Date:      Thu, 26 Sep 2019 18:56:41 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r352769 - in releng/12.1: share/mk tools/build/options
Message-ID:  <201909261856.x8QIuf6Y078677@repo.freebsd.org>

Author: emaste
Date: Thu Sep 26 18:56:41 2019
New Revision: 352769
URL: https://svnweb.freebsd.org/changeset/base/352769

Log:
  MFS r352752: Add a WITH_BIND_NOW build knob
  
  MFC r340186: Add a WITH_BIND_NOW build knob
  
  The linker's -z now flag sets the DF_BIND_NOW flag, which signals to the
  runtime loader that all relocation processing should be performed at
  process startup rather than on demand.  In combination with lld's
  default of enabling relro this causes the GOT to be made read-only when
  the process starts, preventing straightforward GOT overwrite attacks.
  
  MFC r341429: disable BIND_NOW in libc, libthr, and rtld
  
  An issue remains with BIND_NOW and processes using threads.  For now,
  restore libc's BIND_NOW disable, and also disable BIND_NOW in rtld and
  libthr.
  
  MFC r345625: revert r341429 "disable BIND_NOW in libc, libthr, and rtld"
  
  r345620 by kib@ fixed the rtld issue that caused a crash at startup
  during resolution of libc's ifuncs with BIND_NOW.
  
  MFC r345638: Revert change accidentally committed along with r345625
  
  MFC r345640: Revert other accidentally committed part of r345625
  
  Approved by:	re (gjb)
  Sponsored by:	The FreeBSD Foundation

Added:
  releng/12.1/tools/build/options/WITHOUT_BIND_NOW
     - copied unchanged from r352752, stable/12/tools/build/options/WITHOUT_BIND_NOW
  releng/12.1/tools/build/options/WITH_BIND_NOW
     - copied unchanged from r352752, stable/12/tools/build/options/WITH_BIND_NOW
Modified:
  releng/12.1/share/mk/bsd.lib.mk
  releng/12.1/share/mk/bsd.opts.mk
  releng/12.1/share/mk/bsd.prog.mk
Directory Properties:
  releng/12.1/   (props changed)

Modified: releng/12.1/share/mk/bsd.lib.mk
==============================================================================
--- releng/12.1/share/mk/bsd.lib.mk	Thu Sep 26 18:37:58 2019	(r352768)
+++ releng/12.1/share/mk/bsd.lib.mk	Thu Sep 26 18:56:41 2019	(r352769)
@@ -69,6 +69,10 @@ TAGS+=		package=${PACKAGE:Uruntime}
 TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
 .endif
 
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
 .if ${MK_RETPOLINE} != "no"
 CFLAGS+= -mretpoline
 CXXFLAGS+= -mretpoline
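Review bot: The new block in bsd.lib.mk passes only `-Wl,-znow`, so the read-only GOT described in the log depends on the linker enabling relro by default, which the log attributes to lld. With a linker that does not do so, DF_BIND_NOW is set but nothing makes the GOT read-only. Consider passing `-Wl,-zrelro` next to it, or add a comment above `LDFLAGS+= -Wl,-znow` stating that the knob relies on the linker's relro default.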

Modified: releng/12.1/share/mk/bsd.opts.mk
==============================================================================
--- releng/12.1/share/mk/bsd.opts.mk	Thu Sep 26 18:37:58 2019	(r352768)
+++ releng/12.1/share/mk/bsd.opts.mk	Thu Sep 26 18:56:41 2019	(r352769)
@@ -69,6 +69,7 @@ __DEFAULT_YES_OPTIONS = \
     WARNS
 
 __DEFAULT_NO_OPTIONS = \
+    BIND_NOW \
     CCACHE_BUILD \
     CTF \
     INSTALL_AS_USER \

Modified: releng/12.1/share/mk/bsd.prog.mk
==============================================================================
--- releng/12.1/share/mk/bsd.prog.mk	Thu Sep 26 18:37:58 2019	(r352768)
+++ releng/12.1/share/mk/bsd.prog.mk	Thu Sep 26 18:56:41 2019	(r352769)
@@ -34,6 +34,10 @@ PROG=	${PROG_CXX}
 MK_DEBUG_FILES=	no
 .endif
 
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
 .if ${MK_PIE} != "no" && (!defined(NO_SHARED) || ${NO_SHARED:tl} == "no")
 CFLAGS+= -fPIE
 CXXFLAGS+= -fPIE
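Review bot: The `-Wl,-znow` block in bsd.prog.mk is unconditional, while the PIE block directly below it is skipped when NO_SHARED is set. A statically linked program has no on-demand binding for the runtime loader to defer, so the flag should have no effect there; either guard it the same way or add a comment saying it is passed deliberately. The four added lines are also an exact copy of the block added to bsd.lib.mk, so a single shared fragment would keep the two from drifting apart.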

Copied: releng/12.1/tools/build/options/WITHOUT_BIND_NOW (from r352752, stable/12/tools/build/options/WITHOUT_BIND_NOW)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ releng/12.1/tools/build/options/WITHOUT_BIND_NOW	Thu Sep 26 18:56:41 2019	(r352769, copy of r352752, stable/12/tools/build/options/WITHOUT_BIND_NOW)
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Do not build all binaries with the
+.Dv DF_BIND_NOW
+flag set.
+Run-time relocation processing will be performed on demand.
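Review bot: The first sentence of WITHOUT_BIND_NOW, "Do not build all binaries with the DF_BIND_NOW flag set", can be read as "some binaries still get it". "Do not build binaries with the DF_BIND_NOW flag set" says what the knob does without that ambiguity.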

Copied: releng/12.1/tools/build/options/WITH_BIND_NOW (from r352752, stable/12/tools/build/options/WITH_BIND_NOW)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ releng/12.1/tools/build/options/WITH_BIND_NOW	Thu Sep 26 18:56:41 2019	(r352769, copy of r352752, stable/12/tools/build/options/WITH_BIND_NOW)
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Build all binaries with the
+.Dv DF_BIND_NOW
+flag set to indicate that the run-time loader should perform all relocation
+processing at process startup rather than on demand.
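Review bot: The WITH_BIND_NOW text describes the loader behaviour but not why anyone would enable it. The reason given in the commit log (in combination with relro the GOT is made read-only when the process starts) deserves a sentence here, since this file is the knob's documentation. A note that all relocation work moves to process startup as a cost would also help a reader weigh the default-off setting in bsd.opts.mk.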


