From a65eb59c41b6c7c2e18d955079ac121cb531931c Mon Sep 17 00:00:00 2001
From: Steve Grubb
Date: Thu, 15 Dec 2011 10:50:27 -0500
Subject: [PATCH] Add relro flags to libhtp

Hello, The main suricata program can detect and use relro/bind now linker flags. But the directive is per linked object. This means that while the app has protection, its code segment containing libhtp does not. The patch below passes the configure option to libhtp and let's it make use of the compiler's security protection.

Signed-off-by: Steve Grubb
---
 libhtp/configure.ac | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/libhtp/configure.ac b/libhtp/configure.ac
index 8987ab8563..192bd31902 100644
--- a/libhtp/configure.ac
+++ b/libhtp/configure.ac
@@ -70,7 +70,6 @@ AC_PROG_CC
 AM_PROG_LIBTOOL
 AM_SANITY_CHECK
 
-
 dnl -----------------------------------------------
 dnl Checks for libs.
 dnl -----------------------------------------------
@@ -84,6 +83,30 @@ if test "$ZLIB" = "no"; then
 exit 1
 fi
 
+dnl -----------------------------------------------
+dnl provides a read-only relocation table area in the final ELF
+dnl -----------------------------------------------
+AC_MSG_CHECKING(for -z relro)
+TMPLDFLAGS="${LDFLAGS}"
+LDFLAGS="${LDFLAGS} -z relro"
+AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z relro"
+AC_MSG_RESULT(yes),
+AC_MSG_RESULT(no))
+LDFLAGS="${TMPLDFLAGS}"
+
+dnl -----------------------------------------------
+dnl forces all relocations to be resolved at run-time
+dnl -----------------------------------------------
+AC_MSG_CHECKING(for -z now)
+TMPLDFLAGS="${LDFLAGS}"
+LDFLAGS="${LDFLAGS} -z now"
+AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z now"
+AC_MSG_RESULT(yes),
+AC_MSG_RESULT(no))
+LDFLAGS="${TMPLDFLAGS}"
+
+CFLAGS="${CFLAGS} ${SECCFLAGS}"
+LDFLAGS="${LDFLAGS} ${SECLDFLAGS}"
 dnl -----------------------------------------------
 dnl Generates Makefile's, configuration files and scripts
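Review bot: The two probes in the second hunk add a bare `-z relro` / `-z now` to LDFLAGS, but this script builds through libtool (AM_PROG_LIBTOOL is in the first hunk's context), and libtool may not forward an unprefixed `-z` pair to the shared-library link, so the check can print "yes" while libhtp is still linked without the protection. Probing and recording the compiler-driver form, `SECLDFLAGS="${SECLDFLAGS} -Wl,-z,relro"` and `SECLDFLAGS="${SECLDFLAGS} -Wl,-z,now"`, is the safer spelling, and the outcome is worth confirming on the built library with `readelf -l` (a GNU_RELRO segment) and `readelf -d` (BIND_NOW). Separately, `CFLAGS="${CFLAGS} ${SECCFLAGS}"` reads SECCFLAGS, which nothing in this hunk assigns, so it presumably depends on a value inherited from the parent configure's environment; a `dnl` comment stating where it comes from would make that dependency explicit. The hunk's trailing context appears to be cut off on this page.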