Josh Bressers has been so kind as to review the usb-acl-helper for possible security issues. One of his recommendations was to harden the usb-acl-helper by building it as a Position Independent Executable.
Signed-off-by: Hans de Goede <[email protected]>
---
 configure.ac | 26 ++++++++++++++++++++++++++
 gtk/Makefile.am | 2 ++
 2 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2b73fc1..95819a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -390,6 +390,32 @@ if test "x$have_usbredir" = "xyes" && test "x$have_polkit" != "xyes"; then
 AC_MSG_WARN([Building with usbredir support, but *not* building the usb acl helper])
 fi
+AC_ARG_ENABLE([pie],
+ AS_HELP_STRING([--enable-pie=@<:@auto/yes/no@:>@],
+ [Enable position-independent-executable support (for the usb acl helper)@<:@default=auto@:>@]),
+ [],
+ [enable_pie="auto"])
+
+if test "x$have_polkit" = "xyes" && test "x$enable_pie" != "xno"; then
+ save_CFLAGS="$CFLAGS"
+ save_LDFLAGS="$LDFLAGS"
+ CFLAGS="$CFLAGS -fPIE"
+ LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
+ AC_MSG_CHECKING([for PIE support])
+ AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])],
+ [have_pie=yes],
+ [have_pie=no])
+ AC_MSG_RESULT([$have_pie])
+ if test "x$have_pie" = "xyes"; then
+ PIE_CFLAGS="-fPIE"
+ PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+ AC_SUBST(PIE_CFLAGS)
+ AC_SUBST(PIE_LDFLAGS)
+ fi
+ CFLAGS="$save_CFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+fi
+
 AC_ARG_WITH([usb-acl-helper-dir],
 AS_HELP_STRING([--with-usb-acl-helper-dir=DIR],
 [Directory where the USB ACL helper binary should be installed]),
diff --git a/gtk/Makefile.am b/gtk/Makefile.am
index a244551..a5b6e29 100644
--- a/gtk/Makefile.am
+++ b/gtk/Makefile.am
@@ -376,6 +376,7 @@ spice_client_glib_usb_acl_helper_LDADD = \
 $(GIO_LIBS) \
 $(POLKIT_LIBS) \
 $(ACL_LIBS) \
+ $(PIE_LDFLAGS) \
 $(NULL)
 spice_client_glib_usb_acl_helper_CPPFLAGS = \
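Review bot: When the link test fails, the new block leaves `have_pie=no` and configure carries on, so a build run with `--enable-pie=yes` can still produce a non-PIE usb acl helper without any error. An explicit request for the hardening should fail loudly; after `AC_MSG_RESULT([$have_pie])` add `if test "x$enable_pie" = "xyes" && test "x$have_pie" != "xyes"; then AC_MSG_ERROR([PIE requested but the toolchain cannot link with -fPIE -pie]); fi`. The probe program `void main () {}` is also non-standard C and may be rejected by a strict compiler for reasons unrelated to PIE, which in auto mode would switch the hardening off silently; `AC_LANG_PROGRAM([], [])` avoids that. Because `-pie`, `-z relro` and `-z now` are tested together, a linker lacking any one of them drops all three.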
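Review bot: `$(PIE_LDFLAGS)` is appended to `spice_client_glib_usb_acl_helper_LDADD`, which automake intends for objects and libraries; linker options such as `-pie -Wl,-z,relro -Wl,-z,now` belong in a per-target `spice_client_glib_usb_acl_helper_LDFLAGS`. The following hunk has the matching problem on the compile side: `-fPIE` is a compiler flag but is added to `_CPPFLAGS` rather than `spice_client_glib_usb_acl_helper_CFLAGS` (keeping `$(AM_CFLAGS)` in it if the file relies on that). Both placements probably still reach the compile and link commands, but that depends on how automake, and libtool if it drives the link, order and filter the arguments. It is worth confirming on the built helper that the ELF type is `DYN` and that `BIND_NOW` and a `GNU_RELRO` segment are present, for example with `readelf -h -l -d`. Both variable definitions start or end outside the hunks shown.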
@@ -383,6 +384,7 @@ spice_client_glib_usb_acl_helper_CPPFLAGS = \
 $(GLIB2_CFLAGS) \
 $(GIO_CFLAGS) \
 $(POLKIT_CFLAGS) \
+ $(PIE_CFLAGS) \
 $(NULL)
 install-data-hook:
--
1.7.7.6
_______________________________________________
Spice-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/spice-devel
