| From 75e3bd2618852f47498e75f482e5015fcd4fb270 Mon Sep 17 00:00:00 2001 |
| From: Kevin Cernekee <cernekee@chromium.org> |
| Date: Sat, 10 Sep 2016 09:23:55 -0700 |
| Subject: [PATCH] Link nfct and helper modules with `-z lazy` |
| |
| Some distributions, such as Gentoo and Chrome OS, try to link all |
| programs with `-z now` as a security hardening measure. This breaks |
| nfct, because nfct cannot satisfy all of the helper modules' symbols. |
| Therefore nfct implicitly depends on lazy binding. |
| |
| Have autoconf probe the linker to see if `-z lazy` works, and if so, |
| use it to link nfct and the helpers. |
| |
| conntrackd itself is unaffected, and should still work with `-z now`. |
| |
| Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
| --- |
| configure.ac | 3 ++ |
| m4/ax_check_link_flag.m4 | 74 ++++++++++++++++++++++++++++++++++++++++++++++++ |
| src/Makefile.am | 2 +- |
| src/helpers/Makefile.am | 39 +++++++++++++------------ |
| 4 files changed, 99 insertions(+), 19 deletions(-) |
| create mode 100644 m4/ax_check_link_flag.m4 |
| |
| diff --git a/configure.ac b/configure.ac |
| index e2223d7555a5..6141220c0e6a 100644 |
| --- a/configure.ac |
| +++ b/configure.ac |
| @@ -118,6 +118,9 @@ dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h]) |
| dnl AC_C_CONST |
| dnl AC_C_INLINE |
| |
| +# Let nfct use dlopen() on helper libraries without resolving all symbols. |
| +AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) |
| + |
| # Checks for library functions. |
| dnl AC_FUNC_MALLOC |
| dnl AC_FUNC_VPRINTF |
| diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4 |
| new file mode 100644 |
| index 000000000000..eb01a6ce135e |
| --- /dev/null |
| +++ b/m4/ax_check_link_flag.m4 |
| @@ -0,0 +1,74 @@ |
| +# =========================================================================== |
| +# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html |
| +# =========================================================================== |
| +# |
| +# SYNOPSIS |
| +# |
| +# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) |
| +# |
| +# DESCRIPTION |
| +# |
| +# Check whether the given FLAG works with the linker or gives an error. |
| +# (Warnings, however, are ignored) |
| +# |
| +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on |
| +# success/failure. |
| +# |
| +# If EXTRA-FLAGS is defined, it is added to the linker's default flags |
| +# when the check is done. The check is thus made with the flags: "LDFLAGS |
| +# EXTRA-FLAGS FLAG". This can for example be used to force the linker to |
| +# issue an error when a bad flag is given. |
| +# |
| +# INPUT gives an alternative input source to AC_LINK_IFELSE. |
| +# |
| +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this |
| +# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG. |
| +# |
| +# LICENSE |
| +# |
| +# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de> |
| +# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com> |
| +# |
| +# This program is free software: you can redistribute it and/or modify it |
| +# under the terms of the GNU General Public License as published by the |
| +# Free Software Foundation, either version 3 of the License, or (at your |
| +# option) any later version. |
| +# |
| +# This program is distributed in the hope that it will be useful, but |
| +# WITHOUT ANY WARRANTY; without even the implied warranty of |
| +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General |
| +# Public License for more details. |
| +# |
| +# You should have received a copy of the GNU General Public License along |
| +# with this program. If not, see <http://www.gnu.org/licenses/>. |
| +# |
| +# As a special exception, the respective Autoconf Macro's copyright owner |
| +# gives unlimited permission to copy, distribute and modify the configure |
| +# scripts that are the output of Autoconf when processing the Macro. You |
| +# need not follow the terms of the GNU General Public License when using |
| +# or distributing such scripts, even though portions of the text of the |
| +# Macro appear in them. The GNU General Public License (GPL) does govern |
| +# all other use of the material that constitutes the Autoconf Macro. |
| +# |
| +# This special exception to the GPL applies to versions of the Autoconf |
| +# Macro released by the Autoconf Archive. When you make and distribute a |
| +# modified version of the Autoconf Macro, you may extend this special |
| +# exception to the GPL to apply to your modified version as well. |
| + |
| +#serial 4 |
| + |
| +AC_DEFUN([AX_CHECK_LINK_FLAG], |
| +[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF |
| +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl |
| +AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [ |
| + ax_check_save_flags=$LDFLAGS |
| + LDFLAGS="$LDFLAGS $4 $1" |
| + AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], |
| + [AS_VAR_SET(CACHEVAR,[yes])], |
| + [AS_VAR_SET(CACHEVAR,[no])]) |
| + LDFLAGS=$ax_check_save_flags]) |
| +AS_VAR_IF(CACHEVAR,yes, |
| + [m4_default([$2], :)], |
| + [m4_default([$3], :)]) |
| +AS_VAR_POPDEF([CACHEVAR])dnl |
| +])dnl AX_CHECK_LINK_FLAGS |
| diff --git a/src/Makefile.am b/src/Makefile.am |
| index 607f19161857..144c52c48c64 100644 |
| --- a/src/Makefile.am |
| +++ b/src/Makefile.am |
| @@ -35,7 +35,7 @@ if HAVE_CTHELPER |
| nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} |
| endif |
| |
| -nfct_LDFLAGS = -export-dynamic |
| +nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@ |
| |
| conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \ |
| local.c log.c mcast.c udp.c netlink.c vector.c \ |
| diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am |
| index 51f4887ccced..05801bc7f703 100644 |
| --- a/src/helpers/Makefile.am |
| +++ b/src/helpers/Makefile.am |
| @@ -10,38 +10,41 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ |
| ct_helper_sane.la \ |
| ct_helper_ssdp.la |
| |
| +HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ |
| +HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| + |
| ct_helper_amanda_la_SOURCES = amanda.c |
| -ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_amanda_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_amanda_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_amanda_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_dhcpv6_la_SOURCES = dhcpv6.c |
| -ct_helper_dhcpv6_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_dhcpv6_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_dhcpv6_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_dhcpv6_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_ftp_la_SOURCES = ftp.c |
| -ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_ftp_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_ftp_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_mdns_la_SOURCES = mdns.c |
| -ct_helper_mdns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_mdns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_mdns_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_rpc_la_SOURCES = rpc.c |
| -ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_tftp_la_SOURCES = tftp.c |
| -ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_tftp_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_tns_la_SOURCES = tns.c |
| -ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_tns_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_tns_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_sane_la_SOURCES = sane.c |
| -ct_helper_sane_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_sane_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS) |
| |
| ct_helper_ssdp_la_SOURCES = ssdp.c |
| -ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) |
| -ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) |
| +ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS) |
| +ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS) |
| -- |
| 2.8.0.rc3.226.g39d4020 |
| |