> > Enable NX (prevent data to be executable) and ASLR (address > randomisation). > > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > --- > Makefile.am | 27 ++++++++++++++++++++++++--- > 1 file changed, 24 insertions(+), 3 deletions(-) > > diff --git a/Makefile.am b/Makefile.am > index 62640f2..3556681 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -20,11 +20,31 @@ endif > # -lversion is needed for the GetFileVersion* API which is used by vdlog.cpp > LIBS = -lversion > > +# binutils does not take into account entry point when > +# -pie is used so we need to provide it manually > +ENTRY_PREFIX := $(if $(filter x86_64,$(host_cpu)),,_) > + > +# --dynamicbase to enable ASLR protection > +# --nxcompat is to enable NX protection > +# --pie as --dynamicbase requires relocations > +LDFLAGS_SECURITY_COMMON = \ > + -Wl,--dynamicbase -Wl,-pie \ > + -Wl,--nxcompat \ > + $(NULL) > +LDFLAGS_SECURITY_GUI = $(LDFLAGS_SECURITY_COMMON) \ > + -Wl,-e,$(ENTRY_PREFIX)WinMainCRTStartup \ > + -mwindows \ > + $(NULL) > +LDFLAGS_SECURITY_CUI = $(LDFLAGS_SECURITY_COMMON) \ > + -Wl,-e,$(ENTRY_PREFIX)mainCRTStartup \ > + -mconsole \ > + $(NULL) > + > bin_PROGRAMS = vdagent vdservice > > vdagent_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32 > vdagent_rc.$(OBJEXT) > vdagent_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS) > -vdagent_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,windows > +vdagent_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_GUI) > vdagent_SOURCES = \ > common/vdcommon.cpp \ > common/vdcommon.h \ > @@ -53,6 +73,7 @@ vdagent_rc.$(OBJEXT): vdagent/vdagent.rc > MAINTAINERCLEANFILES += vdagent_rc.$(OBJEXT) > > vdservice_LDADD = -lwtsapi32 vdservice_rc.$(OBJEXT) > +vdservice_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI) > vdservice_SOURCES = \ > common/stdint.h \ > common/vdcommon.cpp \ > @@ -71,7 +92,7 @@ check_PROGRAMS = imagetest > > imagetest_LDADD = $(LIBPNG_LIBS) $(ZLIB_LIBS) -lwtsapi32 -lgdi32 > imagetest_CXXFLAGS = $(AM_CXXFLAGS) $(LIBPNG_CFLAGS) > -imagetest_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console > +imagetest_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI) > imagetest_SOURCES = \ > common/vdcommon.cpp \ > common/vdcommon.h \ > @@ -91,7 +112,7 @@ check_PROGRAMS += test-log-win > TESTS += test-log > EXTRA_DIST += test-log > > -test_log_win_LDFLAGS = $(AM_LDFLAGS) -Wl,--subsystem,console > +test_log_win_LDFLAGS = $(AM_LDFLAGS) $(LDFLAGS_SECURITY_CUI) > test_log_win_SOURCES = \ > common/vdcommon.cpp \ > common/vdcommon.h \ Part of the complexity of this patch is due to this issue: https://sourceware.org/bugzilla/show_bug.cgi?id=21964 Frediano _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel