diff options
| author | Avi Kivity <avi@redhat.com> | 2011-11-15 20:12:17 +0200 |
|---|---|---|
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-11-21 15:05:59 -0600 |
| commit | 40d6444e91c6ab17e5e8ab01d4eece90cbc4afed (patch) | |
| tree | 12bdf76893cd40f7c552a8a27348164bc788f4f9 | |
| parent | ff51a738cf487811a7890d5292c38bc30eb54e45 (diff) | |
| download | qemu-40d6444e91c6ab17e5e8ab01d4eece90cbc4afed.tar.gz | |
configure: build position independent executables on x86-Linux hosts
Change the default on x86 Linux hosts to building PIE (position
independent executables); instead of restricting the option to
user-only targets, apply it to all targets.
In addition, set the relocation sections to read-only (relro) when
available; this reduces the attack surface by disallowing changes to
relocation tables at runtime.
While PIE reduces performance and relro increases load time, it
greatly improves security, with the potential to reduce a code
execution vulnerability to a self denial of service.
Non-x86 are not changed, as they require TCG changes; neither are
non-Linux, due to lack of test coverage.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
| -rwxr-xr-x | configure | 65 |
1 files changed, 47 insertions, 18 deletions
@@ -172,7 +172,7 @@ aix="no" blobs="yes" pkgversion="" check_utests="" -user_pie="no" +pie="" zero_malloc="" trace_backend="nop" trace_file="trace" @@ -701,9 +701,9 @@ for opt do ;; --disable-guest-base) guest_base="no" ;; - --enable-user-pie) user_pie="yes" + --enable-pie) pie="yes" ;; - --disable-user-pie) user_pie="no" + --disable-pie) pie="no" ;; --enable-uname-release=*) uname_release="$optarg" ;; @@ -1031,8 +1031,8 @@ echo " --disable-bsd-user disable all BSD usermode emulation targets" echo " --enable-guest-base enable GUEST_BASE support for usermode" echo " emulation targets" echo " --disable-guest-base disable GUEST_BASE support" -echo " --enable-user-pie build usermode emulation targets as PIE" -echo " --disable-user-pie do not build usermode emulation targets as PIE" +echo " --enable-pie build Position Independent Executables" +echo " --disable-pie do not build Position Independent Executables" echo " --fmod-lib path to FMOD library" echo " --fmod-inc path to FMOD includes" echo " --oss-lib path to OSS library" @@ -1099,6 +1099,47 @@ for flag in $gcc_flags; do fi done +if test "$static" = "yes" ; then + if test "$pie" = "yes" ; then + echo "static and pie are mutually incompatible" + exit 1 + else + pie="no" + fi +fi + +if test "$pie" = ""; then + case "$cpu-$targetos" in + i386-Linux|x86_64-Linux) + ;; + *) + pie="no" + ;; + esac +fi + +if test "$pie" != "no" ; then + cat > $TMPC << EOF +int main(void) { return 0; } +EOF + if compile_prog "-fPIE -DPIE" "-pie"; then + QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS" + LDFLAGS="-pie $LDFLAGS" + pie="yes" + if compile_prog "" "-Wl,-z,relro -Wl,-z,now" ; then + LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS" + fi + else + if test "$pie" = "yes"; then + echo "PIE not available due to missing toolchain support" + exit 1 + else + echo "Disabling PIE due to missing toolchain support" + pie="no" + fi + fi +fi + # # Solaris specific configure tool chain decisions # @@ -2765,7 +2806,7 @@ echo "Documentation $docs" echo "uname -r $uname_release" echo "NPTL support $nptl" echo "GUEST_BASE $guest_base" -echo "PIE user targets $user_pie" +echo "PIE $pie" echo "vde support $vde" echo "Linux AIO support $linux_aio" echo "ATTR/XATTR support $attr" @@ -3225,9 +3266,6 @@ for d in libdis libdis-user; do symlink $source_path/Makefile.dis $d/Makefile echo > $d/config.mak done -if test "$static" = "no" -a "$user_pie" = "yes" ; then - echo "QEMU_CFLAGS+=-fpie" > libdis-user/config.mak -fi for target in $target_list; do target_dir="$target" @@ -3646,12 +3684,6 @@ if test "$target_softmmu" = "yes" ; then esac fi -if test "$target_user_only" = "yes" -a "$static" = "no" -a \ - "$user_pie" = "yes" ; then - cflags="-fpie $cflags" - ldflags="-pie $ldflags" -fi - if test "$target_softmmu" = "yes" -a \( \ "$TARGET_ARCH" = "microblaze" -o \ "$TARGET_ARCH" = "cris" \) ; then @@ -3775,9 +3807,6 @@ d=libuser mkdir -p $d mkdir -p $d/trace symlink $source_path/Makefile.user $d/Makefile -if test "$static" = "no" -a "$user_pie" = "yes" ; then - echo "QEMU_CFLAGS+=-fpie" > $d/config.mak -fi if test "$docs" = "yes" ; then mkdir -p QMP |