Add a WITH_BIND_NOW build knob
ClosedPublic
Actions

Authored by emaste on Nov 5 2018, 2:21 PM.

Details

Reviewers

brooks
dim
lattera-gmail.com

Commits

rS340186: Add a WITH_BIND_NOW build knob

Summary

The linker's -z now flag sets the DF_BIND_NOW flag, which signals to the runtime loader that all relocation processing should be performed at process startup rather than on demand. In combination with lld's default of enabling relro this causes the GOT to be made read-only when the process starts, preventing GOT overwrite attacks.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

emaste created this revision.Nov 5 2018, 2:21 PM

Herald added a subscriber: bdrewery. · View Herald TranscriptNov 5 2018, 2:21 PM

I had originally suggested to Shawn that he extract a patch (https://github.com/HardenedBSD/hardenedBSD/issues/356), but looked at the diffs and realized the changes are both trivial and going to conflict with HardenedBSD anyway (which has MK_RETPOLINE) arranged slightly differently.

There's a lot of commonality between bsd.prog.mk and bsd.lib.mk that could be factored out as a subsequent change.