--- a/configure.ac +++ b/configure.ac @@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden, if test "$hardenbuild" -eq 1; then AC_MSG_NOTICE(Checking for available hardened build flags:) - # relocation flags don't make sense for static builds - if test "$STATIC" -ne 1; then - # pie - DB_TRYADDCFLAGS([-fPIE]) - - OLDLDFLAGS="$LDFLAGS" - TESTFLAGS="-Wl,-pie" - LDFLAGS="$TESTFLAGS $LDFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [ - LDFLAGS="$OLDLDFLAGS" - TESTFLAGS="-pie" - LDFLAGS="$TESTFLAGS $LDFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] - ) - ] - ) - # readonly elf relocation sections (relro) - OLDLDFLAGS="$LDFLAGS" - TESTFLAGS="-Wl,-z,now -Wl,-z,relro" - LDFLAGS="$TESTFLAGS $LDFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] - ) - fi # non-static - # stack protector. -strong is good but only in gcc 4.9 or later - OLDCFLAGS="$CFLAGS" - TESTFLAGS="-fstack-protector-strong" - CFLAGS="$TESTFLAGS $CFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [ - CFLAGS="$OLDCFLAGS" - TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4" - CFLAGS="$TESTFLAGS $CFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ] - ) - ] - ) - # FORTIFY_SOURCE - DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2]) - # Spectre v2 mitigations DB_TRYADDCFLAGS([-mfunction-return=thunk]) DB_TRYADDCFLAGS([-mindirect-branch=thunk])