Enable use of Relocations Read-Only, if supported, for enhanced security.

(This used to be commit c20c5f082162ff6c0c2931f456897334aa002e83)

2 files changed, 29 insertions, 2 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index ac33a11a1e..376d24ca2f 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -43,8 +43,8 @@ CPPFLAGS=-DHAVE_CONFIG_H @CPPFLAGS@
 
 EXEEXT=@EXEEXT@
 AR=@AR@
-LDSHFLAGS=@LDSHFLAGS@ @LDFLAGS@
-LDFLAGS=@PIE_LDFLAGS@ @LDFLAGS@
+LDSHFLAGS=@LDSHFLAGS@ @RELRO_LDFLAGS@ @LDFLAGS@
+LDFLAGS=@PIE_LDFLAGS@ @RELRO_LDFLAGS@ @LDFLAGS@
 
 WINBIND_NSS_LDSHFLAGS=@WINBIND_NSS_LDSHFLAGS@ @LDFLAGS@
 AWK=@AWK@
diff --git a/source3/configure.in b/source3/configure.in
index 056c0f8049..f884d9344a 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -73,6 +73,7 @@ AC_SUBST(HOST_OS)
 AC_SUBST(PICFLAG)
 AC_SUBST(PIE_CFLAGS)
 AC_SUBST(PIE_LDFLAGS)
+AC_SUBST(RELRO_LDFLAGS)
 AC_SUBST(SHLIBEXT)
 AC_SUBST(INSTALLLIBCMD_SH)
 AC_SUBST(INSTALLLIBCMD_A)
@@ -1513,6 +1514,32 @@ EOF
 	fi
 fi
 
+# Set defaults
+RELRO_LDFLAGS=""
+AC_ARG_ENABLE(relro, [AS_HELP_STRING([--enable-relro], [Turn on Relocations Read-Only (relro) support if available (default=yes)])])
+
+if test "x$enable_relro" != xno
+then
+	AC_CACHE_CHECK([for -Wl,-z,relro], samba_cv_relro,
+	[
+		cat > conftest.c <<EOF
+int foo;
+main () { return 0;}
+EOF
+		if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -Wl,-z,relro -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
+		then
+			samba_cv_relro=yes
+		else
+			samba_cv_relro=no
+		fi
+		rm -f conftest*
+	])
+	if test x"${samba_cv_relro}" = x"yes"
+	then
+		RELRO_LDFLAGS="-Wl,-z,relro"
+	fi
+fi
+
 # Assume non-shared by default and override below
 BLDSHARED="false"