configure.ac: Add more hardening flags for GCC.

Also move -pie to LDFLAGS, it's a linker flag.

diff --git a/configure.ac b/configure.ac
index 82be75124597f229f49e626c176b030b55e02a13..4c7c937d77855d9daa1d40e252cc180575f0147c 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -12,8 +12,11 @@ if test "x$GCC" = xyes; then
     CFLAGS="-std=c89 -pedantic -Wall -Wextra -Werror $CFLAGS"
     CFLAGS="-D_XOPEN_SOURCE=500 -Wno-error=int-to-pointer-cast $CFLAGS"
     # Additional security flags.
-    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector -fPIE -pie"
-    LDFLAGS="$LDFLAGS -z relro -z now"
+    CFLAGS="$CFLAGS -Wformat -Wformat-security -Werror=format-security"
+    CFLAGS="$CFLAGS -fstack-protector-all -Wstack-protector"
+    CFLAGS="$CFLAGS --param ssp-buffer-size=1"
+    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fPIE"
+    LDFLAGS="$LDFLAGS -Wl,-z,relro -Wl,-z,now -fPIE -pie"
 fi
 
 AC_CHECK_LIB([pthread], [pthread_create],