author | Kevin Cernekee <cernekee@chromium.org> | 2016-09-11 13:54:19 -0700 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-09-20 16:01:54 +0200 |
commit | 498d698084d258be8828010db5a8778c938046b3 (patch) | |
tree | 51842449723adcd291b93a18b8b731c472d9e86f | |
parent | dd4b5a1e5e52f2107227b8513fbf87bc4b0df079 (diff) |
Link nfct and helper modules with `-z lazy`
Some distributions, such as Gentoo and Chrome OS, try to link all
programs with `-z now` as a security hardening measure. This breaks
nfct, because nfct cannot satisfy all of the helper modules' symbols.
Therefore nfct implicitly depends on lazy binding.
Have autoconf probe the linker to see if `-z lazy` works, and if so,
use it to link nfct and the helpers.
conntrackd itself is unaffected, and should still work with `-z now`.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | m4/ax_check_link_flag.m4 | 74 | ||||
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/helpers/Makefile.am | 39 |
4 files changed, 99 insertions, 19 deletions
diff --git a/configure.ac b/configure.ac
index e2223d7..6141220 100644
--- a/configure.ac
+++ b/configure.ac
@@ -118,6 +118,9 @@ dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
 dnl AC_C_CONST
 dnl AC_C_INLINE
 
+# Let nfct use dlopen() on helper libraries without resolving all symbols.
+AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
+
 # Checks for library functions.
 dnl AC_FUNC_MALLOC
 dnl AC_FUNC_VPRINTF
diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4
new file mode 100644
index 0000000..eb01a6c
--- /dev/null
+++ b/m4/ax_check_link_flag.m4
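Review bot: The added comment says why `-z lazy` is wanted but not what it gives up: lazy binding keeps the GOT of nfct and the helper modules writable at run time (no BIND_NOW, so no full RELRO), which is precisely the hardening the distributions named in the description apply, so the trade-off belongs at the probe. I would extend it to `# Let nfct use dlopen() on helper libraries without resolving all symbols.` followed by `# NOTE: -z lazy turns off BIND_NOW/full RELRO for nfct and the helpers only; conntrackd keeps the distribution's -z now.` Separately, the macro's own description states that linker warnings are ignored and that EXTRA-FLAGS exists to turn a bad flag into an error, and the call passes no EXTRA-FLAGS, so a linker that merely warns about an unsupported `-z` keyword reports success while the flag is dropped. The failure branch is also silent; passing `[AC_MSG_WARN([linker does not support -z lazy; nfct may fail to load helpers under -z now])]` as the third argument would surface the problem at configure time instead of at first helper load.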
@@ -0,0 +1,74 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the linker or gives an error.
+# (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the linker's default flags
+# when the check is done. The check is thus made with the flags: "LDFLAGS
+# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
+# issue an error when a bad flag is given.
+#
+# INPUT gives an alternative input source to AC_LINK_IFELSE.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 4
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS $4 $1"
+ AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ LDFLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
diff --git a/src/Makefile.am b/src/Makefile.am
index 607f191..144c52c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -35,7 +35,7 @@ if HAVE_CTHELPER
 nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
 endif
 
-nfct_LDFLAGS = -export-dynamic
+nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@
 
 conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \
 local.c log.c mcast.c udp.c netlink.c vector.c \
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index 51f4887..05801bc 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
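Review bot: `@LAZY_LDFLAGS@` is appended to nfct_LDFLAGS, which automake's per-target link rule emits before the user's `$(LDFLAGS)`; if a distribution injects `-Wl,-z,now` through LDFLAGS rather than through the compiler driver, that flag lands after `-z lazy`, and with GNU ld, where the last `-z` keyword wins, it overrides the setting and reproduces the failure this commit is meant to fix. Whether the Gentoo and Chrome OS toolchains named in the description add the flag via the driver (where this order is fine) is not visible here, so treat this as a hedge, but the ordering assumption deserves a comment at the assignment, e.g. `# @LAZY_LDFLAGS@ relies on being the last -z keyword on the link line; see configure.ac`, or the flag should be placed at the tail of the link command. The same ordering applies to HELPER_LDFLAGS in the src/helpers/Makefile.am hunk.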
@@ -10,38 +10,41 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
 ct_helper_sane.la \
 ct_helper_ssdp.la
 
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
+HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
 ct_helper_amanda_la_SOURCES = amanda.c
-ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_amanda_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_amanda_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_amanda_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_dhcpv6_la_SOURCES = dhcpv6.c
-ct_helper_dhcpv6_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_dhcpv6_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_dhcpv6_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_dhcpv6_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_ftp_la_SOURCES = ftp.c
-ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_ftp_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_ftp_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_mdns_la_SOURCES = mdns.c
-ct_helper_mdns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_mdns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_mdns_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_rpc_la_SOURCES = rpc.c
-ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_tftp_la_SOURCES = tftp.c
-ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_tftp_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_tns_la_SOURCES = tns.c
-ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_tns_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_tns_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_sane_la_SOURCES = sane.c
-ct_helper_sane_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_sane_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)
 
 ct_helper_ssdp_la_SOURCES = ssdp.c
-ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
-ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)