* Matthias Baesken:

> If I understand
> https://bugzilla.redhat.com/show_bug.cgi?id=1571359
> correct, RedHat is setting those flags already via the build system.

BFD ld in binutils defaults to relro, except perhaps on s390x where your version might not implement the partial RELRO variant that you get without -z now (BIND_NOW is not enabled by default).

> Regarding "bindnow" (ld -z now), this might be set additionally by
> using --with-extra-ldflags.

Yes, that is usually more controversial because it can have an impact on startup time. But even the AWT libraries have relatively few function references, so it probably does not matter.

On the other hand, all this security hardening is typically not very effective because part of classes.jsa is mapped rwx at a fixed address, so you can just abuse that (if you want to inject machine code directly, I'm sure there are other options for bytecode).

Thanks,
Florian