[Oisf-devel] [PATCH] Add relro flags to libhtp
Victor Julien
victor at inliniac.net
Thu Dec 15 16:10:23 UTC 2011
On 12/15/2011 04:50 PM, Steve Grubb wrote:
> Hello,
>
> The main suricata program can detect and use relro/bind now linker flags. But
> the directive is per linked object. This means that while the app has
> protection, its code segment containing libhtp does not. The patch below passes
> the configure option to libhtp and lets it make use of the compiler's
> security protection.
Applied, thanks Steve. I'll forward your mail to the upstream libhtp
project as well.
Cheers,
Victor
>
> Signed-off-by: Steve Grubb <sgrubb at redhat.com>
> ---
>
> diff -ur suricata.orig/libhtp/configure.ac suricata/libhtp/configure.ac
> --- suricata.orig/libhtp/configure.ac 2011-11-02 08:30:35.000000000 -0400
> +++ suricata/libhtp/configure.ac 2011-12-15 10:39:06.000000000 -0500
> @@ -70,7 +70,6 @@
> AM_PROG_LIBTOOL
> AM_SANITY_CHECK
>
> -
> dnl -----------------------------------------------
> dnl Checks for libs.
> dnl -----------------------------------------------
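Review bot: The only change in this first hunk is the removal of a blank line after AM_SANITY_CHECK, which is unrelated to the relro/now checks. I would drop it so the patch carries only the functional change.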
> @@ -84,6 +83,30 @@
> exit 1
> fi
>
> +dnl -----------------------------------------------
> +dnl provides a read-only relocation table area in the final ELF
> +dnl -----------------------------------------------
> +AC_MSG_CHECKING(for -z relro)
> +TMPLDFLAGS="${LDFLAGS}"
> +LDFLAGS="${LDFLAGS} -z relro"
> +AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z relro"
> +AC_MSG_RESULT(yes),
> +AC_MSG_RESULT(no))
> +LDFLAGS="${TMPLDFLAGS}"
> +
> +dnl -----------------------------------------------
> +dnl forces all relocations to be resolved at run-time
> +dnl -----------------------------------------------
> +AC_MSG_CHECKING(for -z now)
> +TMPLDFLAGS="${LDFLAGS}"
> +LDFLAGS="${LDFLAGS} -z now"
> +AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z now"
> +AC_MSG_RESULT(yes),
> +AC_MSG_RESULT(no))
> +LDFLAGS="${TMPLDFLAGS}"
> +
> +CFLAGS="${CFLAGS} ${SECCFLAGS}"
> +LDFLAGS="${LDFLAGS} ${SECLDFLAGS}"
>
> dnl -----------------------------------------------
> dnl Generates Makefile's, configuration files and scripts
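Review bot: SECCFLAGS is appended to CFLAGS at the end of the added block (`CFLAGS="${CFLAGS} ${SECCFLAGS}"`), but nothing in this hunk assigns it; the two checks only populate SECLDFLAGS. Either drop that line or add a dnl comment saying where SECCFLAGS is expected to come from, so a reader of libhtp's configure.ac alone can tell whether it is intentionally empty. The two check blocks are also identical apart from the flag name, so a small shared macro taking the flag as its argument would avoid the copy and make adding further -z options a one-line change.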
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------