Author: emaste Date: Tue Nov 6 15:52:49 2018 New Revision: 340186 URL: https://svnweb.freebsd.org/changeset/base/340186
Log: Add a WITH_BIND_NOW build knob The linker's -z now flag sets the DF_BIND_NOW flag, which signals to the runtime loader that all relocation processing should be performed at process startup rather than on demand. In combination with lld's default of enabling relro this causes the GOT to be made read-only when the process starts, preventing straightforward GOT overwrite attacks. Shawn Webb discovered a failure on HardenedBSD with BIND_NOW and ifunc use, which resulted in my rtld fix in r340137. Add a BIND_NOW knob as it is trivial to do so and is a useful ELF hardening feature. This change is equivalent to HardenedBSD's but not identical as there are other diffs/conflicts nearby. Note that our ELF Tool Chain readelf does not currently decode the DF_BIND_NOW flag - see PR232983. Reviewed by: brooks MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17846 Added: head/tools/build/options/WITHOUT_BIND_NOW (contents, props changed) head/tools/build/options/WITH_BIND_NOW (contents, props changed) Modified: head/share/mk/bsd.lib.mk head/share/mk/bsd.opts.mk head/share/mk/bsd.prog.mk Modified: head/share/mk/bsd.lib.mk ============================================================================== --- head/share/mk/bsd.lib.mk Tue Nov 6 15:29:44 2018 (r340185) +++ head/share/mk/bsd.lib.mk Tue Nov 6 15:52:49 2018 (r340186) @@ -69,6 +69,10 @@ TAGS+= package=${PACKAGE:Uruntime} TAG_ARGS= -T ${TAGS:[*]:S/ /,/g} .endif +# ELF hardening knobs +.if ${MK_BIND_NOW} != "no" +LDFLAGS+= -Wl,-znow +.endif .if ${MK_RETPOLINE} != "no" CFLAGS+= -mretpoline CXXFLAGS+= -mretpoline Modified: head/share/mk/bsd.opts.mk ============================================================================== --- head/share/mk/bsd.opts.mk Tue Nov 6 15:29:44 2018 (r340185) +++ head/share/mk/bsd.opts.mk Tue Nov 6 15:52:49 2018 (r340186) @@ -69,6 +69,7 @@ __DEFAULT_YES_OPTIONS = \ WARNS __DEFAULT_NO_OPTIONS = \ + BIND_NOW \ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \ Modified: head/share/mk/bsd.prog.mk ============================================================================== --- head/share/mk/bsd.prog.mk Tue Nov 6 15:29:44 2018 (r340185) +++ head/share/mk/bsd.prog.mk Tue Nov 6 15:52:49 2018 (r340186) @@ -34,6 +34,10 @@ PROG= ${PROG_CXX} MK_DEBUG_FILES= no .endif +# ELF hardening knobs +.if ${MK_BIND_NOW} != "no" +LDFLAGS+= -Wl,-znow +.endif .if ${MK_RETPOLINE} != "no" CFLAGS+= -mretpoline CXXFLAGS+= -mretpoline Added: head/tools/build/options/WITHOUT_BIND_NOW ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITHOUT_BIND_NOW Tue Nov 6 15:52:49 2018 (r340186) @@ -0,0 +1,5 @@ +.\" $FreeBSD$ +Do not build all binaries with the +.Dv DF_BIND_NOW +flag set. +Run-time relocation processing will be performed on demand. Added: head/tools/build/options/WITH_BIND_NOW ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/build/options/WITH_BIND_NOW Tue Nov 6 15:52:49 2018 (r340186) @@ -0,0 +1,5 @@ +.\" $FreeBSD$ +Build all binaries with the +.Dv DF_BIND_NOW +flag set to indicate that the run-time loader should perform all relocation +processing at process startup rather than on demand. _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
