author | Frediano Ziglio <fziglio@redhat.com> | 2017-08-17 16:32:10 +0100 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2020-10-25 19:18:36 +0000 |
commit | d61abf61068487eb8f36e43e40711b8f36a5dfd7 (patch) | |
tree | 8a3dbdfaf10a07484fbd6de9e6442dc46c18086d | |
parent | 630da73bf869a69b906b1d3e0aa1f6d00c9c632d (diff) |
Enable some security options on output executables
Enable NX (prevent data from being executed) and ASLR (address
randomisation).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r-- | Makefile.am | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index 425b052..8ce1356 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -17,11 +17,32 @@ if !ENABLE_DEBUG
 AM_LDFLAGS += -s
 endif
+# binutils does not take into account entry point when
+# -pie is used so we need to provide it manually
+# ENTRY_PREFIX is empty for x86_64, underscore ("_") otherwise
+ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_)
+
+# --dynamicbase to enable ASLR protection
+# --nxcompat is to enable NX protection
+# -pie as --dynamicbase requires relocations
+LDFLAGS_SECURITY_COMMON = \
+ -Wl,--dynamicbase -Wl,-pie \
+ -Wl,--nxcompat \
+ $(NULL)
+LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \
+ -Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \
+ -mwindows \
+ $(NULL)
+LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \
+ -Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \
+ -mconsole \
+ $(NULL)
+
 bin_PROGRAMS = vdagent vdservice
 vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32 -luuid -lole32 -loleaut32 -lmpr -lshlwapi vdagent_rc.$(OBJEXT)
 vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
-vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows
+vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI)
 vdagent_SOURCES = \
 common/vdcommon.cpp \
 common/vdcommon.h \
@@ -54,6 +75,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc
 MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT)
 vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT)
+vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
 vdservice_SOURCES = \
 common/stdint.h \
 common/vdcommon.cpp \
@@ -72,7 +94,7 @@ check_PROGRAMS = imagetest
 imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32
 imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS)
-imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
+imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
 imagetest_SOURCES = \
 common/vdcommon.cpp \
 common/vdcommon.h \
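Review bot: `ENTRY_PREFIX` in the first hunk yields an underscore for every `host_cpu` other than `x86_64`, but the leading underscore on C symbols is specific to 32-bit x86. On any other target (an ARM64 MinGW build, say) `-Wl,-e,_mainCRTStartup` would name a symbol that does not exist, and ld normally only warns and falls back to a default entry address, so the program could start without CRT initialisation. Testing for the 32-bit case keeps the override correct: `ENTRY_PREFIX := $(if $(filter i%86,$(host_cpu)),_,)`. Separately, for 64-bit builds `LDFLAGS_SECURITY_COMMON` could add `-Wl,--high-entropy-va` where the installed binutils supports it, since `--dynamicbase` alone does not set the high-entropy ASLR bit.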
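Review bot: Nothing in the build confirms that the hardening reaches the linked files, and the added `vdservice_LDFLAGS` line in the second hunk is the first time `vdservice` gets a forced entry point and subsystem at all. If `--dynamicbase` is accepted but the image is linked without base relocations, the executable still loads but is not randomised, and release builds also pass `-s` through `AM_LDFLAGS`. A `check-local` step could run `objdump -p` on `vdagent.exe` and `vdservice.exe` and fail unless `DllCharacteristics` has the DYNAMIC_BASE (0x0040) and NX_COMPAT (0x0100) bits set and a base relocation directory is present. The `vdservice_SOURCES` list continues outside the hunk.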
@@ -92,7 +114,7 @@ check_PROGRAMS += test-log-win
 TESTS += test-log
 EXTRA_DIST += test-log
-test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console
+test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI)
 test_log_win_SOURCES = \
 common/vdcommon.cpp \
 common/vdcommon.h \ |