add hardening flags - libextractor

commit 150ca6a82afd79aa427154710b37af3013f04dfc
parent 5ca4e2662113cb70fbcf40fc96d51f320d5d86fe
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun,  5 Aug 2012 23:27:15 +0000

add hardening flags

Diffstat:
M configure.ac  | 21 +++++++++++++++++++++

1 file changed, 21 insertions(+), 0 deletions(-)
diff --git a/configure.ac b/configure.ac
@@ -207,6 +207,27 @@ fi
 AM_CONDITIONAL(HAVE_CXX, test "x$HAVE_CXX" = "xyes")
 
 
+# Adam shostack suggests the following for Windows:
+# -D_FORTIFY_SOURCE=2 -fstack-protector-all
+AC_ARG_ENABLE(gcc-hardening,
+   AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
+[if test x$enableval = xyes; then
+    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
+    CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
+    CFLAGS="$CFLAGS --param ssp-buffer-size=1"
+    LDFLAGS="$LDFLAGS -pie"
+fi])
+
+
+# Linker hardening options
+# Currently these options are ELF specific - you can't use this with MacOSX
+AC_ARG_ENABLE(linker-hardening,
+  AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
+[if test x$enableval = xyes; then
+   LDFLAGS="$LDFLAGS -z relro -z now"
+fi])
+
+
 # Checks for libraries.
 
 # Redhat 9, gcc 3.2, libextractor_pdf barfs if we don't check for this

	libextractor GNU libextractor
	Log \| Files \| Refs \| Submodules \| README \| LICENSE