[Spice-devel] [PATCH spice-gtk 3/5] configure: Add an option for building the acl helper as PIE
Christophe Fergeau
cfergeau at redhat.com
Fri Jan 27 10:08:49 PST 2012
On Fri, Jan 27, 2012 at 04:58:56PM +0100, Hans de Goede wrote:
> Josh Bressers has been so kind to review the usb-acl-helper for possible
> security issues. One of his recommendations was to harden the usb-acl-helper
> by building it as a Position Independent Executable.
>
> Signed-off-by: Hans de Goede <hdegoede at redhat.com>
> ---
> configure.ac | 26 ++++++++++++++++++++++++++
> gtk/Makefile.am | 2 ++
> 2 files changed, 28 insertions(+), 0 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 2b73fc1..95819a8 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -390,6 +390,32 @@ if test "x$have_usbredir" = "xyes" && test "x$have_polkit" != "xyes"; then
> AC_MSG_WARN([Building with usbredir support, but *not* building the usb acl helper])
> fi
>
> +AC_ARG_ENABLE([pie],
> + AS_HELP_STRING([--enable-pie=@<:@auto/yes/no@:>@],
> + [Enable position-independent-executable support (for the usb acl helper)@<:@default=auto@:>@]),
> + [],
> + [enable_pie="auto"])
> +
> +if test "x$have_polkit" = "xyes" && test "x$enable_pie" != "xno"; then
> + save_CFLAGS="$CFLAGS"
> + save_LDFLAGS="$LDFLAGS"
> + CFLAGS="$CFLAGS -fPIE"
> + LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
> + AC_MSG_CHECKING([for PIE support])
> + AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])],
> + [have_pie=yes],
> + [have_pie=no])
> + AC_MSG_RESULT([$have_pie])
> + if test "x$have_pie" = "xyes"; then
> + PIE_CFLAGS="-fPIE"
> + PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
> + AC_SUBST(PIE_CFLAGS)
> + AC_SUBST(PIE_LDFLAGS)
I'd add
else; if "x$enable_pie" = "xyes"; then AC_MSG_ERROR([pie requested but not
supported by the C compiler]); fi
otherwise yes/auto are the same.
> + fi
> + CFLAGS="$save_CFLAGS"
> + LDFLAGS="$save_LDFLAGS"
> +fi
> +
> AC_ARG_WITH([usb-acl-helper-dir],
> AS_HELP_STRING([--with-usb-acl-helper-dir=DIR],
> [Directory where the USB ACL helper binary should be installed]),
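Review bot: The PIE probe `AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])]` uses a non-standard `void main`, so a toolchain with warnings promoted to errors in `CFLAGS` can fail it for a reason unrelated to PIE. Under `auto` the helper is then built with no hardening at all and only a "no" in the configure output; `AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],` is the more robust probe. The single test also ties `-Wl,-z,relro -Wl,-z,now` to `-pie`, so a linker that accepts the RELRO/BIND_NOW options but not `-pie` loses all three. Probing the linker options separately from `-fPIE`/`-pie` would keep whichever protections the toolchain supports. A short comment above the block, such as `# Hardening for the usb acl helper: PIE plus full RELRO`, would also record why these flags are applied to this one binary only.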
> diff --git a/gtk/Makefile.am b/gtk/Makefile.am
> index a244551..a5b6e29 100644
> --- a/gtk/Makefile.am
> +++ b/gtk/Makefile.am
> @@ -376,6 +376,7 @@ spice_client_glib_usb_acl_helper_LDADD = \
> $(GIO_LIBS) \
> $(POLKIT_LIBS) \
> $(ACL_LIBS) \
> + $(PIE_LDFLAGS) \
> $(NULL)
>
> spice_client_glib_usb_acl_helper_CPPFLAGS = \
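Review bot: `$(PIE_LDFLAGS)` is appended to `spice_client_glib_usb_acl_helper_LDADD`, but automake reserves `_LDADD` for objects and libraries (`-l`, `-L`). Linker options such as `-pie -Wl,-z,relro -Wl,-z,now` belong in a per-target `spice_client_glib_usb_acl_helper_LDFLAGS = $(PIE_LDFLAGS)`. They would then sit on the link line with the other flags rather than after the libraries, where a later reordering could drop them unnoticed. The next hunk has a similar placement: `-fPIE` is a code-generation flag but goes into `_CPPFLAGS`, which appears to match how this file already passes the `*_CFLAGS` variables, so `spice_client_glib_usb_acl_helper_CFLAGS = $(PIE_CFLAGS)` would be the stricter choice. Because this is a hardening change, it would also help to check the built helper (for example `readelf -h` reporting type `DYN` and `readelf -d` showing `BIND_NOW`) to confirm the flags reach the final link.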
> @@ -383,6 +384,7 @@ spice_client_glib_usb_acl_helper_CPPFLAGS = \
> $(GLIB2_CFLAGS) \
> $(GIO_CFLAGS) \
> $(POLKIT_CFLAGS) \
> + $(PIE_CFLAGS) \
> $(NULL)
>
> install-data-hook:
> --
> 1.7.7.6
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel