diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
index 5c7b73c5a8a..9ba08a7ca61 100644
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -79,6 +79,11 @@ TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_RETPOLINE} != "no"
 .if ${COMPILER_FEATURES:Mretpoline} && ${LINKER_FEATURES:Mretpoline}
 CFLAGS+= -mretpoline
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index 7e5c985957f..d448656bd96 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -64,6 +64,7 @@ __DEFAULT_YES_OPTIONS = \
 	NIS \
 	NLS \
 	OPENSSH \
+	RELRO \
 	SSP \
 	TESTS \
 	TOOLCHAIN \
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
index 6b8da09edaf..eed7d652fad 100644
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -41,6 +41,11 @@ MK_DEBUG_FILES= no
 .if ${MK_BIND_NOW} != "no"
 LDFLAGS+= -Wl,-znow
 .endif
+.if ${MK_RELRO} == "no"
+LDFLAGS+= -Wl,-znorelro
+.else
+LDFLAGS+= -Wl,-zrelro
+.endif
 .if ${MK_PIE} != "no"
 # Static PIE is not yet supported/tested.
 .if !defined(NO_SHARED) || ${NO_SHARED:tl} == "no"
diff --git a/tools/build/options/WITHOUT_RELRO b/tools/build/options/WITHOUT_RELRO
new file mode 100644
index 00000000000..f5b661f5916
--- /dev/null
+++ b/tools/build/options/WITHOUT_RELRO
@@ -0,0 +1,4 @@
+Do not apply the Relocation Read-Only (RELRO) vulnerability mitigation.
+See also the
+.Va BIND_NOW
+option.
diff --git a/tools/build/options/WITH_BIND_NOW b/tools/build/options/WITH_BIND_NOW
index 02e4c37352b..a2d3ac7e777 100644
--- a/tools/build/options/WITH_BIND_NOW
+++ b/tools/build/options/WITH_BIND_NOW
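Review bot: The new `.if ${MK_RELRO} == "no"` block in bsd.lib.mk (and its verbatim twin in bsd.prog.mk) appends `-Wl,-zrelro`/`-Wl,-znorelro` to LDFLAGS without any linker capability gate, whereas the MK_RETPOLINE block immediately below checks `${LINKER_FEATURES:Mretpoline}` first; I cannot tell from the hunk whether a relro feature flag exists in LINKER_FEATURES, and since current GNU ld and lld both accept `-z relro` this may be a deliberate choice, but it deserves a one-line comment either way. Suggested comment above the block: `# -zrelro alone gives partial RELRO; together with MK_BIND_NOW the whole GOT is made read-only after startup relocation (full RELRO, see WITH_BIND_NOW).` Stylistically the sibling blocks test `!= "no"`, so `.if ${MK_RELRO} != "no"` with the `-zrelro` branch first would read consistently with MK_BIND_NOW and MK_PIE. The enclosing conditional chain starts and ends outside the hunk, and because the same five lines now live in two files, hoisting the BIND_NOW and RELRO blocks into one shared include would keep them from drifting.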
@@ -3,3 +3,10 @@ Build all binaries with the
 .Dv DF_BIND_NOW
 flag set to indicate that the run-time loader should perform all relocation
 processing at process startup rather than on demand.
+The combination of the
+.Va BIND_NOW
+and
+.Va RELRO
+options provide "full" Relocation Read-Only (RELRO) support.
+With full RELRO the entire GOT is made read-only after performing relocation at
+startup, avoiding GOT overwrite attacks.
diff --git a/tools/build/options/WITH_RELRO b/tools/build/options/WITH_RELRO
new file mode 100644
index 00000000000..cfc344dd9cf
--- /dev/null
+++ b/tools/build/options/WITH_RELRO
@@ -0,0 +1,5 @@
+Build all binaries with the Relocation Read-Only (RELRO) vulnerability
+mitigation applied.
+See also the
+.Va BIND_NOW
+option.