[Spice-devel] [PATCH spice-gtk 3/5] configure: Add an option for building the acl helper as PIE

Hans de Goede hdegoede at redhat.com
Fri Jan 27 07:58:56 PST 2012


Josh Bressers has been so kind as to review the usb-acl-helper for possible
security issues. One of his recommendations was to harden the usb-acl-helper
by building it as a Position Independent Executable.

Signed-off-by: Hans de Goede <hdegoede at redhat.com>
---
 configure.ac    |   26 ++++++++++++++++++++++++++
 gtk/Makefile.am |    2 ++
 2 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2b73fc1..95819a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -390,6 +390,32 @@ if test "x$have_usbredir" = "xyes" && test "x$have_polkit" != "xyes"; then
   AC_MSG_WARN([Building with usbredir support, but *not* building the usb acl helper])
 fi
 
+AC_ARG_ENABLE([pie],
+  AS_HELP_STRING([--enable-pie=@<:@auto/yes/no@:>@],
+                 [Enable position-independent-executable support (for the usb acl helper)@<:@default=auto@:>@]),
+  [],
+  [enable_pie="auto"])
+
+if test "x$have_polkit" = "xyes" && test "x$enable_pie" != "xno"; then
+   save_CFLAGS="$CFLAGS"
+   save_LDFLAGS="$LDFLAGS"
+   CFLAGS="$CFLAGS -fPIE"
+   LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
+   AC_MSG_CHECKING([for PIE support])
+   AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])],
+                  [have_pie=yes],
+                  [have_pie=no])
+   AC_MSG_RESULT([$have_pie])
+   if test "x$have_pie" = "xyes"; then
+       PIE_CFLAGS="-fPIE"
+       PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+       AC_SUBST(PIE_CFLAGS)
+       AC_SUBST(PIE_LDFLAGS)
+   fi
+   CFLAGS="$save_CFLAGS"
+   LDFLAGS="$save_LDFLAGS"
+fi
+
 AC_ARG_WITH([usb-acl-helper-dir],
   AS_HELP_STRING([--with-usb-acl-helper-dir=DIR],
                  [Directory where the USB ACL helper binary should be installed]),
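Review bot: An explicit `--enable-pie=yes` is handled exactly like `auto`: when the link test sets `have_pie=no`, the script only skips setting `PIE_CFLAGS`/`PIE_LDFLAGS`, so configure succeeds and the helper is built without the requested hardening. After `AC_MSG_RESULT([$have_pie])` an explicit request should fail instead, for example `if test "x$enable_pie" = "xyes" && test "x$have_pie" != "xyes"; then AC_MSG_ERROR([PIE support requested but not available]); fi`. The probe program `void main () {}` is also non-standard C and may be rejected under strict flags in the user's CFLAGS, which would report "no" for the wrong reason; `AC_LANG_PROGRAM([], [])` avoids that. Because `-fPIE`, `-pie`, `-z relro` and `-z now` are tested in one link, a toolchain lacking any one of them silently loses all of them.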
diff --git a/gtk/Makefile.am b/gtk/Makefile.am
index a244551..a5b6e29 100644
--- a/gtk/Makefile.am
+++ b/gtk/Makefile.am
@@ -376,6 +376,7 @@ spice_client_glib_usb_acl_helper_LDADD =	\
 	$(GIO_LIBS)				\
 	$(POLKIT_LIBS)				\
 	$(ACL_LIBS)				\
+	$(PIE_LDFLAGS)				\
 	$(NULL)
 
 spice_client_glib_usb_acl_helper_CPPFLAGS =	\
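Review bot: `$(PIE_LDFLAGS)` is added to `spice_client_glib_usb_acl_helper_LDADD`, which automake intends for objects and libraries; linker options such as `-pie -Wl,-z,relro -Wl,-z,now` belong in `spice_client_glib_usb_acl_helper_LDFLAGS`. The same applies to the next hunk, where `$(PIE_CFLAGS)` (`-fPIE`, a code-generation flag rather than a preprocessor flag) goes into `spice_client_glib_usb_acl_helper_CPPFLAGS` instead of `spice_client_glib_usb_acl_helper_CFLAGS`. Both placements probably work with gcc, but the per-target `_LDFLAGS`/`_CFLAGS` variables keep the hardening flags where someone auditing the helper's build would look for them. Whether the file already defines those variables for the helper is not visible in these hunks.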
@@ -383,6 +384,7 @@ spice_client_glib_usb_acl_helper_CPPFLAGS =	\
 	$(GLIB2_CFLAGS)				\
 	$(GIO_CFLAGS)				\
 	$(POLKIT_CFLAGS)			\
+	$(PIE_CFLAGS)				\
 	$(NULL)
 
 install-data-hook:
-- 
1.7.7.6


