Hi, as you might know, global read-only data (e.g. the .rodata section)
usually end up in the same segment as .text. This means that .rodata
contains potentially executable data, which is always useful for an
attacker looking for ROP gadgets.

However, the gold linker has a nice option (--rosegment) to split
.rodata and .text into distinct segments, so that read-only data is not
executable.

So: why don't we enable it in Gentoo hardened? I know for sure that
certain packages fail to link with ld.gold (see [1]).

A couple of questions:

* Can we blacklist some packages from being linked using gold? Maybe we
  can provide a package.env file in an overlay/profile listing all
  those that have to use bfd (CFLAGS="-fuse-ld=bfd").
* Does Gentoo have an infrastructure to rapidly test a new option on a
  large set of packages? If not, I might set up something. Scripts to
  orchestrate everything would be useful too.

--
Alessandro Di Federico

[1] https://bugs.gentoo.org/show_bug.cgi?id=269315
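
The property discussed in the message above can be checked on a built binary by finding which PT_LOAD segment holds .rodata and testing its execute bit. The following is an added example, not part of the original post; it assumes little-endian ELF64, the function names are hypothetical, and the sample image is constructed for illustration.

```python
import struct
import sys

PT_LOAD, PF_X = 1, 0x1

def rodata_segment_flags(elf, name=b".rodata"):
    """Return p_flags of the PT_LOAD segment holding `name`, or None if not found."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, e_shoff = struct.unpack_from("<QQ", elf, 0x20)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from("<HHHHH", elf, 0x36)
    def shdr(i):  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        return struct.unpack_from("<IIQQQQ", elf, e_shoff + i * shentsize)
    str_off = shdr(shstrndx)[4]
    for i in range(shnum):
        sh_name, _, _, sh_addr, _, _ = shdr(i)
        start = str_off + sh_name
        if elf[start:elf.index(b"\0", start)] != name:
            continue
        for j in range(phnum):
            # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz
            p = struct.unpack_from("<IIQQQQQ", elf, e_phoff + j * phentsize)
            if p[0] == PT_LOAD and p[3] <= sh_addr < p[3] + p[6]:
                return p[1]
    return None

def rodata_is_executable(elf):
    flags = rodata_segment_flags(elf)
    return flags is not None and bool(flags & PF_X)

def sample_elf(split):
    """Constructed image (headers and string table only, not a loadable program)."""
    strtab = b"\0.text\0.rodata\0.shstrtab\0"
    # (p_flags, vaddr, memsz): one R+X segment, or R+X for .text plus R-only for .rodata
    loads = [(5, 0x1000, 0x1000), (4, 0x2000, 0x1000)] if split else [(5, 0x1000, 0x2000)]
    stroff = 64 + 56 * len(loads)
    shoff = stroff + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, shoff, 0, 64, 56, len(loads), 64, 4, 3)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, f, 0, va, va, 0, sz, 0x1000)
                     for f, va, sz in loads)
    # (sh_name, sh_type, sh_addr, sh_offset, sh_size) for null, .text, .rodata, .shstrtab
    secs = [(0, 0, 0, 0, 0), (1, 1, 0x1000, 0, 0), (7, 1, 0x2000, 0, 0), (15, 3, 0, stroff, len(strtab))]
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", n, t, 0, a, o, s, 0, 0, 1, 0)
                     for n, t, a, o, s in secs)
    return ehdr + phdrs + strtab + shdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass paths of ELF files to inspect
        with open(path, "rb") as f:
            print(path, "executable .rodata:", rodata_is_executable(f.read()))
```

Run over the files a package installs, this gives a per-binary pass/fail that a large-scale test of the linker option could aggregate.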
