[Oisf-devel] [PATCH] Add relro flags to libhtp

Steve Grubb sgrubb at redhat.com
Thu Dec 15 15:50:27 UTC 2011


Hello,

The main suricata program can detect and use relro/bind now linker flags. But
the directive is per linked object. This means that while the app has
protection, its code segment containing libhtp does not. The patch below passes
the configure option to libhtp and lets it make use of the compiler's
security protection.

Signed-off-by: Steve Grubb <sgrubb at redhat.com>
---

diff -ur suricata.orig/libhtp/configure.ac suricata/libhtp/configure.ac
--- suricata.orig/libhtp/configure.ac	2011-11-02 08:30:35.000000000 -0400
+++ suricata/libhtp/configure.ac	2011-12-15 10:39:06.000000000 -0500
@@ -70,7 +70,6 @@
 AM_PROG_LIBTOOL
 AM_SANITY_CHECK
 
-
 dnl -----------------------------------------------
 dnl Checks for libs.
 dnl -----------------------------------------------
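Review bot: The only change in this hunk is the removal of a blank line after AM_SANITY_CHECK, which is unrelated to the relro/now linker flags. Drop it, or send it as a separate whitespace cleanup, so the patch contains only the security flag change.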
@@ -84,6 +83,30 @@
     exit 1
 fi
 
+dnl -----------------------------------------------
+dnl provides a read-only relocation table area in the final ELF
+dnl -----------------------------------------------
+AC_MSG_CHECKING(for -z relro)
+TMPLDFLAGS="${LDFLAGS}"
+LDFLAGS="${LDFLAGS} -z relro"
+AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z relro"
+AC_MSG_RESULT(yes),
+AC_MSG_RESULT(no))
+LDFLAGS="${TMPLDFLAGS}"
+
+dnl -----------------------------------------------
+dnl forces all relocations to be resolved at run-time
+dnl -----------------------------------------------
+AC_MSG_CHECKING(for -z now)
+TMPLDFLAGS="${LDFLAGS}"
+LDFLAGS="${LDFLAGS} -z now"
+AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z now"
+AC_MSG_RESULT(yes),
+AC_MSG_RESULT(no))
+LDFLAGS="${TMPLDFLAGS}"
+
+CFLAGS="${CFLAGS} ${SECCFLAGS}"
+LDFLAGS="${LDFLAGS} ${SECLDFLAGS}"
 
 dnl -----------------------------------------------
 dnl Generates Makefile's, configuration files and scripts
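Review bot: At the end of this hunk, `CFLAGS="${CFLAGS} ${SECCFLAGS}"` appends SECCFLAGS, but none of the added lines set it, and SECLDFLAGS is only ever appended to and never initialised, so both take whatever value the environment happens to supply. Either initialise both before the two checks or add a dnl comment stating that they are expected to be inherited from the parent configure run. The comment above the `-z now` check ("forces all relocations to be resolved at run-time") should say that symbols are resolved when the object is loaded rather than lazily on first call. AC_TRY_LINK is marked obsolete in Autoconf; AC_LINK_IFELSE with AC_LANG_PROGRAM is the current form, and the two near-identical blocks could be folded into one macro that takes the flag as its argument.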


