configure: Implement --enable-host-pie

This patch implements the --enable-host-pie configure option which makes the compiler executables PIE. This can be used to enhance protection against ROP attacks, and can be viewed as part of a wider trend to harden binaries. Co-Authored by: Iain Sandoe <iain@sandoe.co.uk> * configure.ac (--enable-host-pie): New check. Set PICFLAG after this check. intl/ * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. libdecnumber/ * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. zlib/ * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check.
2024-11-23 01:53:38 +08:00 · 2023-08-07 13:07:12 +02:00 · 2023-08-07 13:07:12 +02:00 · 60b42421e9
commit 60b42421e9
parent 947edb094e
4 changed files with 97 additions and 7 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1987,6 +1987,28 @@ AC_ARG_ENABLE(linker-plugin-flags,
  extra_linker_plugin_flags=)
 AC_SUBST(extra_linker_plugin_flags)

+# Enable --enable-host-pie.
+# Checked early to determine whether jit is an 'all' language
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+		[build position independent host executables])],
+[host_pie=$enableval
+ case $host in
+   x86_64-*-darwin* | aarch64-*-darwin*)
+     if test x$host_pie != xyes ; then
+       # PIC is the default, and actually cannot be switched off.
+       echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2
+       host_pie=yes
+     fi ;;
+  *) ;;
+ esac],
+[case $host in
+  *-*-darwin2*) host_pie=yes ;;
+  *) host_pie=no ;;
+ esac])
+
+AC_SUBST(host_pie)
+
 # Enable --enable-host-shared.
 # Checked early to determine whether jit is an 'all' language
 AC_ARG_ENABLE(host-shared,
@ -2000,20 +2022,37 @@ AC_ARG_ENABLE(host-shared,
       echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2
       host_shared=yes
     fi ;;
+   *-*-darwin*)
+     if test x$host_pie == xyes ; then
+       echo configure.ac: warning: PIC code is required for PIE executables. 1>&2
+       host_shared=yes
+     fi ;;
  *) ;;
 esac],
 [case $host in
  x86_64-*-darwin* | aarch64-*-darwin*) host_shared=yes ;;
-  *) host_shared=no ;;
+  # Darwin needs PIC objects to link PIE executables.
+  *-*-darwin*) host_shared=host_pie ;;
+  *) host_shared=no;;
 esac])

 AC_SUBST(host_shared)

+if test x$host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
+AC_SUBST(PICFLAG)
+
 # If we are building PIC/PIE host executables, and we are building dependent
 # libs (e.g. GMP) in-tree those libs need to be configured to generate PIC
 # code.
 host_libs_picflag=
-if test "$host_shared" = "yes";then
+if test "$host_shared" = "yes" -o "$host_pie" = "yes"; then
 host_libs_picflag='--with-pic'
 fi
 AC_SUBST(host_libs_picflag)
--- a/intl/configure.ac
+++ b/intl/configure.ac
@ -73,5 +73,26 @@ fi
 AC_SUBST(BISON3_YES)
 AC_SUBST(BISON3_NO)

+# Enable --enable-host-shared.
+AC_ARG_ENABLE(host-shared,
+[AS_HELP_STRING([--enable-host-shared],
+       [build host code as shared libraries])])
+AC_SUBST(enable_host_shared)
+
+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+       [build host code as PIE])])
+AC_SUBST(enable_host_pie)
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+AC_SUBST(PICFLAG)
+
 AC_CONFIG_FILES(Makefile config.intl)
 AC_OUTPUT
--- a/libdecnumber/configure.ac
+++ b/libdecnumber/configure.ac
@ -99,8 +99,23 @@ AC_C_BIGENDIAN
 # Enable --enable-host-shared.
 AC_ARG_ENABLE(host-shared,
 [AS_HELP_STRING([--enable-host-shared],
-		[build host code as shared libraries])],
-[PICFLAG=-fPIC], [PICFLAG=])
+		[build host code as shared libraries])])
+AC_SUBST(enable_host_shared)
+
+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+		[build host code as PIE])])
+AC_SUBST(enable_host_pie)
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
 AC_SUBST(PICFLAG)

 # Output.
--- a/zlib/configure.ac
+++ b/zlib/configure.ac
@ -121,11 +121,26 @@ else
  multilib_arg=
 fi

+# Enable --enable-host-shared.
 AC_ARG_ENABLE(host-shared,
 [AS_HELP_STRING([--enable-host-shared],
-		[build host code as shared libraries])],
-[PICFLAG=-fPIC], [PICFLAG=])
-AC_SUBST(PICFLAG)
+		[build host code as shared libraries])])
+AC_SUBST(enable_host_shared)

+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+		[build host code as PIE])])
+AC_SUBST(enable_host_pie)
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
+AC_SUBST(PICFLAG)
 AC_CONFIG_FILES([Makefile])
 AC_OUTPUT