Browse Source

Add RELRO build knob, default to enabled

Note that lld enables relro by default, so that we already had either
partial or full RELRO, depending on the state of the BIND_NOW knob.

Add a RELRO knob so that the option can be disabled if desired, and so
that builds using the GNU toolchain are equivalent to those using the
standard Clang/LLVM toolchain.

Reviewed by:	markj
MFC after:	3 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35545
main
Ed Maste 2 weeks ago
parent
commit
2f3a961487
  1. 5
      share/mk/bsd.lib.mk
  2. 1
      share/mk/bsd.opts.mk
  3. 5
      share/mk/bsd.prog.mk
  4. 4
      tools/build/options/WITHOUT_RELRO
  5. 7
      tools/build/options/WITH_BIND_NOW
  6. 5
      tools/build/options/WITH_RELRO

5
share/mk/bsd.lib.mk

@ -79,6 +79,11 @@ TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
.if ${MK_BIND_NOW} != "no"
LDFLAGS+= -Wl,-znow
.endif
.if ${MK_RELRO} == "no"
LDFLAGS+= -Wl,-znorelro
.else
LDFLAGS+= -Wl,-zrelro
.endif
.if ${MK_RETPOLINE} != "no"
.if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline}
CFLAGS+= -mretpoline

1
share/mk/bsd.opts.mk

@ -64,6 +64,7 @@ __DEFAULT_YES_OPTIONS = \
NIS \
NLS \
OPENSSH \
RELRO \
SSP \
TESTS \
TOOLCHAIN \

5
share/mk/bsd.prog.mk

@ -41,6 +41,11 @@ MK_DEBUG_FILES= no
.if ${MK_BIND_NOW} != "no"
LDFLAGS+= -Wl,-znow
.endif
.if ${MK_RELRO} == "no"
LDFLAGS+= -Wl,-znorelro
.else
LDFLAGS+= -Wl,-zrelro
.endif
.if ${MK_PIE} != "no"
# Static PIE is not yet supported/tested.
.if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no"

4
tools/build/options/WITHOUT_RELRO

@ -0,0 +1,4 @@
Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
See also the
.Va BIND_NOW
option.

7
tools/build/options/WITH_BIND_NOW

@ -3,3 +3,10 @@ Build all binaries with the
.Dv DF_BIND_NOW
flag set to indicate that the run-time loader should perform all relocation
processing at process startup rather than on demand.
The combination of the
.Va BIND_NOW
and
.Va RELRO
options provide "full" Relocation Read-Only (RELRO) support.
With full RELRO the entire GOT is made read-only after performing relocation at
startup, avoiding GOT overwrite attacks.

5
tools/build/options/WITH_RELRO

@ -0,0 +1,5 @@
Build all binaries with the Relocation Read-Only (RELRO) vulnerability
mitigation applied.
See also the
.Va BIND_NOW
option.
Loading…
Cancel
Save