Improved PIE binary tooling

Ed Maste emaste at freebsd.org
Thu Jun 4 14:23:23 UTC 2020


Kostik and I recently committed a couple of changes to improve PIE
binary support:

r361725 Do not allow to load ET_DYN object with DF_1_PIE flag set.
r361740 lld: Set DF_1_PIE for -pie

Previously there could be ambiguity as to whether an object is a
shared library (DSO) or Position Independent Executable (PIE) binary;
a PIE is in fact a special type of DSO. These changes add a .dynamic
flag DF_1_PIE that's used to unambiguously indicate that an object is
a PIE binary, and disallow the use of dlopen() or DT_NEEDED on that
binary.

Future changes should have file(1) report "position independent
executable" or similar instead of "shared object". Some desktop
environments / file managers have had issues refusing to execute PIE
binaries, and tagging them should also address those.
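
The check described above, written out as an added example (not part of the original post and not the rtld, lld or file(1) code): it walks the .dynamic entries of an ELF64 little-endian image and looks for DF_1_PIE in DT_FLAGS_1. The names `classify` and `build_sample` are hypothetical, and the sample images are constructed inline rather than real binaries.

```python
import struct

ET_DYN, PT_DYNAMIC = 3, 2
DT_NULL, DT_FLAGS_1 = 0, 0x6FFFFFFB
DF_1_PIE = 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<QQ"  # ELF64, little-endian

def classify(image: bytes) -> str:
    """Return 'pie' (ET_DYN with DF_1_PIE), 'dso' (ET_DYN without it) or 'other'."""
    try:
        hdr = struct.unpack_from(EHDR, image)
        ident, e_type, phoff, phentsize, phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
        if ident[:4] != b"\x7fELF" or ident[4:6] != b"\x02\x01":
            raise ValueError("not a little-endian ELF64 image")
        if e_type != ET_DYN:
            return "other"
        for i in range(phnum):
            ph = struct.unpack_from(PHDR, image, phoff + i * phentsize)
            p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
            if p_type != PT_DYNAMIC:
                continue
            # Walk the Elf64_Dyn array until DT_NULL or the end of the segment.
            for pos in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from(DYN, image, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    return "pie"
    except (struct.error, OverflowError) as exc:
        raise ValueError("truncated or malformed ELF image") from exc
    # No flag: a shared library, or a PIE linked before the linker set DF_1_PIE.
    return "dso"

def build_sample(flags_1: int, e_type: int = ET_DYN) -> bytes:
    """Constructed minimal image: ELF header, one PT_DYNAMIC phdr, two dynamic entries."""
    dyn = struct.pack(DYN, DT_FLAGS_1, flags_1) + struct.pack(DYN, DT_NULL, 0)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(PHDR, PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    for label, flags in (("tagged PIE", DF_1_PIE), ("untagged ET_DYN", 0)):
        print(label, "->", classify(build_sample(flags)))
```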

