From a76a2f54c74709ec7a02cbb48a0b57dff631e614 Mon Sep 17 00:00:00 2001 From: Sebastien Boeuf Date: Mon, 27 Mar 2017 13:52:15 -0700 Subject: [PATCH] Makefile: Ensure noexecstack and relro are enabled As we want to increase the security of the project, we want to make sure we have both noexecstack and relro flags enabled. By default on several distributions, gcc will enable those flags, but we don't want to end up with a case where those flags are not enabled. About the details of these flags, noexecstack protects the stack from being executed, while relro protects against data relocation. Notice that relro has been fully enabled by adding "-z now". A partial relro would have omitted this option. Signed-off-by: Sebastien Boeuf --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 05a68e65..b3d3c991 100644 --- a/Makefile.am +++ b/Makefile.am @@ -140,7 +140,7 @@ AM_CFLAGS = -std=gnu99 -fstack-protector -Wall -pedantic \ -Wconversion -Wunreachable-code \ -fPIE -AM_LDFLAGS = -pie +AM_LDFLAGS = -pie -z noexecstack -z relro -z now # We set --with-systemdunitdir here so make distcheck can run make install as a # normal user and not fail.