authorFrédéric Bérat <fberat@redhat.com>2023-03-17 10:14:50 +0100
committerFrédéric Bérat <fberat@redhat.com>2023-07-05 16:59:34 +0200
commit64d9580cdf7e417170abbef0327e04b29712e949 (patch)
tree05b117ca603d615df45b6b006a98c8fe5242599b /configure
parente18c293af0ece38921ad71fbd76ff8049c3b2d67 (diff)
Allow glibc to be built with _FORTIFY_SOURCE
Add --enable-fortify-source option. It is now possible to enable fortification through a configure option. The level may be given as a parameter; if none is provided, the configure script determines the highest level that can be set given the availability of GCC built-ins and sets it. If the level is explicitly set to 3, configure checks whether the compiler supports the built-in function necessary for it and raises an error if it doesn't. If the configure option isn't explicitly enabled, _FORTIFY_SOURCE is forcibly undefined (and therefore disabled). The results of the configure checks are new variables, ${fortify_source} and ${no_fortify_source}, that can be used to appropriately populate CFLAGS. A dedicated patch will follow to make use of this variable in Makefiles when necessary. Updated NEWS and INSTALL. Adding dedicated x86_64 variant that enables the configuration. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'configure')
-rwxr-xr-xconfigure83
1 files changed, 65 insertions, 18 deletions
diff --git a/configure b/configure
index f84040644b..1833a4ce66 100755
--- a/configure
+++ b/configure
@@ -611,7 +611,10 @@ libc_cv_gcc_unwind_find_fde
libc_extra_cppflags
libc_extra_cflags
libc_cv_cxx_thread_local
-CPPUNDEFS
+fortify_source
+no_fortify_source
+libc_cv_fortify_source
+enable_fortify_source
have_selinux
have_libcap
have_libaudit
@@ -782,6 +785,7 @@ enable_pt_chown
enable_mathvec
enable_cet
enable_scv
+enable_fortify_source
with_cpu
'
ac_precious_vars='build_alias
@@ -1452,6 +1456,10 @@ Optional Features:
(CET), x86 only
--disable-scv syscalls will not use scv instruction, even if the
kernel supports it, powerpc only
+ --enable-fortify-source[=1|2|3]
+ Use -D_FORTIFY_SOURCE=[1|2|3] to control code
+ hardening, defaults to highest possible value
+ supported by the build compiler.
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
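Review bot: The help text's "defaults to highest possible value supported by the build compiler" can be read as describing what happens when the option is omitted, but the option-parsing hunk further down sets `enable_fortify_source=no` in that case, so fortification is off unless the flag is passed. The default being described is the level picked when the flag is given without a value. Suggested wording: `Use -D_FORTIFY_SOURCE=[1|2|3] to control code hardening; without a value, the highest level supported by the build compiler is used; disabled if the option is not given.` Since configure is generated, the text would be changed in the autoconf input.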
@@ -3717,6 +3725,18 @@ if test "$use_scv" != "no"; then :
fi
+# Check whether --enable-fortify-source was given.
+if test "${enable_fortify_source+set}" = set; then :
+ enableval=$enable_fortify_source; enable_fortify_source=$enableval
+else
+ enable_fortify_source=no
+fi
+
+case "$enable_fortify_source" in
+1|2|3|no|yes) ;;
+*) as_fn_error $? "Not a valid argument for --enable-fortify-source: \"$enable_fortify_source\"" "$LINENO" 5;;
+esac
+
# We keep the original values in `$config_*' and never modify them, so we
# can write them unchanged into config.make. Everything else uses
# $machine, $vendor, and $os, and changes them whenever convenient.
@@ -6353,40 +6373,67 @@ $as_echo "#define HAVE_LIBCAP 1" >>confdefs.h
fi
-CPPUNDEFS=
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FORTIFY_SOURCE predefine" >&5
-$as_echo_n "checking for _FORTIFY_SOURCE predefine... " >&6; }
-if ${libc_cv_predef_fortify_source+:} false; then :
+no_fortify_source="-Wp,-U_FORTIFY_SOURCE"
+fortify_source="${no_fortify_source}"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __builtin_dynamic_object_size" >&5
+$as_echo_n "checking for __builtin_dynamic_object_size... " >&6; }
+if ${libc_cv___builtin_dynamic_object_size+:} false; then :
$as_echo_n "(cached) " >&6
else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
-
-#ifdef _FORTIFY_SOURCE
-# error bogon
-#endif
+__builtin_dynamic_object_size("", 0)
;
return 0;
}
_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
- libc_cv_predef_fortify_source=no
+if ac_fn_c_try_link "$LINENO"; then :
+ libc_cv___builtin_dynamic_object_size=yes
+ if test "$enable_fortify_source" = yes; then :
+ enable_fortify_source=3
+fi
else
- libc_cv_predef_fortify_source=yes
+ libc_cv___builtin_dynamic_object_size=no
+ if test "$enable_fortify_source" = yes; then :
+ enable_fortify_source=2
fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_predef_fortify_source" >&5
-$as_echo "$libc_cv_predef_fortify_source" >&6; }
-if test $libc_cv_predef_fortify_source = yes; then
- CPPUNDEFS="${CPPUNDEFS:+$CPPUNDEFS }-U_FORTIFY_SOURCE"
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv___builtin_dynamic_object_size" >&5
+$as_echo "$libc_cv___builtin_dynamic_object_size" >&6; }
+
+case $enable_fortify_source in #(
+ 1|2) :
+ libc_cv_fortify_source=yes ;; #(
+ 3) :
+ if test "$libc_cv___builtin_dynamic_object_size" = yes; then :
+ libc_cv_fortify_source=yes
+else
+ as_fn_error $? "Compiler doesn't provide necessary support for _FORTIFY_SOURCE=3" "$LINENO" 5
+fi ;; #(
+ *) :
+ libc_cv_fortify_source=no ;;
+esac
+
+if test "$libc_cv_fortify_source" = yes; then :
+ fortify_source="${fortify_source},-D_FORTIFY_SOURCE=${enable_fortify_source}"
+
fi
+
+
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the assembler requires one version per symbol" >&5
$as_echo_n "checking whether the assembler requires one version per symbol... " >&6; }
if ${libc_cv_symver_needs_alias+:} false; then :
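Review bot: The mapping of a bare `--enable-fortify-source` (`yes`) to level 3 or 2 sits inside the cache-miss branch of the `__builtin_dynamic_object_size` check, so it never runs when `libc_cv___builtin_dynamic_object_size` is already set (a reused config.cache, for instance). `enable_fortify_source` then stays `yes`, the `case` below falls through to `*)`, and `fortify_source` is left at `-Wp,-U_FORTIFY_SOURCE`, so hardening that was requested is dropped without an error. Resolving `yes` in the `case` itself, from the cached result, removes the dependency on the check body having executed; since configure is generated, the change would go into the autoconf input. Printing the level finally selected would also let a builder notice when `yes` resolved to 2 rather than 3.

```shell
# … unchanged: __builtin_dynamic_object_size link check, without the two `test "$enable_fortify_source" = yes` blocks …
case $enable_fortify_source in #(
  yes) :
    libc_cv_fortify_source=yes
    if test "$libc_cv___builtin_dynamic_object_size" = yes; then :
  enable_fortify_source=3
else
  enable_fortify_source=2
fi ;; #(
# … unchanged: 1|2, 3 and * arms …
esac
```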