From 4ac6451491e8d4dfc4e371eee4c162b297283c0a Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 6 Sep 2016 22:38:57 +0000
Subject: Add configure option for build hardening
Ticket: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood
Reviewed-by: Simo Sorce
Merges #30
---
 proxy/Makefile.am | 14 ++++++++++++--
 proxy/conf_macros.m4 | 11 +++++++++++
 proxy/configure.ac | 1 +
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index f03f3ea..4359938 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig
 gpstatedir = @gpstatedir@
 gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS =
 AM_CFLAGS =
+AM_LDFLAGS =
 if WANT_AUX_INFO
 AM_CFLAGS += -aux-info $@.X
 endif
@@ -41,7 +43,15 @@ if HAVE_GCC
 AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
 -Wcast-qual -Wcast-align -Wwrite-strings \
 -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
- -Werror-implicit-function-declaration
+ -Werror-implicit-function-declaration \
+ -Werror=format-security
+
+ AM_CPPFLAGS += -Wdate-time
+endif
+if BUILD_HARDENING
+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
+ AM_CFLAGS += -fPIE -fstack-protector-strong
+ AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
 endif
 dist_pkgconfig_DATA =
@@ -65,7 +75,7 @@ dist_noinst_DATA =
 # Global compilation settings #
 ###############################
-AM_CPPFLAGS = \
+AM_CPPFLAGS += \
 -Wall \
 -Iinclude \
 -I.. \
diff --git a/proxy/conf_macros.m4 b/proxy/conf_macros.m4
index a0ecb13..b35eae1 100644
--- a/proxy/conf_macros.m4
+++ b/proxy/conf_macros.m4
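Review bot: In proxy/Makefile.am the `if BUILD_HARDENING` block adds its flags only to the global `AM_CPPFLAGS`/`AM_CFLAGS`/`AM_LDFLAGS`, and automake does not apply those to a target that defines its own `<target>_CPPFLAGS`, `<target>_CFLAGS` or `<target>_LDFLAGS`, so such a target would be built without PIE, stack protector, RELRO or BIND_NOW even under `--with-hardening`. The target definitions are outside this hunk, so that has to be checked there; any per-target variable should start with `$(AM_CFLAGS)` or `$(AM_LDFLAGS)`. On the link line `-fPIC` next to `-fPIE -pie` looks redundant and could be dropped: `AM_LDFLAGS += -fPIE -pie -Wl,-z,relro -Wl,-z,now`. I would also add a comment above `-D_FORTIFY_SOURCE=2` noting that it only takes effect when the build uses optimisation, for example `# _FORTIFY_SOURCE is inert at -O0; keep CFLAGS at -O1 or higher`.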
@@ -281,3 +281,14 @@ AC_DEFUN([WITH_GPP_DEFAULT_BEHAVIOR],
 AC_DEFINE_UNQUOTED(GPP_DEFAULT_BEHAVIOR, $default_behavior, [Default gssproxy interposer plugin behavior])
 ])
+AC_DEFUN([WITH_HARDENING],
+ [ AC_ARG_WITH([hardening],
+ [AC_HELP_STRING([--with-hardening],
+ [Whether to add extra hardening flags [no]]
+ )
+ ],
+ [],
+ with_hardening=no
+ )
+ AM_CONDITIONAL([BUILD_HARDENING], [test x"$with_hardening" = xyes])
+ ])
diff --git a/proxy/configure.ac b/proxy/configure.ac
index 409584d..c75515e 100644
--- a/proxy/configure.ac
+++ b/proxy/configure.ac
@@ -68,6 +68,7 @@ WITH_SELINUX
 WITH_GSSIDEBUG
 WITH_GPSTATE_PATH
 WITH_GPP_DEFAULT_BEHAVIOR
+WITH_HARDENING
 m4_include([external/pkg.m4])
 m4_include([external/libpopt.m4])
-- cgit
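Review bot: `WITH_HARDENING` treats every value other than `yes` as off, so a typo such as `--with-hardening=full` configures cleanly and silently yields an unhardened build. After the `AC_ARG_WITH` call I would reject unknown values with `AS_CASE([$with_hardening], [yes|no], [], [AC_MSG_ERROR([--with-hardening accepts only yes or no])])` and print the chosen setting in the configure output. The macro also does not probe whether the compiler and linker accept the flags that `BUILD_HARDENING` enables in Makefile.am, so an unsupported flag would surface as a build failure rather than a configure-time message. A short comment above the `AC_DEFUN` naming the flags the option turns on would tell packagers what they are opting into, since the default is `no`.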