From 191e6b9441d6789ecc16a3a80eb36ec5b410c083 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Jul 2013 08:13:56 +0200 Subject: waf: Build with RELRO if supported by the compiler. Make sure we create binaries with full RELocation Read-Only support. See https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/ for more details. The default is to check if the compiler supports RELRO and then enable it. Specifying '--with-relro' will make it mandatory and '--without-relro' will disable it. Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison --- buildtools/wafsamba/wafsamba.py | 2 ++ wscript | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index aaa09392f1..caa6fb128d 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -348,6 +348,8 @@ def SAMBA_BINARY(bld, binname, source, if bld.env['ENABLE_PIE'] == True: pie_cflags += ' -fPIE' pie_ldflags.extend(TO_LIST('-pie')) + if bld.env['ENABLE_RELRO'] == True: + pie_ldflags.extend(TO_LIST('-Wl,-z,relro,-z,now')) # first create a target for building the object files for this binary # by separating in this way, we avoid recompiling the C files diff --git a/wscript b/wscript index 83c82e3540..47b7b50639 100644 --- a/wscript +++ b/wscript @@ -64,6 +64,14 @@ def set_options(opt): help=("Disable Position Independent Executable builds"), action="store_false", dest='enable_pie') + opt.add_option('--with-relro', + help=("Build with full RELocation Read-Only (RELRO)" + + "(default if supported by compiler)"), + action="store_true", dest='enable_relro') + opt.add_option('--without-relro', + help=("Disable RELRO builds"), + action="store_false", dest='enable_relro') + gr = opt.option_group('developer options') 
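Review bot: The RELRO flags in the added `if bld.env['ENABLE_RELRO'] == True:` branch go into `pie_ldflags` inside SAMBA_BINARY, and the patch touches no library rule, so shared libraries and modules are presumably still linked without `-z relro -z now`, although their GOT benefits from it just as much. If executables-only is intended, a comment such as `# RELRO is applied to executables only; libraries are linked without it` would make the scope explicit; otherwise the same flags need adding wherever library ldflags are assembled. The literal `'-Wl,-z,relro,-z,now'` is also repeated from the configure check in wscript, so the probed flags and the applied flags can drift apart over time. SAMBA_BINARY's body starts and ends outside the hunk.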
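Review bot: The two help fragments for `--with-relro` are concatenated without a separator, so the option help reads `...(RELRO)(default if supported by compiler)`; a trailing space in the first fragment fixes it: `help=("Build with full RELocation Read-Only (RELRO) " +`. Neither option sets a default, so `enable_relro` is presumably None when no flag is given, and configure() depends on that third state to mean "auto". A short comment here, e.g. `# no default: None means auto-detect in configure()`, would stop a later `default=` from silently changing the hardening behaviour. set_options continues outside the hunk.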
@@ -178,6 +186,16 @@ def configure(conf): msg="Checking compiler for PIE support"): conf.env['ENABLE_PIE'] = True + if Options.options.enable_relro != False: + if Options.options.enable_relro == True: + need_relro = True + else: + # not specified, only build RELROs if supported by compiler + need_relro = False + if conf.check_cc(cflags='', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro, + msg="Checking compiler for full RELRO support"): + conf.env['ENABLE_RELRO'] = True + def etags(ctx): '''build TAGS file using etags''' import Utils -- cgit
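Review bot: When neither option is given and the `conf.check_cc(...)` probe fails, `ENABLE_RELRO` is never set and the build goes on without RELRO; the only trace is the "Checking compiler for full RELRO support" line in the configure output. Because the probe tests `-z relro` and `-z now` together, a linker that accepts only the first would, it seems, get no RELRO at all rather than partial RELRO. A comment above the check stating both, e.g. `# auto mode: a failed probe leaves RELRO off (full RELRO or nothing)`, would make that trade-off visible to whoever audits the build hardening. The four-line if/else can also be written as `need_relro = (Options.options.enable_relro == True)`. configure() starts outside the hunk.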