waf: Build with RELRO if supported by the compiler.
authorAndreas Schneider <asn@samba.org>
Fri, 5 Jul 2013 06:13:56 +0000 (08:13 +0200)
committerJeremy Allison <jra@samba.org>
Tue, 9 Jul 2013 20:00:37 +0000 (13:00 -0700)
Make sure we create binaries with full RELocation Read-Only support. See
https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
for more details.

The default is to check if the compiler supports RELRO and then enable
it. Specifying '--with-relro' will make it mandatory and
'--without-relro' will disable it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
buildtools/wafsamba/wafsamba.py
wscript

index aaa09392f1eb23930f04ece1b70ab4153c25e53a..caa6fb128d6dfb3ae4e49f9f6d58c389af3f116a 100644 (file)
@@ -348,6 +348,8 @@ def SAMBA_BINARY(bld, binname, source,
     if bld.env['ENABLE_PIE'] == True:
         pie_cflags += ' -fPIE'
         pie_ldflags.extend(TO_LIST('-pie'))
+    if bld.env['ENABLE_RELRO'] == True:
+        pie_ldflags.extend(TO_LIST('-Wl,-z,relro,-z,now'))
 
     # first create a target for building the object files for this binary
     # by separating in this way, we avoid recompiling the C files
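Review bot: The RELRO flags are appended to `pie_ldflags` inside SAMBA_BINARY only, so as far as this hunk shows the hardening reaches executables but not the shared libraries and modules they load, whose GOT would stay writable. If library targets are linked through a separate helper (not visible here), the same `ENABLE_RELRO` test probably belongs there as well. The list now carries more than PIE flags, so a comment above the two tests such as `# hardening ldflags: PIE and, when enabled, full RELRO (-z relro -z now)` would keep the name from misleading. SAMBA_BINARY starts and ends outside the hunk.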
diff --git a/wscript b/wscript
index 83c82e354087743366c675a8eba949df7badda1f..47b7b50639fda67bd8bd13ba8a7eeed55dfee330 100644 (file)
--- a/wscript
+++ b/wscript
@@ -64,6 +64,14 @@ def set_options(opt):
                   help=("Disable Position Independent Executable builds"),
                   action="store_false", dest='enable_pie')
 
+    opt.add_option('--with-relro',
+                  help=("Build with full RELocation Read-Only (RELRO)" +
+                        "(default if supported by compiler)"),
+                  action="store_true", dest='enable_relro')
+    opt.add_option('--without-relro',
+                  help=("Disable RELRO builds"),
+                  action="store_false", dest='enable_relro')
+
     gr = opt.option_group('developer options')
 
 
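Review bot: The two help fragments for `--with-relro` are concatenated without a separating space, so `--help` prints `(RELRO)(default if supported by compiler)`; the first fragment should end with a space, `help=("Build with full RELocation Read-Only (RELRO) " +`. The configure step appears to rely on `enable_relro` staying unset when neither flag is given, which holds only while no `default=` is added to either option. A short comment saying so, for example `# no default: an unset value means "auto-detect" in configure()`, would protect that tri-state. set_options begins outside the hunk.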
@@ -178,6 +186,16 @@ def configure(conf):
                          msg="Checking compiler for PIE support"):
                conf.env['ENABLE_PIE'] = True
 
+    if Options.options.enable_relro != False:
+        if Options.options.enable_relro == True:
+            need_relro = True
+        else:
+            # not specified, only build RELROs if supported by compiler
+            need_relro = False
+        if conf.check_cc(cflags='', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro,
+                         msg="Checking compiler for full RELRO support"):
+            conf.env['ENABLE_RELRO'] = True
+
 def etags(ctx):
     '''build TAGS file using etags'''
     import Utils
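Review bot: The `check_cc` call in configure only establishes that a link with `-Wl,-z,relro,-z,now` succeeds, and some linkers accept an unknown `-z` keyword with a warning, so `ENABLE_RELRO` could end up True on a toolchain that silently ignores the option. It would be worth confirming the result on a built binary, for instance with `readelf -l` (a `GNU_RELRO` segment) and `readelf -d` (`BIND_NOW`), and saying in a comment that the check is link-only. The flag string is also repeated literally in wafsamba.py, so the tested flags and the flags actually used can drift apart; keeping the string in one place and reading it from `conf.env` in both would avoid that. The nested `if`/`else` can be reduced to `need_relro = (Options.options.enable_relro == True)`. configure begins outside the hunk.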