[PATCH] waf: Build with RELRO if supported by the compiler.

Andreas Schneider asn at samba.org
Thu Jul 4 10:29:03 MDT 2013


Make sure we create binaries with full RELocation Read-Only support. See
https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
for more details.

The default is to check if the compiler supports RELRO and then enable
it. Specifying '--with-relro' will make it mandatory and
'--without-relro' will disable it.

Signed-off-by: Andreas Schneider <asn at samba.org>
---
 buildtools/wafsamba/wafsamba.py |  3 +++
 wscript                         | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index aaa0939..e7c7fa8 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -348,6 +348,9 @@ def SAMBA_BINARY(bld, binname, source,
     if bld.env['ENABLE_PIE'] == True:
         pie_cflags += ' -fPIE'
         pie_ldflags.extend(TO_LIST('-pie'))
+    if bld.env['ENABLE_RELRO'] == True:
+        pie_cflags += ' -Wl,-z,relro,-z,now'
+        pie_ldflags.extend(TO_LIST('-Wl,-z,relro,-z,now'))
 
     # first create a target for building the object files for this binary
     # by separating in this way, we avoid recompiling the C files
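Review bot: `-Wl,-z,relro,-z,now` is a linker pass-through, so appending it to `pie_cflags` does nothing at compile time, and some compilers (clang, for example) report it as an unused argument on compile-only steps, which becomes fatal under `-Werror`. I would drop the `pie_cflags += ' -Wl,-z,relro,-z,now'` line and keep only `pie_ldflags.extend(TO_LIST('-Wl,-z,relro,-z,now'))`. The flags are also added only inside SAMBA_BINARY, so shared libraries and modules built through other helpers presumably stay without RELRO/BIND_NOW; those helpers are not visible here, so this needs confirming. A short comment such as `# full RELRO: read-only relocations plus immediate binding (applies with or without PIE)` would explain why non-PIE flags live in the `pie_*` variables. SAMBA_BINARY starts and continues outside this hunk.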
diff --git a/wscript b/wscript
index 83c82e3..c931780 100644
--- a/wscript
+++ b/wscript
@@ -64,6 +64,14 @@ def set_options(opt):
                   help=("Disable Position Independent Executable builds"),
                   action="store_false", dest='enable_pie')
 
+    opt.add_option('--with-relro',
+                  help=("Build with full RELocation Read-Only (RELRO)" +
+                        "(default if supported by compiler)"),
+                  action="store_true", dest='enable_relro')
+    opt.add_option('--without-pie',
+                  help=("Disable RELRO builds"),
+                  action="store_false", dest='enable_relro')
+
     gr = opt.option_group('developer options')
 
 
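Review bot: The second added option is registered as `--without-pie`, not `--without-relro`, although the commit message documents `--without-relro` and the option sets `dest='enable_relro'`. The context lines just above suggest `--without-pie` already exists for `enable_pie`, so this is likely to be rejected as a conflicting option or to shadow the PIE switch, and it leaves no way to turn RELRO off. It should read `opt.add_option('--without-relro',`. The concatenated help text also lacks a space and renders as "(RELRO)(default ..."; use `"Build with full RELocation Read-Only (RELRO) " +`. set_options begins outside this hunk.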
@@ -178,6 +186,16 @@ def configure(conf):
                          msg="Checking compiler for PIE support"):
 		conf.env['ENABLE_PIE'] = True
 
+    if Options.options.enable_relro != False:
+        if Options.options.enable_relro == True:
+            need_relro = True
+        else:
+            # not specified, only build RELROs if supported by compiler
+            need_relro = False
+        if conf.check_cc(cflags='-Wl,-z,relro,-z,now', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro,
+                         msg="Checking compiler for full RELRO support"):
+            conf.env['ENABLE_RELRO'] = True
+
 def etags(ctx):
     '''build TAGS file using etags'''
     import Utils
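Review bot: The added `conf.check_cc(...)` probe only shows that the toolchain accepts `-Wl,-z,relro,-z,now`, not that the output is actually hardened. GNU ld typically warns about and ignores `-z` keywords it does not recognise, so `ENABLE_RELRO` could end up set on a linker that silently does nothing. A post-link check in the build or CI would close that gap, for example confirming a `GNU_RELRO` program header and a `BIND_NOW` dynamic entry with `readelf -l` and `readelf -d`. The `cflags='-Wl,-z,relro,-z,now'` argument is redundant for a linker-only option and can be dropped from the probe. The `== True` / `else` ladder can be reduced to `need_relro = (Options.options.enable_relro == True)`, with a comment that an unspecified option means "enable if supported". configure begins outside this hunk.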
-- 
1.8.3.1



