$ac_configure_args_raw
@ -31432,104 +31432,6 @@ EOF
fi
if test "$enable_hardening" != "no"; then
O_CPPFLAGS="$CPPFLAGS"
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -D_FORTIFY_SOURCE=2 "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -D_FORTIFY_SOURCE=2"; } >&5
(: CPPFLAGS already contains -D_FORTIFY_SOURCE=2) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -D_FORTIFY_SOURCE=2"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
CPPFLAGS=-D_FORTIFY_SOURCE=2
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether _FORTIFY_SOURCE may be specified" >&5
printf %s "checking whether _FORTIFY_SOURCE may be specified... " >&6; }
if test ${sudo_cv_use_fortify_source+y}
then :
printf %s "(cached) " >&6
else case e in #(
e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
char buf[4]; (void)sprintf(buf, "%s", "foo");
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
sudo_cv_use_fortify_source=yes
else case e in #(
e) sudo_cv_use_fortify_source=no
;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
sudo_cv_use_fortify_source=yes
else case e in #(
e) sudo_cv_use_fortify_source=no
;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_use_fortify_source" >&5
printf "%s\n" "$sudo_cv_use_fortify_source" >&6; }
if test "$sudo_cv_use_fortify_source" != yes; then
CPPFLAGS="$O_CPPFLAGS"
fi
fi
ac_c_werror_flag=yes
@ -33042,7 +32944,109 @@ fi
esac
fi
if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
if test "$enable_hardening" != "no"; then
#
# Attempt to use _FORTIFY_SOURCE with sprintf. If the headers support
# it but libc does not, __sprintf_chk should be an undefined symbol.
#
O_CPPFLAGS="$CPPFLAGS"
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -D_FORTIFY_SOURCE=2 "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -D_FORTIFY_SOURCE=2"; } >&5
(: CPPFLAGS already contains -D_FORTIFY_SOURCE=2) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -D_FORTIFY_SOURCE=2"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else case e in #(
e)
CPPFLAGS=-D_FORTIFY_SOURCE=2
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether _FORTIFY_SOURCE may be specified" >&5
printf %s "checking whether _FORTIFY_SOURCE may be specified... " >&6; }
if test ${sudo_cv_use_fortify_source+y}
then :
printf %s "(cached) " >&6
else case e in #(
e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
char buf[4]; (void)sprintf(buf, "%s", "foo");
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
sudo_cv_use_fortify_source=yes
else case e in #(
e) sudo_cv_use_fortify_source=no
;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
sudo_cv_use_fortify_source=yes
else case e in #(
e) sudo_cv_use_fortify_source=no
;;
esac
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
;;
esac
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_use_fortify_source" >&5
printf "%s\n" "$sudo_cv_use_fortify_source" >&6; }
if test "$sudo_cv_use_fortify_source" != yes; then
CPPFLAGS="$O_CPPFLAGS"
fi
if test "$enable_ssp" != "no"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5
printf %s "checking for compiler stack protector support... " >&6; }
if test ${sudo_cv_var_stack_protector+y}
@ -33050,9 +33054,10 @@ then :
printf %s "(cached) " >&6
else case e in #(
e)
# Avoid CFLAGS since the compiler might optimize away our test.
# We don't want CPPFLAGS or LIBS to interfere with the test but
# keep LDFLAGS as it may have an rpath needed to find the ssp lib.
# Avoid CFLAGS since the compiler might optimize away our
# test. We don't want CPPFLAGS or LIBS to interfere with
# the test but keep LDFLAGS as it may have an rpath needed
# to find the ssp lib.
_CPPFLAGS="$CPPFLAGS"
_CFLAGS="$CFLAGS"
_LDFLAGS="$LDFLAGS"
@ -33154,7 +33159,7 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; }
HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
fi
fi
if test "$enable_hardening" != "no"; then
# The gcc front-end may accept -fstack-clash-protection even if the
# machine-specific code does not support it. We use a test program
# with a large stack allocation to try to cause the compiler to
@ -33260,6 +33265,7 @@ fi
fi
# Check for control-flow transfer instrumentation (Intel CET).
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5
printf %s "checking whether C compiler accepts -fcf-protection... " >&6; }
if test ${ax_cv_check_cflags___fcf_protection+y}
@ -33413,6 +33419,8 @@ else case e in #(
esac
fi
# Linker-specific hardening flags.
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
printf %s "checking whether the linker accepts -Wl,-z,relro... " >&6; }
if test ${ax_cv_check_ldflags___Wl__z_relro+y}
@ -33450,21 +33458,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes
then :
if test ${LDFLAGS+y}
if test ${HARDENING_LDFLAGS+y}
then :
case " $LDFLAGS " in #(
case " $HARDENING_LDFLAGS " in #(
*" -Wl,-z,relro "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,relro"; } >&5
(: LDFLAGS already contains -Wl,-z,relro) 2>&5
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,relro"; } >&5
(: HARDENING_LDFLAGS already contains -Wl,-z,relro) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS " -Wl,-z,relro"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
as_fn_append HARDENING_LDFLAGS " -Wl,-z,relro"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
(: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
@ -33473,9 +33481,9 @@ esac
else case e in #(
e)
LDFLAGS=-Wl,-z,relro
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
HARDENING_LDFLAGS=-Wl,-z,relro
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
(: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
@ -33525,21 +33533,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_now" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes
then :
if test ${LDFLAGS+y}
if test ${HARDENING_LDFLAGS+y}
then :
case " $LDFLAGS " in #(
case " $HARDENING_LDFLAGS " in #(
*" -Wl,-z,now "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,now"; } >&5
(: LDFLAGS already contains -Wl,-z,now) 2>&5
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,now"; } >&5
(: HARDENING_LDFLAGS already contains -Wl,-z,now) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS " -Wl,-z,now"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
as_fn_append HARDENING_LDFLAGS " -Wl,-z,now"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
(: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
@ -33548,9 +33556,9 @@ esac
else case e in #(
e)
LDFLAGS=-Wl,-z,now
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
HARDENING_LDFLAGS=-Wl,-z,now
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
(: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
@ -33600,21 +33608,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_noexecstack" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_noexecstack" = xyes
then :
if test ${LDFLAGS+y}
if test ${HARDENING_LDFLAGS+y}
then :
case " $LDFLAGS " in #(
case " $HARDENING_LDFLAGS " in #(
*" -Wl,-z,noexecstack "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,noexecstack"; } >&5
(: LDFLAGS already contains -Wl,-z,noexecstack) 2>&5
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,noexecstack"; } >&5
(: HARDENING_LDFLAGS already contains -Wl,-z,noexecstack) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LDFLAGS " -Wl,-z,noexecstack"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
as_fn_append HARDENING_LDFLAGS " -Wl,-z,noexecstack"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
(: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
@ -33623,9 +33631,9 @@ esac
else case e in #(
e)
LDFLAGS=-Wl,-z,noexecstack
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
(: LDFLAGS="$LDFLAGS") 2>&5
HARDENING_LDFLAGS=-Wl,-z,noexecstack
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
(: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
@ -34960,7 +34968,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# values after options handling.
ac_log="
This file was extended by sudo $as_me 1.9.12p1, which was
generated by GNU Autoconf 2.72a. Invocation command line was
generated by GNU Autoconf 2.72a.69-9c123-dirty. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
CONFIG_HEADERS = $CONFIG_HEADERS
@ -35028,7 +35036,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
sudo config.status 1.9.12p1
configured by $0, generated by GNU Autoconf 2.72a,
configured by $0, generated by GNU Autoconf 2.72a.69-9c123-dirty,
with options \\"\$ac_cs_config\\"
Copyright (C) 2022 Free Software Foundation, Inc.


@ -4533,35 +4533,6 @@ SUDO_VARDIR
SUDO_IO_LOGDIR
SUDO_TZDIR
dnl
dnl Attempt to use _FORTIFY_SOURCE with sprintf. If the headers support
dnl it but libc does not, __sprintf_chk should be an undefined symbol.
dnl
if test "$enable_hardening" != "no"; then
O_CPPFLAGS="$CPPFLAGS"
AX_APPEND_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS])
AC_CACHE_CHECK([whether _FORTIFY_SOURCE may be specified],
[sudo_cv_use_fortify_source],
[AC_LINK_IFELSE([
AC_LANG_PROGRAM(
[[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
)],
[sudo_cv_use_fortify_source=yes],
[sudo_cv_use_fortify_source=no]
)
]
[AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[]], [[]])],
[sudo_cv_use_fortify_source=yes],
[sudo_cv_use_fortify_source=no]
)
]
)
if test "$sudo_cv_use_fortify_source" != yes; then
CPPFLAGS="$O_CPPFLAGS"
fi
fi
dnl
dnl Turn warnings into errors.
dnl All compiler/loader tests after this point will fail if
@ -4844,91 +4815,7 @@ if test "$enable_pie" != "yes"; then
esac
fi
dnl
dnl Check for -fstack-protector and -z relro support
dnl This test relies on AC_LANG_WERROR
dnl
if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
AC_CACHE_CHECK([for compiler stack protector support],
[sudo_cv_var_stack_protector],
[
# Avoid CFLAGS since the compiler might optimize away our test.
# We don't want CPPFLAGS or LIBS to interfere with the test but
# keep LDFLAGS as it may have an rpath needed to find the ssp lib.
_CPPFLAGS="$CPPFLAGS"
_CFLAGS="$CFLAGS"
_LDFLAGS="$LDFLAGS"
_LIBS="$LIBS"
CPPFLAGS=
LIBS=
sudo_cv_var_stack_protector="-fstack-protector-strong"
CFLAGS="$sudo_cv_var_stack_protector"
LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
AC_LINK_IFELSE([
AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
[[char buf[1024]; buf[1023] = '\0';]])
], [], [
sudo_cv_var_stack_protector="-fstack-protector-all"
CFLAGS="$sudo_cv_var_stack_protector"
LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
AC_LINK_IFELSE([
AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
[[char buf[1024]; buf[1023] = '\0';]])
], [], [
sudo_cv_var_stack_protector="-fstack-protector"
CFLAGS="$sudo_cv_var_stack_protector"
LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
AC_LINK_IFELSE([
AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
[[char buf[1024]; buf[1023] = '\0';]])
], [], [
sudo_cv_var_stack_protector=no
])
])
])
CPPFLAGS="$_CPPFLAGS"
CFLAGS="$_CFLAGS"
LDFLAGS="$_LDFLAGS"
LIBS="$_LIBS"
]
)
if test X"$sudo_cv_var_stack_protector" != X"no"; then
HARDENING_CFLAGS="$sudo_cv_var_stack_protector"
HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
fi
fi
if test "$enable_hardening" != "no"; then
# The gcc front-end may accept -fstack-clash-protection even if the
# machine-specific code does not support it. We use a test program
# with a large stack allocation to try to cause the compiler to
# insert the stack clash protection code, or fail if not supported.
AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
[sudo_cv_check_cflags___fstack_clash_protection],
[
_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fstack-clash-protection"
AC_COMPILE_IFELSE([
AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
CFLAGS="$_CFLAGS"
]
)
if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
fi
AX_CHECK_COMPILE_FLAG([-fcf-protection], [
AX_CHECK_LINK_FLAG([-fcf-protection], [
AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
])
])
AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])])
AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [LDFLAGS])])
AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [LDFLAGS])])
fi
SUDO_CHECK_HARDENING
dnl
dnl Use passwd auth module?

117
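--- /dev/null
+++ b/m4/hardening.m4
@@ -0,0 +1,117 @@
+AC_DEFUN([SUDO_CHECK_HARDENING], [
+if test "$enable_hardening" != "no"; then
+#
+# Attempt to use _FORTIFY_SOURCE with sprintf. If the headers support
+# it but libc does not, __sprintf_chk should be an undefined symbol.
+#
+O_CPPFLAGS="$CPPFLAGS"
+AX_APPEND_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS])
+AC_CACHE_CHECK([whether _FORTIFY_SOURCE may be specified],
+[sudo_cv_use_fortify_source],
+[AC_LINK_IFELSE([
+AC_LANG_PROGRAM(
+[[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
+)],
+[sudo_cv_use_fortify_source=yes],
+[sudo_cv_use_fortify_source=no]
+)
+]
+[AC_LINK_IFELSE(
+[AC_LANG_PROGRAM([[]], [[]])],
+[sudo_cv_use_fortify_source=yes],
+[sudo_cv_use_fortify_source=no]
+)
+]
+)
+if test "$sudo_cv_use_fortify_source" != yes; then
+CPPFLAGS="$O_CPPFLAGS"
+fi
+dnl
+dnl The following tests rely on AC_LANG_WERROR.
+dnl
+if test "$enable_ssp" != "no"; then
+AC_CACHE_CHECK([for compiler stack protector support],
+[sudo_cv_var_stack_protector],
+[
+# Avoid CFLAGS since the compiler might optimize away our
+# test. We don't want CPPFLAGS or LIBS to interfere with
+# the test but keep LDFLAGS as it may have an rpath needed
+# to find the ssp lib.
+_CPPFLAGS="$CPPFLAGS"
+_CFLAGS="$CFLAGS"
+_LDFLAGS="$LDFLAGS"
+_LIBS="$LIBS"
+CPPFLAGS=
+LIBS=
+sudo_cv_var_stack_protector="-fstack-protector-strong"
+CFLAGS="$sudo_cv_var_stack_protector"
+LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+AC_LINK_IFELSE([
+AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+[[char buf[1024]; buf[1023] = '\0';]])
+], [], [
+sudo_cv_var_stack_protector="-fstack-protector-all"
+CFLAGS="$sudo_cv_var_stack_protector"
+LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+AC_LINK_IFELSE([
+AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+[[char buf[1024]; buf[1023] = '\0';]])
+], [], [
+sudo_cv_var_stack_protector="-fstack-protector"
+CFLAGS="$sudo_cv_var_stack_protector"
+LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+AC_LINK_IFELSE([
+AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+[[char buf[1024]; buf[1023] = '\0';]])
+], [], [
+sudo_cv_var_stack_protector=no
+])
+])
+])
+CPPFLAGS="$_CPPFLAGS"
+CFLAGS="$_CFLAGS"
+LDFLAGS="$_LDFLAGS"
+LIBS="$_LIBS"
+]
+)
+if test X"$sudo_cv_var_stack_protector" != X"no"; then
+HARDENING_CFLAGS="$sudo_cv_var_stack_protector"
+HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
+fi
+fi
+# The gcc front-end may accept -fstack-clash-protection even if the
+# machine-specific code does not support it. We use a test program
+# with a large stack allocation to try to cause the compiler to
+# insert the stack clash protection code, or fail if not supported.
+AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+[sudo_cv_check_cflags___fstack_clash_protection],
+[
+_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -fstack-clash-protection"
+AC_COMPILE_IFELSE([
+AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
+], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+CFLAGS="$_CFLAGS"
+]
+)
+if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
+AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
+fi
+# Check for control-flow transfer instrumentation (Intel CET).
+AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+AX_CHECK_LINK_FLAG([-fcf-protection], [
+AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+])
+])
+# Linker-specific hardening flags.
+AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [HARDENING_LDFLAGS])])
+AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [HARDENING_LDFLAGS])])
+AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [HARDENING_LDFLAGS])])
+fi])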
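Review bot: The cache body of the `sudo_cv_use_fortify_source` check is two adjacent quoted groups passed as one AC_CACHE_CHECK argument, so both AC_LINK_IFELSE calls run back to back and the second, which links an empty `main`, overwrites the result of the sprintf probe; the regenerated configure shows the same two consecutive link tests. As a result the `__sprintf_chk` undefined-symbol case described in the comment never decides the outcome, and `-D_FORTIFY_SOURCE=2` stays in CPPFLAGS whenever an empty program links. Dropping the second group, `[AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])], [sudo_cv_use_fortify_source=yes], [sudo_cv_use_fortify_source=no])]`, leaves the sprintf probe as the sole test. Separately, the old in-line probe ran before `ac_c_werror_flag=yes`, but SUDO_CHECK_HARDENING is now invoked after AC_LANG_WERROR, so any header warning (glibc, I believe, warns when `_FORTIFY_SOURCE` is used without `-O`) now fails the probe and silently drops fortification; the "following tests rely on AC_LANG_WERROR" comment should state that the fortify probe also runs under it, or the probe should clear `ac_c_werror_flag` around its link test. AX_APPEND_FLAG also only recognises an exact `-D_FORTIFY_SOURCE=2`, so a caller who already set `-D_FORTIFY_SOURCE=3` gets a second, lower definition appended rather than being left alone.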