diff options
| author | Ed Maste <emaste@FreeBSD.org> | 2022-06-22 12:58:04 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2023-03-02 14:25:27 +0000 |
| commit | ee71c37bc1231f56b82e6b8993d370ccb22a91f6 (patch) | |
| tree | 787edf9e5fe546b5467ef739e99968231971963c | |
| parent | 2b29bd3a6d59eec73db76575303dac145d82aa57 (diff) | |
| download | src-ee71c37bc1231f56b82e6b8993d370ccb22a91f6.tar.gz src-ee71c37bc1231f56b82e6b8993d370ccb22a91f6.zip | |
Add RELRO build knob, default to enabled
Note that lld enables relro by default, so that we already had either
partial or full RELRO, depending on the state of the BIND_NOW knob.
Add a RELRO knob so that the option can be disabled if desired, and so
that builds using the GNU toolchain are equivalent to those using the
standard Clang/LLVM toolchain.
Reviewed by: markj
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35545
(cherry picked from commit 2f3a961487c97dc879f07bb97bc62d7bd70b3f8d)
| -rw-r--r-- | share/mk/bsd.lib.mk | 5 | ||||
| -rw-r--r-- | share/mk/bsd.opts.mk | 1 | ||||
| -rw-r--r-- | share/mk/bsd.prog.mk | 5 | ||||
| -rw-r--r-- | tools/build/options/WITHOUT_RELRO | 4 | ||||
| -rw-r--r-- | tools/build/options/WITH_BIND_NOW | 7 | ||||
| -rw-r--r-- | tools/build/options/WITH_RELRO | 5 |
6 files changed, 27 insertions, 0 deletions
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk index d4819615d50c..71c3dab011ef 100644 --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -77,6 +77,11 @@ TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} .if ${MK_BIND_NOW} != "no" LDFLAGS+= -Wl,-znow .endif +.if ${MK_RELRO} == "no" +LDFLAGS+= -Wl,-znorelro +.else +LDFLAGS+= -Wl,-zrelro +.endif .if ${MK_RETPOLINE} != "no" .if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline} CFLAGS+= -mretpoline diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk index 33d843593427..33516070ac67 100644 --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk @@ -62,6 +62,7 @@ __DEFAULT_YES_OPTIONS = \ NLS \ OPENSSH \ PROFILE \ + RELRO \ SSP \ TESTS \ TOOLCHAIN \ diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk index 5e7aaaeb37f8..78fc920ec337 100644 --- a/share/mk/bsd.prog.mk +++ b/share/mk/bsd.prog.mk @@ -41,6 +41,11 @@ MK_DEBUG_FILES= no .if ${MK_BIND_NOW} != "no" LDFLAGS+= -Wl,-znow .endif +.if ${MK_RELRO} == "no" +LDFLAGS+= -Wl,-znorelro +.else +LDFLAGS+= -Wl,-zrelro +.endif .if ${MK_PIE} != "no" # Static PIE is not yet supported/tested. .if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no" diff --git a/tools/build/options/WITHOUT_RELRO b/tools/build/options/WITHOUT_RELRO new file mode 100644 index 000000000000..f5b661f5916d --- /dev/null +++ b/tools/build/options/WITHOUT_RELRO @@ -0,0 +1,4 @@ +Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation. +See also the +.Va BIND_NOW +option. diff --git a/tools/build/options/WITH_BIND_NOW b/tools/build/options/WITH_BIND_NOW index 02e4c37352b4..a2d3ac7e7779 100644 --- a/tools/build/options/WITH_BIND_NOW +++ b/tools/build/options/WITH_BIND_NOW @@ -3,3 +3,10 @@ Build all binaries with the .Dv DF_BIND_NOW flag set to indicate that the run-time loader should perform all relocation processing at process startup rather than on demand. +The combination of the +.Va BIND_NOW +and +.Va RELRO +options provide "full" Relocation Read-Only (RELRO) support. +With full RELRO the entire GOT is made read-only after performing relocation at +startup, avoiding GOT overwrite attacks. diff --git a/tools/build/options/WITH_RELRO b/tools/build/options/WITH_RELRO new file mode 100644 index 000000000000..cfc344dd9cfe --- /dev/null +++ b/tools/build/options/WITH_RELRO @@ -0,0 +1,5 @@ +Build all binaries with the Relocation Read-Only (RELRO) vulnerability +mitigation applied. +See also the +.Va BIND_NOW +option. |