config_host.mk.in | 1 + configure.ac | 12 ++++++++++++ solenv/gbuild/platform/unxgcc.mk | 1 + 3 files changed, 14 insertions(+)
New commits: commit d6cbb0d98cc73c6bed76f675bac12afb2769913a Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Fri Jul 4 21:37:44 2025 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Mon Jul 7 12:13:11 2025 +0200 add -Wl,-z,relro,-z,now to hardening ldflags See: https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro as a happy side effect this reduces dirty pages as measured by pmap -px PID|grep 'rw.--'|grep -v anon|awk '{ sum+=$4 } END { print sum }' for a --with-distro=CPLinux-LOKit build and spawned kit calc process from 2588 to 2352 pages Change-Id: I86b3ae025300907a240affd6d9a3d36d2eecbfb5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187430 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> Reviewed-by: Michael Meeks <michael.me...@collabora.com>
diff --git a/config_host.mk.in b/config_host.mk.in
index 211154f50010..b6256ac00ef9 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -196,6 +196,7 @@ export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
 export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_LDFLAGS=@HARDENING_LDFLAGS@
 export HARDENING_CFLAGS=@HARDENING_CFLAGS@
 export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
diff --git a/configure.ac b/configure.ac
index d081bd5011a3..de8350fe9f6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7753,9 +7753,20 @@ dnl ===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_LDFLAGS=
 HARDENING_CFLAGS=
 HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+
+ AC_MSG_CHECKING([for full RELRO linker support])
+ save_LDFLAGS=$LDFLAGS
+ LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_LDFLAGS="$HARDENING_LDFLAGS -Wl,-z,relro,-z,now"],
+ [AC_MSG_RESULT([no])])
+ LDFLAGS=$save_LDFLAGS
+
 AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
 save_CFLAGS=$CFLAGS
 CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
@@ -7954,6 +7965,7 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_LDFLAGS)
 AC_SUBST(HARDENING_CFLAGS)
 AC_SUBST(HARDENING_OPT_CFLAGS)
diff --git a/solenv/gbuild/platform/unxgcc.mk b/solenv/gbuild/platform/unxgcc.mk
index 1c289b193d4e..4b41ff8f2478 100644
--- a/solenv/gbuild/platform/unxgcc.mk
+++ b/solenv/gbuild/platform/unxgcc.mk
@@ -72,6 +72,7 @@ ifeq (,$(DISABLE_DYNLOADING))
 gb_LinkTarget_LDFLAGS += \
 -Wl,-rpath-link,$(SYSBASE)/lib:$(SYSBASE)/usr/lib \
 -Wl,-z,combreloc \
+ $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_LDFLAGS)) \
 endif
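Review bot: The new RELRO probe in the first configure.ac hunk (`@@ -7753`) can answer "yes" for a linker that does not actually honour the option, because `AC_LINK_IFELSE` fails only on a link error and GNU ld, as far as I know, reports an unrecognised `-z` keyword as a warning. The compiler probe right below it already adds `-Werror`, presumably for the same kind of reason; the linker-side equivalent would be to probe with `LDFLAGS="$LDFLAGS -Wl,--fatal-warnings -Wl,-z,relro,-z,now"` while still appending only `-Wl,-z,relro,-z,now` to `HARDENING_LDFLAGS`. If that proves too strict on a toolchain that emits unrelated linker warnings, the alternative is to inspect the linked conftest for a GNU_RELRO segment and a BIND_NOW flag. The enclosing `if test "$GCC" = "yes" ...` block closes outside the hunk.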
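Review bot: Nothing in the unxgcc.mk hunk (`@@ -72`) says what `HARDENING_LDFLAGS` buys or costs, and only targets linked through `gb_LinkTarget_LDFLAGS` inside the `ifeq (,$(DISABLE_DYNLOADING))` branch receive it. I would add `# full RELRO: relocations resolved at load, GOT then read-only; costs eager symbol binding at startup` above the `gb_LinkTarget_LDFLAGS += \` line, not between the continued lines, where a `#` would swallow the rest of the assignment. Whether bundled external libraries built by their own build systems pick the flags up is not visible here; if they do not, those DSOs keep a writable GOT. It is worth confirming on a finished build with `readelf -lW` (GNU_RELRO segment) and `readelf -dW` (BIND_NOW). The `ifeq` opens outside the hunk.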