CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	emaste <emaste@FreeBSD.org>
	Tue, 6 Nov 2018 15:52:49 +0000 (15:52 +0000)
committer	emaste <emaste@FreeBSD.org>
	Tue, 6 Nov 2018 15:52:49 +0000 (15:52 +0000)
commit	7b4e55f191c060d386d941a82842e177677d26a3
tree	c67a90fc01377b4f0d92e950495ae54b5d749d90	tree \| snapshot
parent	af734ea919852c5436df396d94a7a7bcc813aabb	commit \| diff

Add a WITH_BIND_NOW build knob

The linker's -z now flag sets the DF_BIND_NOW flag, which signals to the
runtime loader that all relocation processing should be performed at
process startup rather than on demand.  In combination with lld's
default of enabling relro this causes the GOT to be made read-only when
the process starts, preventing straightforward GOT overwrite attacks.

Shawn Webb discovered a failure on HardenedBSD with BIND_NOW and ifunc
use, which resulted in my rtld fix in r340137.  Add a BIND_NOW knob as
it is trivial to do so and is a useful ELF hardening feature.  This
change is equivalent to HardenedBSD's but not identical as there are
other diffs/conflicts nearby.

Note that our ELF Tool Chain readelf does not currently decode the
DF_BIND_NOW flag - see PR232983.

Reviewed by: brooks
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17846

share/mk/bsd.lib.mk		diff \| blob \| history
share/mk/bsd.opts.mk		diff \| blob \| history
share/mk/bsd.prog.mk		diff \| blob \| history
tools/build/options/WITHOUT_BIND_NOW	[new file with mode: 0644]	blob
tools/build/options/WITH_BIND_NOW	[new file with mode: 0644]	blob