diff options
| author | Marek Polacek <polacek@redhat.com> | 2022-11-10 16:33:03 -0500 |
|---|---|---|
| committer | Marek Polacek <polacek@redhat.com> | 2022-11-22 20:32:18 -0500 |
| commit | 251c72a68af3a8b0638705b73ef120ffdf0053eb (patch) | |
| tree | a187b2e4bcfa9277983d2fa35fb5af088c4a3a87 /fixincludes | |
| parent | d0e4cdb48b75434f27e6874c5b7c386eb167f340 (diff) | |
| download | gcc-251c72a68af3a8b0638705b73ef120ffdf0053eb.zip gcc-251c72a68af3a8b0638705b73ef120ffdf0053eb.tar.gz gcc-251c72a68af3a8b0638705b73ef120ffdf0053eb.tar.bz2 | |
configure: Implement --enable-host-pie
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
I plan to add an option to link with -Wl,-z,now.
ChangeLog:
* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
isl.
* Makefile.in: Regenerate.
* Makefile.tpl: Set PICFLAG.
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
Diffstat (limited to 'fixincludes')
| -rw-r--r-- | fixincludes/Makefile.in | 14 | ||||
| -rwxr-xr-x | fixincludes/configure | 13 | ||||
| -rw-r--r-- | fixincludes/configure.ac | 8 |
3 files changed, 31 insertions, 4 deletions
diff --git a/fixincludes/Makefile.in b/fixincludes/Makefile.in index 1937dca..990c08e 100644 --- a/fixincludes/Makefile.in +++ b/fixincludes/Makefile.in @@ -30,6 +30,8 @@ CC = @CC@ CFLAGS = @CFLAGS@ WARN_CFLAGS = @WARN_CFLAGS@ @WARN_PEDANTIC@ @WERROR@ LDFLAGS = @LDFLAGS@ +PICFLAG = @PICFLAG@ +LD_PICFLAG = @LD_PICFLAG@ INCLUDES = -I. -I$(srcdir) -I../include -I$(srcdir)/../include FIXINC_CFLAGS = -DHAVE_CONFIG_H $(INCLUDES) @@ -73,7 +75,7 @@ default : all # Now figure out from those variables how to compile and link. .c.o: - $(CC) -c $(CFLAGS) $(WARN_CFLAGS) $(CPPFLAGS) $(FIXINC_CFLAGS) $< + $(CC) -c $(CFLAGS) $(PICFLAG) $(WARN_CFLAGS) $(CPPFLAGS) $(FIXINC_CFLAGS) $< # The only suffixes we want for implicit rules are .c and .o. .SUFFIXES: @@ -87,7 +89,11 @@ default : all ## ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # +ifeq ($(PICFLAG),) LIBIBERTY=../libiberty/libiberty.a +else +LIBIBERTY=../libiberty/pic/libiberty.a +endif ALLOBJ = fixincl.o fixtests.o fixfixes.o server.o procopen.o \ fixlib.o fixopts.o @@ -107,15 +113,15 @@ oneprocess : full-stamp twoprocess : test-stamp $(AF) full-stamp : $(ALLOBJ) $(LIBIBERTY) - $(CC) $(CFLAGS) $(LDFLAGS) -o $(FI) $(ALLOBJ) $(LIBIBERTY) + $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $(FI) $(ALLOBJ) $(LIBIBERTY) $(STAMP) $@ test-stamp : $(TESTOBJ) $(LIBIBERTY) - $(CC) $(CFLAGS) $(LDFLAGS) -o $(FI) $(TESTOBJ) $(LIBIBERTY) + $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $(FI) $(TESTOBJ) $(LIBIBERTY) $(STAMP) $@ $(AF): $(FIXOBJ) $(LIBIBERTY) - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(FIXOBJ) $(LIBIBERTY) + $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $@ $(FIXOBJ) $(LIBIBERTY) $(ALLOBJ) : $(HDR) fixincl.o : fixincl.c $(srcdir)/fixincl.x diff --git a/fixincludes/configure b/fixincludes/configure index b3bca66..67a7597 100755 --- a/fixincludes/configure +++ b/fixincludes/configure @@ -623,6 +623,8 @@ ac_subst_vars='LTLIBOBJS LIBOBJS get_gcc_base_ver MAINT +LD_PICFLAG +PICFLAG TARGET target_noncanonical WERROR @@ -695,6 +697,7 @@ enable_option_checking enable_werror_always with_local_prefix enable_twoprocess +enable_host_pie enable_maintainer_mode with_gcc_major_version_only ' @@ -1323,6 +1326,7 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-werror-always enable -Werror despite compiler version --enable-twoprocess Use a separate process to apply the fixes + --enable-host-pie build host code as PIE --enable-maintainer-mode enable make rules and dependencies not useful (and sometimes confusing) to the casual installer @@ -4835,6 +4839,15 @@ $as_echo "#define SEPARATE_FIX_PROC 1" >>confdefs.h fi +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; PICFLAG=-fPIE; LD_PICFLAG=-pie +fi + + + + case $host in vax-dec-bsd* ) diff --git a/fixincludes/configure.ac b/fixincludes/configure.ac index 14813b9..ec8534f 100644 --- a/fixincludes/configure.ac +++ b/fixincludes/configure.ac @@ -68,6 +68,14 @@ if test $TARGET = twoprocess; then [Define if testing and fixing are done by separate process]) fi +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])], +[PICFLAG=-fPIE; LD_PICFLAG=-pie], []) +AC_SUBST(PICFLAG) +AC_SUBST(LD_PICFLAG) + case $host in vax-dec-bsd* ) AC_DEFINE(exit, xexit, [Define to xexit if the host system does not support atexit]) |