FreeBSD
/
src
mirror of https://git.FreeBSD.org/src.git
1
0
Fork 0
Code Releases Activity
Browse Source

Add RELRO build knob, default to enabled 

Note that lld enables relro by default, so that we already had either
partial or full RELRO, depending on the state of the BIND_NOW knob.

Add a RELRO knob so that the option can be disabled if desired, and so
that builds using the GNU toolchain are equivalent to those using the
standard Clang/LLVM toolchain.

Reviewed by:	markj
MFC after:	3 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35545
main
Ed Maste 2 weeks ago
parent
5d6894bd66
commit
2f3a961487
6 changed files with 27 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      share/mk/bsd.lib.mk
  2. 1
      share/mk/bsd.opts.mk
  3. 5
      share/mk/bsd.prog.mk
  4. 4
      tools/build/options/WITHOUT_RELRO
  5. 7
      tools/build/options/WITH_BIND_NOW
  6. 5
      tools/build/options/WITH_RELRO

5
share/mk/bsd.lib.mk
Unescape View File

@ -79,6 +79,11 @@ TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
.if ${MK_BIND_NOW} != "no"
LDFLAGS+= -Wl,-znow
.endif
.if ${MK_RELRO} == "no"
LDFLAGS+= -Wl,-znorelro
.else
LDFLAGS+= -Wl,-zrelro
.endif
.if ${MK_RETPOLINE} != "no"
.if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline}
CFLAGS+= -mretpoline

1
share/mk/bsd.opts.mk
Unescape View File

@ -64,6 +64,7 @@ __DEFAULT_YES_OPTIONS = \
NIS \
NLS \
OPENSSH \
RELRO \
SSP \
TESTS \
TOOLCHAIN \

5
share/mk/bsd.prog.mk
Unescape View File

@ -41,6 +41,11 @@ MK_DEBUG_FILES= no
.if ${MK_BIND_NOW} != "no"
LDFLAGS+= -Wl,-znow
.endif
.if ${MK_RELRO} == "no"
LDFLAGS+= -Wl,-znorelro
.else
LDFLAGS+= -Wl,-zrelro
.endif
.if ${MK_PIE} != "no"
# Static PIE is not yet supported/tested.
.if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no"

4
tools/build/options/WITHOUT_RELRO
Unescape View File

@ -0,0 +1,4 @@
Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
See also the
.Va BIND_NOW
option.

7
tools/build/options/WITH_BIND_NOW
Unescape View File

@ -3,3 +3,10 @@ Build all binaries with the
.Dv DF_BIND_NOW
flag set to indicate that the run-time loader should perform all relocation
processing at process startup rather than on demand.
The combination of the
.Va BIND_NOW
and
.Va RELRO
options provide "full" Relocation Read-Only (RELRO) support.
With full RELRO the entire GOT is made read-only after performing relocation at
startup, avoiding GOT overwrite attacks.

5
tools/build/options/WITH_RELRO
Unescape View File

@ -0,0 +1,5 @@
Build all binaries with the Relocation Read-Only (RELRO) vulnerability
mitigation applied.
See also the
.Va BIND_NOW
option.
Write Preview
Loading…
Cancel
Save