git: 2f3a961487c9 - main - Add RELRO build knob, default to enabled

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 22 Jun 2022 16:20:12 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f3a961487c97dc879f07bb97bc62d7bd70b3f8d

commit 2f3a961487c97dc879f07bb97bc62d7bd70b3f8d
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-06-22 12:58:04 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-06-22 16:18:41 +0000

    Add RELRO build knob, default to enabled
    
    Note that lld enables relro by default, so that we already had either
    partial or full RELRO, depending on the state of the BIND_NOW knob.
    
    Add a RELRO knob so that the option can be disabled if desired, and so
    that builds using the GNU toolchain are equivalent to those using the
    standard Clang/LLVM toolchain.
    
    Reviewed by:    markj
    MFC after:      3 weeks
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35545
---
 share/mk/bsd.lib.mk               | 5 +++++
 share/mk/bsd.opts.mk              | 1 +
 share/mk/bsd.prog.mk              | 5 +++++
 tools/build/options/WITHOUT_RELRO | 4 ++++
 tools/build/options/WITH_BIND_NOW | 7 +++++++
 tools/build/options/WITH_RELRO    | 5 +++++
 6 files changed, 27 insertions(+)

diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
index 5c7b73c5a8a9..9ba08a7ca619 100644
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -79,6 +79,11 @@ TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_RETPOLINE} != "no"
 .if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline}
 CFLAGS+= -mretpoline
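Review bot: the added MK_RELRO block has no comment explaining why the .else branch passes -Wl,-zrelro explicitly, and a reader who knows that lld already defaults to relro may take that branch for redundant. The commit message gives the reason (builds with the GNU toolchain should match Clang/LLVM builds); a one-line comment above the .if saying so would keep the branch from being trimmed later. The test is also inverted relative to the neighbouring MK_BIND_NOW and MK_RETPOLINE checks, which use != "no"; putting -zrelro under .if ${MK_RELRO} != "no" and -znorelro under .else would read the same way as its neighbours.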
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index 7e5c985957f0..d448656bd96d 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -64,6 +64,7 @@ __DEFAULT_YES_OPTIONS = \
     NIS \
     NLS \
     OPENSSH \
+    RELRO \
     SSP \
     TESTS \
     TOOLCHAIN \
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
index 6b8da09edaf0..eed7d652fad1 100644
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -41,6 +41,11 @@ MK_DEBUG_FILES=	no
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_PIE} != "no"
 # Static PIE is not yet supported/tested.
 .if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no"
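Review bot: the five added lines here are an exact copy of the block added to bsd.lib.mk, so any later change to how the RELRO flag is chosen has to be made in both files. The context lines show the MK_BIND_NOW block is already duplicated the same way, so this follows the existing pattern, but it would be worth either setting both linker flags once in a file that bsd.lib.mk and bsd.prog.mk share, or adding a comment in each copy pointing at the other so they do not drift.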
diff --git a/tools/build/options/WITHOUT_RELRO b/tools/build/options/WITHOUT_RELRO
new file mode 100644
index 000000000000..f5b661f5916d
--- /dev/null
+++ b/tools/build/options/WITHOUT_RELRO
@@ -0,0 +1,4 @@
+Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
+See also the
+.Va BIND_NOW
+option.
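Review bot: the WITHOUT_RELRO text points at BIND_NOW without saying how the two options interact. The WITH_BIND_NOW text in this same patch defines full RELRO as BIND_NOW plus RELRO, so it would help to state here that setting WITHOUT_RELRO gives up the read-only GOT even when WITH_BIND_NOW is set. Given the commit message's note that lld enables relro by default, a sentence saying that this option actively turns it off (-znorelro) rather than merely leaving the linker default in place would also be useful.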
diff --git a/tools/build/options/WITH_BIND_NOW b/tools/build/options/WITH_BIND_NOW
index 02e4c37352b4..a2d3ac7e7779 100644
--- a/tools/build/options/WITH_BIND_NOW
+++ b/tools/build/options/WITH_BIND_NOW
@@ -3,3 +3,10 @@ Build all binaries with the
 .Dv DF_BIND_NOW
 flag set to indicate that the run-time loader should perform all relocation
 processing at process startup rather than on demand.
+The combination of the
+.Va BIND_NOW
+and
+.Va RELRO
+options provide "full" Relocation Read-Only (RELRO) support.
+With full RELRO the entire GOT is made read-only after performing relocation at
+startup, avoiding GOT overwrite attacks.
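Review bot: subject-verb agreement in the first added sentence: "The combination of the BIND_NOW and RELRO options provide" should read "provides", since the subject is "combination".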
diff --git a/tools/build/options/WITH_RELRO b/tools/build/options/WITH_RELRO
new file mode 100644
index 000000000000..cfc344dd9cfe
--- /dev/null
+++ b/tools/build/options/WITH_RELRO
@@ -0,0 +1,5 @@
+Build all binaries with the Relocation Read-Only (RELRO) vulnerability
+mitigation applied.
+See also the
+.Va BIND_NOW
+option.
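Review bot: the WITH_RELRO text does not say that RELRO on its own gives only partial RELRO; the partial/full distinction appears in the commit message and in WITH_BIND_NOW but not in the file a user reads when deciding on this knob. Suggest adding a sentence such as "Without BIND_NOW this provides partial RELRO; see BIND_NOW for full RELRO" so the "See also" reference explains why the reader should follow it.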