diff options
author | Marek Polacek <polacek@redhat.com> | 2022-11-10 16:33:03 -0500 |
---|---|---|
committer | Marek Polacek <polacek@redhat.com> | 2022-11-22 20:32:18 -0500 |
commit | 251c72a68af3a8b0638705b73ef120ffdf0053eb (patch) | |
tree | a187b2e4bcfa9277983d2fa35fb5af088c4a3a87 /c++tools | |
parent | d0e4cdb48b75434f27e6874c5b7c386eb167f340 (diff) | |
download | gcc-251c72a68af3a8b0638705b73ef120ffdf0053eb.zip gcc-251c72a68af3a8b0638705b73ef120ffdf0053eb.tar.gz gcc-251c72a68af3a8b0638705b73ef120ffdf0053eb.tar.bz2 |
configure: Implement --enable-host-pie
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
I plan to add an option to link with -Wl,-z,now.
ChangeLog:
* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
isl.
* Makefile.in: Regenerate.
* Makefile.tpl: Set PICFLAG.
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
Diffstat (limited to 'c++tools')
-rw-r--r-- | c++tools/Makefile.in | 11 | ||||
-rwxr-xr-x | c++tools/configure | 17 | ||||
-rw-r--r-- | c++tools/configure.ac | 11 |
3 files changed, 31 insertions, 8 deletions
diff --git a/c++tools/Makefile.in b/c++tools/Makefile.in index d6a3361..4d5a5b0 100644 --- a/c++tools/Makefile.in +++ b/c++tools/Makefile.in @@ -28,8 +28,9 @@ AUTOCONF := @AUTOCONF@ AUTOHEADER := @AUTOHEADER@ CXX := @CXX@ CXXFLAGS := @CXXFLAGS@ -PIEFLAG := @PIEFLAG@ -CXXOPTS := $(CXXFLAGS) $(PIEFLAG) -fno-exceptions -fno-rtti +PICFLAG := @PICFLAG@ +LD_PICFLAG := @LD_PICFLAG@ +CXXOPTS := $(CXXFLAGS) $(PICFLAG) -fno-exceptions -fno-rtti LDFLAGS := @LDFLAGS@ exeext := @EXEEXT@ LIBIBERTY := ../libiberty/libiberty.a @@ -88,11 +89,15 @@ ifeq (@CXX_AUX_TOOLS@,yes) all::g++-mapper-server$(exeext) +ifneq ($(PICFLAG),) +override LIBIBERTY := ../libiberty/pic/libiberty.a +endif + MAPPER.O := server.o resolver.o CODYLIB = ../libcody/libcody.a CXXINC += -I$(srcdir)/../libcody -I$(srcdir)/../include -I$(srcdir)/../gcc -I. -I../gcc g++-mapper-server$(exeext): $(MAPPER.O) $(CODYLIB) - +$(CXX) $(LDFLAGS) $(PIEFLAG) -o $@ $^ $(LIBIBERTY) $(NETLIBS) + +$(CXX) $(LDFLAGS) $(PICFLAG) $(LD_PICFLAG) -o $@ $^ $(LIBIBERTY) $(NETLIBS) # copy to gcc dir so tests there can run all::../gcc/g++-mapper-server$(exeext) diff --git a/c++tools/configure b/c++tools/configure index 742816e..8808700 100755 --- a/c++tools/configure +++ b/c++tools/configure @@ -627,7 +627,8 @@ get_gcc_base_ver EGREP GREP CXXCPP -PIEFLAG +LD_PICFLAG +PICFLAG MAINTAINER CXX_AUX_TOOLS AUTOHEADER @@ -700,6 +701,7 @@ enable_c___tools enable_maintainer_mode enable_checking enable_default_pie +enable_host_pie with_gcc_major_version_only ' ac_precious_vars='build_alias @@ -1333,6 +1335,7 @@ Optional Features: only specific categories of checks. Categories are: yes,no,all,none,release. --enable-default-pie enable Position Independent Executable as default + --enable-host-pie build host code as PIE Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -2990,12 +2993,20 @@ fi # Check whether --enable-default-pie was given. # Check whether --enable-default-pie was given. if test "${enable_default_pie+set}" = set; then : - enableval=$enable_default_pie; PIEFLAG=-fPIE + enableval=$enable_default_pie; PICFLAG=-fPIE else - PIEFLAG= + PICFLAG= fi +# Enable --enable-host-pie +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; PICFLAG=-fPIE; LD_PICFLAG=-pie +fi + + + # Check if O_CLOEXEC is defined by fcntl diff --git a/c++tools/configure.ac b/c++tools/configure.ac index 6662b5a..1e42689 100644 --- a/c++tools/configure.ac +++ b/c++tools/configure.ac @@ -102,8 +102,15 @@ fi AC_ARG_ENABLE(default-pie, [AS_HELP_STRING([--enable-default-pie], [enable Position Independent Executable as default])], -[PIEFLAG=-fPIE], [PIEFLAG=]) -AC_SUBST([PIEFLAG]) +[PICFLAG=-fPIE], [PICFLAG=]) + +# Enable --enable-host-pie +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])], +[PICFLAG=-fPIE; LD_PICFLAG=-pie], []) +AC_SUBST(PICFLAG) +AC_SUBST(LD_PICFLAG) # Check if O_CLOEXEC is defined by fcntl AC_CACHE_CHECK(for O_CLOEXEC, ac_cv_o_cloexec, [ |