diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -79,6 +79,11 @@
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_RETPOLINE} != "no"
 .if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline}
 CFLAGS+= -mretpoline
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -64,6 +64,7 @@
 NIS \
 NLS \
 OPENSSH \
+ RELRO \
 SSP \
 TESTS \
 TOOLCHAIN \
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -41,6 +41,11 @@
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_PIE} != "no"
 # Static PIE is not yet supported/tested.
 .if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no"
diff --git a/tools/build/options/WITHOUT_RELRO b/tools/build/options/WITHOUT_RELRO
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITHOUT_RELRO
@@ -0,0 +1,4 @@
+Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
+See also the
+.Va BIND_NOW
+option.
diff --git a/tools/build/options/WITH_BIND_NOW b/tools/build/options/WITH_BIND_NOW
--- a/tools/build/options/WITH_BIND_NOW
+++ b/tools/build/options/WITH_BIND_NOW
@@ -3,3 +3,10 @@
 .Dv DF_BIND_NOW
 flag set to indicate that the run-time loader should perform all relocation
 processing at process startup rather than on demand.
+The combination of the
+.Va BIND_NOW
+and
+.Va RELRO
+options provide "full" Relocation Read-Only (RELRO) support.
+With full RELRO the entire GOT is made read-only after performing relocation at
+startup, avoiding GOT overwrite attacks.
diff --git a/tools/build/options/WITH_RELRO b/tools/build/options/WITH_RELRO
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITH_RELRO
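Review bot: The `-Wl,-zrelro` appended in the `.else` branch gives only partial RELRO on its own; the GOT entries used for lazily bound PLT calls stay writable unless `-Wl,-znow` is also present, and that flag comes from the separate `MK_BIND_NOW` block just above, so the two knobs are a complete mitigation only together. A one-line comment on the new block would make that dependency visible to the next reader, e.g. `# RELRO alone is "partial"; combined with MK_BIND_NOW the whole GOT is read-only after startup.` The identical block added to bsd.prog.mk in this commit has the same gap. As a point of style, `.if ${MK_RELRO} != "no"` with the `-zrelro` case first would match the surrounding `MK_BIND_NOW` and `MK_RETPOLINE` tests. Unlike the adjacent retpoline block there is no `${LINKER_FEATURES:...}` gate here, which is presumably fine since both lld and GNU ld accept `-z relro`, but it is worth confirming for any external toolchain the tree still supports.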
@@ -0,0 +1,5 @@
+Build all binaries with the Relocation Read-Only (RELRO) vulnerability
+mitigation applied.
+See also the
+.Va BIND_NOW
+option.