Add RELRO build knob, default to enabled

Note that lld enables relro by default, so that we already had either partial or full RELRO, depending on the state of the BIND_NOW knob. Add a RELRO knob so that the option can be disabled if desired, and so that builds using the GNU toolchain are equivalent to those using the standard Clang/LLVM toolchain. Reviewed by: markj MFC after: 3 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35545
2022-06-22 08:58:04 -04:00 · 2022-06-22 08:58:04 -04:00 · 2f3a961487
commit 2f3a961487
parent 5d6894bd66
6 changed files with 27 additions and 0 deletions
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@ -79,6 +79,11 @@ TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_RETPOLINE} != "no"
 .if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline}
 CFLAGS+= -mretpoline
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@ -64,6 +64,7 @@ __DEFAULT_YES_OPTIONS = \
    NIS \
    NLS \
    OPENSSH \
+    RELRO \
    SSP \
    TESTS \
    TOOLCHAIN \
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@ -41,6 +41,11 @@ MK_DEBUG_FILES=	no
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_PIE} != "no"
 # Static PIE is not yet supported/tested.
 .if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no"
--- a/tools/build/options/WITHOUT_RELRO
+++ b/tools/build/options/WITHOUT_RELRO
@ -0,0 +1,4 @@
+Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
+See also the
+.Va BIND_NOW
+option.
--- a/tools/build/options/WITH_BIND_NOW
+++ b/tools/build/options/WITH_BIND_NOW
@ -3,3 +3,10 @@ Build all binaries with the
 .Dv DF_BIND_NOW
 flag set to indicate that the run-time loader should perform all relocation
 processing at process startup rather than on demand.
+The combination of the
+.Va BIND_NOW
+and
+.Va RELRO
+options provide "full" Relocation Read-Only (RELRO) support.
+With full RELRO the entire GOT is made read-only after performing relocation at
+startup, avoiding GOT overwrite attacks.
--- a/tools/build/options/WITH_RELRO
+++ b/tools/build/options/WITH_RELRO
@ -0,0 +1,5 @@
+Build all binaries with the Relocation Read-Only (RELRO) vulnerability
+mitigation applied.
+See also the
+.Va BIND_NOW
+option.