Link nfct and helper modules with `-z lazy`

Some distributions, such as Gentoo and Chrome OS, try to link all programs with `-z now` as a security hardening measure. This breaks nfct, because nfct cannot satisfy all of the helper modules' symbols. Therefore nfct implicitly depends on lazy binding. Have autoconf probe the linker to see if `-z lazy` works, and if so, use it to link nfct and the helpers. conntrackd itself is unaffected, and should still work with `-z now`. Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Kevin Cernekee <cernekee@chromium.org> 2016-09-11 13:54:19 -0700
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-20 16:01:54 +0200
commit: 498d698084d258be8828010db5a8778c938046b3 (patch)
tree: 51842449723adcd291b93a18b8b731c472d9e86f /configure.ac
parent: dd4b5a1e5e52f2107227b8513fbf87bc4b0df079 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index e2223d7..6141220 100644
--- a/configure.ac
+++ b/configure.ac
@@ -118,6 +118,9 @@ dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
 dnl AC_C_CONST
 dnl AC_C_INLINE
 
+# Let nfct use dlopen() on helper libraries without resolving all symbols.
+AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
+
 # Checks for library functions.
 dnl AC_FUNC_MALLOC
 dnl AC_FUNC_VPRINTF
author	Kevin Cernekee <cernekee@chromium.org>	2016-09-11 13:54:19 -0700
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-09-20 16:01:54 +0200
commit	498d698084d258be8828010db5a8778c938046b3 (patch)
tree	51842449723adcd291b93a18b8b731c472d9e86f /configure.ac
parent	dd4b5a1e5e52f2107227b8513fbf87bc4b0df079 (diff)