summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@samba.org>2013-07-05 08:13:56 +0200
committerJeremy Allison <jra@samba.org>2013-07-09 13:00:37 -0700
commit191e6b9441d6789ecc16a3a80eb36ec5b410c083 (patch)
treed0c98fb7f4bf4a7c032861c5089c3371a5f37e27
parentaef8aad638b916026651d900b91e963897b31c1a (diff)
downloadsamba-191e6b9441d6789ecc16a3a80eb36ec5b410c083.tar.gz
samba-191e6b9441d6789ecc16a3a80eb36ec5b410c083.tar.bz2
samba-191e6b9441d6789ecc16a3a80eb36ec5b410c083.zip
waf: Build with RELRO if supported by the compiler.
Make sure we create binaries with full RELocation Read-Only support. See https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/ for more details. The default is to check if the compiler supports RELRO and then enable it. Specifying '--with-relro' will make it mandatory and '--without-relro' will disable it. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
-rw-r--r--buildtools/wafsamba/wafsamba.py2
-rw-r--r--wscript18
2 files changed, 20 insertions, 0 deletions
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index aaa09392f1..caa6fb128d 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -348,6 +348,8 @@ def SAMBA_BINARY(bld, binname, source,
if bld.env['ENABLE_PIE'] == True:
pie_cflags += ' -fPIE'
pie_ldflags.extend(TO_LIST('-pie'))
+ if bld.env['ENABLE_RELRO'] == True:
+ pie_ldflags.extend(TO_LIST('-Wl,-z,relro,-z,now'))
# first create a target for building the object files for this binary
# by separating in this way, we avoid recompiling the C files
diff --git a/wscript b/wscript
index 83c82e3540..47b7b50639 100644
--- a/wscript
+++ b/wscript
@@ -64,6 +64,14 @@ def set_options(opt):
help=("Disable Position Independent Executable builds"),
action="store_false", dest='enable_pie')
+ opt.add_option('--with-relro',
+ help=("Build with full RELocation Read-Only (RELRO)" +
+ "(default if supported by compiler)"),
+ action="store_true", dest='enable_relro')
+ opt.add_option('--without-relro',
+ help=("Disable RELRO builds"),
+ action="store_false", dest='enable_relro')
+
gr = opt.option_group('developer options')
@@ -178,6 +186,16 @@ def configure(conf):
msg="Checking compiler for PIE support"):
conf.env['ENABLE_PIE'] = True
+ if Options.options.enable_relro != False:
+ if Options.options.enable_relro == True:
+ need_relro = True
+ else:
+ # not specified, only build RELROs if supported by compiler
+ need_relro = False
+ if conf.check_cc(cflags='', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro,
+ msg="Checking compiler for full RELRO support"):
+ conf.env['ENABLE_RELRO'] = True
+
def etags(ctx):
'''build TAGS file using etags'''
import Utils