Enable use of Relocations Read-Only, if supported, for enhanced security.

(This used to be commit c20c5f082162ff6c0c2931f456897334aa002e83)

diff --git a/source3/Makefile.in b/source3/Makefile.in
index ac33a11a1efd8319091b5a5b5b6b40b0799f8410..376d24ca2f196953f8d009245f0006f98acd550f 100644 (file)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -43,8 +43,8 @@ CPPFLAGS=-DHAVE_CONFIG_H @CPPFLAGS@
 
 EXEEXT=@EXEEXT@
 AR=@AR@
-LDSHFLAGS=@LDSHFLAGS@ @LDFLAGS@
-LDFLAGS=@PIE_LDFLAGS@ @LDFLAGS@
+LDSHFLAGS=@LDSHFLAGS@ @RELRO_LDFLAGS@ @LDFLAGS@
+LDFLAGS=@PIE_LDFLAGS@ @RELRO_LDFLAGS@ @LDFLAGS@
 
 WINBIND_NSS_LDSHFLAGS=@WINBIND_NSS_LDSHFLAGS@ @LDFLAGS@
 AWK=@AWK@

diff --git a/source3/configure.in b/source3/configure.in
index 056c0f80495486bc9944ae9f838caafd4b6a8d34..f884d9344ad6cde8e2925f9a7a765232f53ab649 100644 (file)
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -73,6 +73,7 @@ AC_SUBST(HOST_OS)
 AC_SUBST(PICFLAG)
 AC_SUBST(PIE_CFLAGS)
 AC_SUBST(PIE_LDFLAGS)
+AC_SUBST(RELRO_LDFLAGS)
 AC_SUBST(SHLIBEXT)
 AC_SUBST(INSTALLLIBCMD_SH)
 AC_SUBST(INSTALLLIBCMD_A)
@@ -1513,6 +1514,32 @@ EOF
        fi
 fi
 
+# Set defaults
+RELRO_LDFLAGS=""
+AC_ARG_ENABLE(relro, [AS_HELP_STRING([--enable-relro], [Turn on Relocations Read-Only (relro) support if available (default=yes)])])
+
+if test "x$enable_relro" != xno
+then
+       AC_CACHE_CHECK([for -Wl,-z,relro], samba_cv_relro,
+       [
+               cat > conftest.c <<EOF
+int foo;
+main () { return 0;}
+EOF
+               if AC_TRY_COMMAND([${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS -Wl,-z,relro -o conftest conftest.c 1>&AS_MESSAGE_LOG_FD])
+               then
+                       samba_cv_relro=yes
+               else
+                       samba_cv_relro=no
+               fi
+               rm -f conftest*
+       ])
+       if test x"${samba_cv_relro}" = x"yes"
+       then
+               RELRO_LDFLAGS="-Wl,-z,relro"
+       fi
+fi
+
 # Assume non-shared by default and override below
 BLDSHARED="false"