[Spice-devel] [PATCH spice-gtk 3/5] configure: Add an option for building the acl helper as PIE

Hans de Goede hdegoede at redhat.com
Sat Jan 28 01:46:46 PST 2012


Hi,

Marc-André, Christophe, thanks for the reviews!

Marc-André, Christophe reviewed my usb device selection widget patches,
but he wanted a second opinion before I push them, so could you
please take a look?

On 01/27/2012 07:08 PM, Christophe Fergeau wrote:
> On Fri, Jan 27, 2012 at 04:58:56PM +0100, Hans de Goede wrote:
>> Josh Bressers has been so kind to review the usb-acl-helper for possible
>> security issues. One of his recommendations was to harden the usb-acl-helper
>> by building it as a Position Independent Executable.
>>
>> Signed-off-by: Hans de Goede<hdegoede at redhat.com>
>> ---
>>   configure.ac    |   26 ++++++++++++++++++++++++++
>>   gtk/Makefile.am |    2 ++
>>   2 files changed, 28 insertions(+), 0 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 2b73fc1..95819a8 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -390,6 +390,32 @@ if test "x$have_usbredir" = "xyes"&&  test "x$have_polkit" != "xyes"; then
>>     AC_MSG_WARN([Building with usbredir support, but *not* building the usb acl helper])
>>   fi
>>
>> +AC_ARG_ENABLE([pie],
>> +  AS_HELP_STRING([--enable-pie=@<:@auto/yes/no@:>@],
>> +                 [Enable position-independent-executable support (for the usb acl helper)@<:@default=auto@:>@]),
>> +  [],
>> +  [enable_pie="auto"])
>> +
>> +if test "x$have_polkit" = "xyes"&&  test "x$enable_pie" != "xno"; then
>> +   save_CFLAGS="$CFLAGS"
>> +   save_LDFLAGS="$LDFLAGS"
>> +   CFLAGS="$CFLAGS -fPIE"
>> +   LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now"
>> +   AC_MSG_CHECKING([for PIE support])
>> +   AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])],
>> +                  [have_pie=yes],
>> +                  [have_pie=no])
>> +   AC_MSG_RESULT([$have_pie])
>> +   if test "x$have_pie" = "xyes"; then
>> +       PIE_CFLAGS="-fPIE"
>> +       PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
>> +       AC_SUBST(PIE_CFLAGS)
>> +       AC_SUBST(PIE_LDFLAGS)
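
Review bot: The link test in AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])], ...) uses a non-standard "void main", so a build whose CFLAGS turn the resulting warning into an error would get have_pie=no and, with the default of auto, lose the hardening with nothing more than a "no" in the configure output. Using AC_LANG_PROGRAM([], []) or "int main (void) { return 0; }" as the test source avoids that. The same single test also covers -pie, -Wl,-z,relro and -Wl,-z,now together, so a linker that rejects only one of them drops all three; testing them separately would keep whatever is supported. The flag strings are also written twice, once for the test and once for PIE_CFLAGS/PIE_LDFLAGS; setting the PIE_ variables first and running the test with them would keep the two copies from drifting apart.
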
>
> I'd add
> else if test "x$enable_pie" = "xyes"; then AC_MSG_ERROR([pie requested but not
> supported by the C compiler]); fi
>
> otherwise yes/auto are the same.
>

Ah yes I already noticed that myself and I was planning on fixing it, but didn't.
I've fixed this before pushing.

Thanks & Regards,

Hans

