Posted to commits@mesos.apache.org by mp...@apache.org on 2016/12/21 03:08:15 UTC
[3/3] mesos git commit: Added hardening compilation flags for stout.
Added hardening compilation flags for stout.
Take compile flag macro at `391cb680171d3889965b1ead43d3a326c913bc25`.
The macro at `1a869696e4129279f7b99c3f9052717354b79a86` requires
autoconf 2.64 which breaks on CentOS 6.
Review: https://reviews.apache.org/r/52696/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/d32cabd0
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/d32cabd0
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/d32cabd0
Branch: refs/heads/master
Commit: d32cabd0c24ba6f8ddc74b0e3ac5b4278d8373bc
Parents: 982ae88
Author: Aaron Wood <aa...@verizon.com>
Authored: Fri Dec 16 15:48:14 2016 -0800
Committer: Michael Park <mp...@apache.org>
Committed: Tue Dec 20 18:55:32 2016 -0500
----------------------------------------------------------------------
3rdparty/stout/Makefile.am | 18 ++++++
3rdparty/stout/configure.ac | 15 +++++
3rdparty/stout/m4/ax_check_compile_flag.m4 | 74 +++++++++++++++++++++++++
3 files changed, 107 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/d32cabd0/3rdparty/stout/Makefile.am
----------------------------------------------------------------------
diff --git a/3rdparty/stout/Makefile.am b/3rdparty/stout/Makefile.am
index e043412..2d27da7 100644
--- a/3rdparty/stout/Makefile.am
+++ b/3rdparty/stout/Makefile.am
@@ -12,6 +12,24 @@
# Makefile for stout.
+# Enable common (and some language specific) warnings.
+AM_CXXFLAGS = -Wall
+# Warn when a comparison is made between signed and unsigned values.
+AM_CXXFLAGS += -Wsign-compare
+# Warn about use of format functions that can produce security issues.
+AM_CXXFLAGS += -Wformat-security
+
+# We will also have much more hardened/secured binaries and libraries.
+if ENABLE_HARDENING
+# Protect many of the functions with stack guards
+# (either -fstack-protector-strong or -fstack-protector depending on compiler support).
+AM_CXXFLAGS += @STACK_PROTECTOR@
+# Better protect against potential buffer overflow attacks.
+AM_CXXFLAGS += -D_FORTIFY_SOURCE=2
+# Produce position independent code when appropriate.
+AM_CXXFLAGS += -fPIC -fPIE
+endif
+
AUTOMAKE_OPTIONS = foreign
if STANDALONE_STOUT
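Review bot: `-fPIE` on the `AM_CXXFLAGS += -fPIC -fPIE` line only changes code generation, and nothing in this hunk adds `-pie` at link time, so executables end up position independent only if the toolchain links PIE by default. Passing both `-fPIC` and `-fPIE` to every object also leaves the compiler to pick one, while objects that go into shared libraries should be built with `-fPIC` alone; splitting this into per-target flags (with `-pie` in the `_LDFLAGS` of program targets) would make the intent explicit. Separately, `-D_FORTIFY_SOURCE=2` does nothing without optimization and glibc warns about it at `-O0`, so the comment above it could read `# Only effective when building with optimization (-O1 or higher).`, and as a preprocessor define it fits better in `AM_CPPFLAGS`.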
http://git-wip-us.apache.org/repos/asf/mesos/blob/d32cabd0/3rdparty/stout/configure.ac
----------------------------------------------------------------------
diff --git a/3rdparty/stout/configure.ac b/3rdparty/stout/configure.ac
index 1f1391b..cac1457 100644
--- a/3rdparty/stout/configure.ac
+++ b/3rdparty/stout/configure.ac
@@ -68,6 +68,12 @@ AC_CONFIG_FILES([3rdparty/gmock_sources.cc])
# Optional features.
###############################################################################
+AC_ARG_ENABLE([hardening],
+ AS_HELP_STRING([--disable-hardening],
+ [disables security measures such as stack
+ protection and position independent library code]),
+ [], [enable_hardening=yes])
+
AC_ARG_ENABLE([bundled],
AS_HELP_STRING([--disable-bundled],
[build against preinstalled dependencies instead
@@ -581,6 +587,9 @@ libsubversion-1 is required for stout tests to build.
# Compiler checks.
###############################################################################
+# Check to see if we should harden or not.
+AM_CONDITIONAL([ENABLE_HARDENING], [test x"$enable_hardening" = "xyes"])
+
AS_CASE($ax_cv_cxx_compiler_vendor,
[clang], [
# Check if -Wno-unused-local-typedef is needed by checking a sample
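Review bot: The `AM_CONDITIONAL([ENABLE_HARDENING], ...)` test turns hardening on only when `enable_hardening` is exactly `yes`, so a value such as `--enable-hardening=true` silently yields an unhardened build. The `AC_ARG_ENABLE([hardening], ...)` call in the previous hunk has an empty action-if-given, so nothing validates the value before it reaches this test. Failing closed is the safer default for a security switch: `AM_CONDITIONAL([ENABLE_HARDENING], [test x"$enable_hardening" != "xno"])`, or reject anything other than `yes`/`no` with `AC_MSG_ERROR` in the action-if-given. A configure-time summary line reporting whether hardening is enabled would also make an accidental opt-out visible in build logs.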
@@ -628,6 +637,12 @@ AS_CASE($ax_cv_cxx_compiler_vendor,
]
)
+# If our compiler supports strong stack protection, use it.
+# If not, use a lesser form of stack protection.
+AX_CHECK_COMPILE_FLAG([-fstack-protector-strong],
+ [AC_SUBST(STACK_PROTECTOR, "-fstack-protector-strong")],
+ [AC_SUBST(STACK_PROTECTOR, "-fstack-protector")])
+
# Ensure that the build environment supports C++11 (with "strict" conformance),
# and set "--std=" flag and CXXFLAGS environment variable as appropriate.
AX_CXX_COMPILE_STDCXX([11], [noext], [mandatory])
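Review bot: The `AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], ...)` probe passes no EXTRA-FLAGS, and the macro's own description states that warnings are ignored, so a compiler that merely warns about an unrecognised option would be recorded as supporting it. Passing `[-Werror]` as the fourth argument makes the probe fail in that case, which is the use the macro documentation suggests for EXTRA-FLAGS. The fallback `-fstack-protector` is substituted without being probed at all. The check also runs with whatever language is current at this point in configure.ac (not visible in the hunk), while the result is consumed through `AM_CXXFLAGS`; wrapping it in `AC_LANG_PUSH([C++])` / `AC_LANG_POP([C++])` would remove that doubt.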
http://git-wip-us.apache.org/repos/asf/mesos/blob/d32cabd0/3rdparty/stout/m4/ax_check_compile_flag.m4
----------------------------------------------------------------------
diff --git a/3rdparty/stout/m4/ax_check_compile_flag.m4 b/3rdparty/stout/m4/ax_check_compile_flag.m4
new file mode 100644
index 0000000..51df0c0
--- /dev/null
+++ b/3rdparty/stout/m4/ax_check_compile_flag.m4
@@ -0,0 +1,74 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the current language's compiler
+# or gives an error. (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the current language's default
+# flags (e.g. CFLAGS) when the check is done. The check is thus made with
+# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
+# force the compiler to issue an error when a bad flag is given.
+#
+# INPUT gives an alternative input source to AC_COMPILE_IFELSE.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <gu...@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mk...@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 3
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+ AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS