config_host.mk.in                |    1 +
 configure.ac                     |   12 ++++++++++++
 solenv/gbuild/platform/unxgcc.mk |    1 +
 3 files changed, 14 insertions(+)

New commits:
commit 7a4e60b63d0006cf06d18f3d4c7519d72cddc97b
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Fri Jul 4 21:37:44 2025 +0100
Commit:     Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Mon Jul 7 12:37:16 2025 +0200

    add -Wl,-z,relro,-z,now to hardening ldflags
    
    See: 
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
    
    as a happy side effect this reduces dirty pages as measured by
    
    pmap -px PID|grep 'rw.--'|grep -v anon|awk '{ sum+=$4 } END { print sum }'
    
    for a --with-distro=CPLinux-LOKit build and spawned kit calc process from
    2588 to 2352 pages
    
    Change-Id: I86b3ae025300907a240affd6d9a3d36d2eecbfb5
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187469
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    Tested-by: Jenkins

diff --git a/config_host.mk.in b/config_host.mk.in
index 9b7a7a747e2d..c89ee21a0351 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -196,6 +196,7 @@ export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
 export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_LDFLAGS=@HARDENING_LDFLAGS@
 export HARDENING_CFLAGS=@HARDENING_CFLAGS@
 export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
diff --git a/configure.ac b/configure.ac
index c59fcb215ae7..b964c2eae37b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7795,9 +7795,20 @@ dnl ===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_LDFLAGS=
 HARDENING_CFLAGS=
 HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+
+    AC_MSG_CHECKING([for full RELRO linker support])
+    save_LDFLAGS=$LDFLAGS
+    LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_LDFLAGS="$HARDENING_LDFLAGS -Wl,-z,relro,-z,now"],
+        [AC_MSG_RESULT([no])])
+    LDFLAGS=$save_LDFLAGS
+
     AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
     save_CFLAGS=$CFLAGS
     CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
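Review bot: The RELRO probe between `AC_MSG_CHECKING([for full RELRO linker support])` and `LDFLAGS=$save_LDFLAGS` only proves that the test link did not fail. A linker that merely warns about a `-z` keyword it does not recognise would still pass, so `HARDENING_LDFLAGS` may be set on a toolchain that silently ignores it. The `-grecord-gcc-switches` check just below adds `-Werror` for its probe, but this one has no equivalent. Where the linker supports it, using `LDFLAGS="$LDFLAGS -Wl,--fatal-warnings -Wl,-z,relro,-z,now"` for the probe only would make the "yes" result trustworthy. A short `dnl` comment above the check should also record that `-z now` resolves all symbols at load time, trading lazy binding for a read-only GOT, so the cost is documented next to the flag. The enclosing `if test "$GCC" = "yes" ...` block continues outside the hunk.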
@@ -7996,6 +8007,7 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_LDFLAGS)
 AC_SUBST(HARDENING_CFLAGS)
 AC_SUBST(HARDENING_OPT_CFLAGS)
 
diff --git a/solenv/gbuild/platform/unxgcc.mk b/solenv/gbuild/platform/unxgcc.mk
index ef6750ed5f38..2f8f4df9603b 100644
--- a/solenv/gbuild/platform/unxgcc.mk
+++ b/solenv/gbuild/platform/unxgcc.mk
@@ -72,6 +72,7 @@ ifeq (,$(DISABLE_DYNLOADING))
 gb_LinkTarget_LDFLAGS += \
        -Wl,-rpath-link,$(SYSBASE)/lib:$(SYSBASE)/usr/lib \
        -Wl,-z,combreloc \
+       $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_LDFLAGS)) \
 
 endif
 
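Review bot: `$(HARDENING_LDFLAGS)` is appended to `gb_LinkTarget_LDFLAGS` only inside what the hunk header shows as the `ifeq (,$(DISABLE_DYNLOADING))` branch. From this hunk alone it appears that DISABLE_DYNLOADING builds, and anything not linked through gbuild link targets, would not receive full RELRO. If that scope is intended, a comment above the `gb_LinkTarget_LDFLAGS +=` assignment would record it, for example `# full RELRO (HARDENING_LDFLAGS from configure) applies to dynamically-loading gbuild link targets only`. A post-build check that shipped ELF objects carry a `GNU_RELRO` segment and the `BIND_NOW` dynamic flag (`readelf -lW` and `readelf -dW`) would confirm coverage and catch regressions. The `ifeq` block opens before the hunk.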
