On Fri, Jan 27, 2012 at 04:58:56PM +0100, Hans de Goede wrote:
> Josh Bressers has been so kind to review the usb-acl-helper for possible
> security issues. One of his recomendations was to harden the usb-acl-helper
> by building it as a Position Independent Executable.
>
> Signed-off-by: Hans de Goede <[email protected]>
> ---
> configure.ac | 26 ++++++++++++++++++++++++++
> gtk/Makefile.am | 2 ++
> 2 files changed, 28 insertions(+), 0 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 2b73fc1..95819a8 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -390,6 +390,32 @@ if test "x$have_usbredir" = "xyes" && test
> "x$have_polkit" != "xyes"; then
> AC_MSG_WARN([Building with usbredir support, but *not* building the usb
> acl helper])
> fi
>
> +AC_ARG_ENABLE([pie],
> + AS_HELP_STRING([--enable-pie=@<:@auto/yes/no@:>@],
> + [Enable position-independent-executable support (for the
> usb acl helper)@<:@default=auto@:>@]),
> + [],
> + [enable_pie="auto"])
> +
> +if test "x$have_polkit" = "xyes" && test "x$enable_pie" != "xno"; then
> + save_CFLAGS="$CFLAGS"
> + save_LDFLAGS="$LDFLAGS"
> + CFLAGS="$CFLAGS -fPIE"
> + LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
> + AC_MSG_CHECKING([for PIE support])
> + AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])],
> + [have_pie=yes],
> + [have_pie=no])
> + AC_MSG_RESULT([$have_pie])
> + if test "x$have_pie" = "xyes"; then
> + PIE_CFLAGS="-fPIE"
> + PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
> + AC_SUBST(PIE_CFLAGS)
> + AC_SUBST(PIE_LDFLAGS)
I'd add else; if "x$enable_pie" = "xyes"; then AC_MSG_ERROR([pie requested but not supported by the C compiler]); fi otherwise yes/auto are the same.
> + fi
> + CFLAGS="$save_CFLAGS"
> + LDFLAGS="$save_LDFLAGS"
> +fi
> +
> AC_ARG_WITH([usb-acl-helper-dir],
> AS_HELP_STRING([--with-usb-acl-helper-dir=DIR],
> [Directory where the USB ACL helper binary should be
> installed]),
> diff --git a/gtk/Makefile.am b/gtk/Makefile.am
> index a244551..a5b6e29 100644
> --- a/gtk/Makefile.am
> +++ b/gtk/Makefile.am
> @@ -376,6 +376,7 @@ spice_client_glib_usb_acl_helper_LDADD = \
> $(GIO_LIBS) \
> $(POLKIT_LIBS) \
> $(ACL_LIBS) \
> + $(PIE_LDFLAGS) \
> $(NULL)
>
> spice_client_glib_usb_acl_helper_CPPFLAGS = \
> @@ -383,6 +384,7 @@ spice_client_glib_usb_acl_helper_CPPFLAGS = \
> $(GLIB2_CFLAGS) \
> $(GIO_CFLAGS) \
> $(POLKIT_CFLAGS) \
> + $(PIE_CFLAGS) \
> $(NULL)
>
> install-data-hook:
> --
> 1.7.7.6
>
> _______________________________________________
> Spice-devel mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
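Review bot: The link probe `AC_LANG_SOURCE([void main () {}])` in the configure.ac hunk uses a non-standard `void main`, so a toolchain that promotes warnings to errors can fail the probe for a reason unrelated to PIE; with the default `auto` the helper would then be built without `-fPIE`/`-pie` and nothing beyond a "no" in the check output would say so. `AC_LANG_PROGRAM([], [])` keeps the probe about the flags alone. The probe also tests `-pie -Wl,-z,relro -Wl,-z,now` as one unit, so a linker lacking only one of them loses all three; probing `-pie` separately from the two `-z` options would keep whatever hardening is available. An `AC_MSG_WARN` in the `have_pie=no` branch would make an un-hardened helper build visible in the configure output.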
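Review bot: In the first gtk/Makefile.am hunk `$(PIE_LDFLAGS)` is appended to `spice_client_glib_usb_acl_helper_LDADD`, and in the second `$(PIE_CFLAGS)` to `spice_client_glib_usb_acl_helper_CPPFLAGS`, but automake reserves `_LDADD` for libraries and objects and `_CPPFLAGS` for preprocessor options. Linker options belong in `_LDFLAGS` and compiler options in `_CFLAGS`; if the helper is linked through libtool, options placed in `_LDADD` may be reordered or filtered, so `-pie` could presumably be dropped while the objects are still compiled with `-fPIE`. I would use `spice_client_glib_usb_acl_helper_LDFLAGS = $(PIE_LDFLAGS)` and `spice_client_glib_usb_acl_helper_CFLAGS = $(PIE_CFLAGS)`, appending instead if those variables are already defined outside the hunks (both assignments start above the visible lines). It is worth confirming the result on the installed binary with `readelf -h` (Type `DYN`) and `readelf -d` (`BIND_NOW`).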
