Build all installed binaries with PIE

Position Independent Executable adds security to executables by composing them
entirely of position-independent code. This for allows Exec Shield to use
ASLR to prevent attackers from knowing where existing executable code is.

7 files changed, 179 insertions, 1 deletions

diff --git a/client/Makefile.am b/client/Makefile.am
index 9b9433c..fe7d196 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -1,4 +1,5 @@
 AM_CPPFLAGS =						\
+	$(PIE_CFLAGS)					\
 	$(GLIB_CFLAGS)					\
 	$(GTK_CFLAGS)					\
 	-I$(top_srcdir)					\
@@ -34,6 +35,9 @@ cd_find_broken_LDADD =					\
 	$(COLORD_LIBS)					\
 	$(GLIB_LIBS)
 
+cd_find_broken_LDFLAGS =				\
+	$(PIE_LDFLAGS)
+
 cd_find_broken_CFLAGS =					\
 	$(WARNINGFLAGS_C)
 
@@ -44,6 +48,9 @@ colormgr_LDADD =					\
 	$(COLORD_LIBS)					\
 	$(GLIB_LIBS)
 
+colormgr_LDFLAGS =					\
+	$(PIE_LDFLAGS)
+
 colormgr_CFLAGS =					\
 	$(WARNINGFLAGS_C)
 
@@ -59,6 +66,9 @@ cd_fix_profile_LDADD =					\
 cd_fix_profile_CFLAGS =					\
 	$(WARNINGFLAGS_C)
 
+cd_fix_profile_LDFLAGS =				\
+	$(PIE_LDFLAGS)
+
 cd_iccdump_SOURCES =					\
 	cd-iccdump.c
 
@@ -68,6 +78,9 @@ cd_iccdump_LDADD =					\
 	$(COLORD_LIBS)					\
 	-lm
 
+cd_iccdump_LDFLAGS =					\
+	$(PIE_LDFLAGS)
+
 cd_iccdump_CFLAGS =					\
 	$(WARNINGFLAGS_C)
 
@@ -80,6 +93,9 @@ cd_create_profile_LDADD =				\
 	$(COLORD_LIBS)					\
 	-lm
 
+cd_create_profile_LDFLAGS =				\
+	$(PIE_LDFLAGS)
+
 cd_create_profile_CFLAGS =				\
 	$(WARNINGFLAGS_C)
 
diff --git a/configure.ac b/configure.ac
index 162b72a..131bdd4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -124,6 +124,13 @@ AC_SUBST(LIBM)
 
 GLIB_GSETTINGS
 
+# check for PIE (position independent executable) support
+AX_CHECK_COMPILE_FLAG([-fPIE],
+		      [AX_CHECK_LINK_FLAG([-fPIE -pie],
+					  [PIE_CFLAGS="-fPIE" PIE_LDFLAGS="-pie"])])
+AC_SUBST(PIE_CFLAGS)
+AC_SUBST(PIE_LDFLAGS)
+
 dnl ---------------------------------------------------------------------------
 dnl - Check library dependencies
 dnl ---------------------------------------------------------------------------
diff --git a/contrib/colord-sane/Makefile.am b/contrib/colord-sane/Makefile.am
index a64effc..e37abb4 100644
--- a/contrib/colord-sane/Makefile.am
+++ b/contrib/colord-sane/Makefile.am
@@ -1,6 +1,7 @@
 if HAVE_SANE
 
-INCLUDES =						\
+AM_CPPFLAGS =						\
+	$(PIE_CFLAGS)					\
 	$(GLIB_CFLAGS)					\
 	$(GUDEV_CFLAGS)					\
 	$(SANE_CFLAGS)					\
@@ -33,6 +34,9 @@ colord_sane_LDADD =					\
 	$(GLIB_LIBS)					\
 	$(DBUS_LIBS)
 
+colord_sane_LDFLAGS =					\
+	$(PIE_LDFLAGS)
+
 colord_sane_CFLAGS =					\
 	$(WARNINGFLAGS_C)
 
diff --git a/contrib/session-helper/Makefile.am b/contrib/session-helper/Makefile.am
index 2068699..b2d1679 100644
--- a/contrib/session-helper/Makefile.am
+++ b/contrib/session-helper/Makefile.am
@@ -3,6 +3,7 @@ dist_introspection_DATA = 				\
 	org.freedesktop.ColorHelper.xml
 
 AM_CPPFLAGS =						\
+	$(PIE_CFLAGS)					\
 	-I$(top_srcdir)/lib				\
 	$(COLORD_GTK_CFLAGS)				\
 	$(GLIB_CFLAGS)					\
@@ -46,6 +47,9 @@ colord_session_LDADD =					\
 	$(GLIB_LIBS)					\
 	-lm
 
+colord_session_LDFLAGS =				\
+	$(PIE_LDFLAGS)
+
 colord_session_CFLAGS =					\
 	$(WARNINGFLAGS_C)
 
diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4
new file mode 100644
index 0000000..c3a8d69
--- /dev/null
+++ b/m4/ax_check_compile_flag.m4
@@ -0,0 +1,72 @@
+# ===========================================================================
+#   http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the current language's compiler
+#   or gives an error.  (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the current language's default
+#   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
+#   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
+#   force the compiler to issue an error when a bad flag is given.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4
new file mode 100644
index 0000000..e2d0d36
--- /dev/null
+++ b/m4/ax_check_link_flag.m4
@@ -0,0 +1,71 @@
+# ===========================================================================
+#    http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the linker or gives an error.
+#   (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the linker's default flags
+#   when the check is done.  The check is thus made with the flags: "LDFLAGS
+#   EXTRA-FLAGS FLAG".  This can for example be used to force the linker to
+#   issue an error when a bad flag is given.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+  ax_check_save_flags=$LDFLAGS
+  LDFLAGS="$LDFLAGS $4 $1"
+  AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  LDFLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
diff --git a/src/Makefile.am b/src/Makefile.am
index 59fc8ec..fdefafd 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,6 +10,7 @@ dist_introspection_DATA = 				\
 	org.freedesktop.ColorManager.Profile.xml
 
 AM_CPPFLAGS =						\
+	$(PIE_CFLAGS)					\
 	$(GLIB_CFLAGS)					\
 	$(POLKIT_CFLAGS)				\
 	$(LCMS_CFLAGS)					\
@@ -108,6 +109,9 @@ colord_LDADD =						\
 	$(COLORD_PRIVATE_LIBS)				\
 	$(GLIB_LIBS)
 
+colord_LDFLAGS =					\
+	$(PIE_LDFLAGS)
+
 colord_CFLAGS =						\
 	$(WARNINGFLAGS_C)