From 0f33846367ea29d06c30a8b881675dfc2fb8892c Mon Sep 17 00:00:00 2001
From: Roland Mainz <rmainz@redhat.com>
Date: Thu, 7 May 2015 20:21:21 +0200
Subject: [PATCH] Add PIE and RELRO compiler flags for hardening

Add PIE (=position independent code) and RELRO (=read-only jump
tables and relocation addresses) compiler flags for hardening.

Fixes: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Roland Mainz <rmainz@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com>
---
 proxy/Makefile.am | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index 821362502483f046c46209c16ef422d796c4b384..39674f6764da914f5d54d68672b6b1bcd4247f8f 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -31,6 +31,10 @@ pkgconfigdir = $(libdir)/pkgconfig
 gpstatedir = @gpstatedir@
 gpclidir = @gpstatedir@/clients
 
+# Flags for hardening (separated out so we can override them for testing)
+PIE_CFLAGS	= -fPIE
+RELRO_CFLAGS	= -Wl,-z,relro,-z,now
+
 AM_CFLAGS =
 if WANT_AUX_INFO
     AM_CFLAGS += -aux-info $@.X
@@ -41,7 +45,8 @@ if HAVE_GCC
     AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
                  -Wcast-qual -Wcast-align -Wwrite-strings \
                  -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-                 -Werror-implicit-function-declaration
+                 -Werror-implicit-function-declaration \
+                 $(PIE_CFLAGS) $(RELRO_CFLAGS)
 endif
 
 dist_pkgconfig_DATA =
-- 
2.4.0