diff options
| author | Marek Polacek <polacek@redhat.com> | 2023-06-22 11:30:01 -0400 |
|---|---|---|
| committer | Marek Polacek <polacek@redhat.com> | 2023-06-22 13:43:32 -0400 |
| commit | 33ebb0dff9bb022f1e0709e0e73faabfc3df7931 (patch) | |
| tree | 857cc8336fcbe426044fe759571d437032fb6b2a /c++tools | |
| parent | 4ced8363622b31910cda61796a28fe2cbf70faa7 (diff) | |
| download | gcc-33ebb0dff9bb022f1e0709e0e73faabfc3df7931.tar.gz gcc-33ebb0dff9bb022f1e0709e0e73faabfc3df7931.tar.bz2 gcc-33ebb0dff9bb022f1e0709e0e73faabfc3df7931.zip | |
configure: Implement --enable-host-bind-now
As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.
This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
With this patch:
$ readelf -Wd cc1{,plus,obj,gm2} f951 lto1 cpp rust1 gnat1 | grep FLAGS
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
c++tools/ChangeLog:
* configure.ac (--enable-host-bind-now): New check.
* configure: Regenerate.
gcc/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Add
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-bind-now.
lto-plugin/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Link with
-z,now.
* configure: Regenerate.
Diffstat (limited to 'c++tools')
| -rwxr-xr-x | c++tools/configure | 11 | ||||
| -rw-r--r-- | c++tools/configure.ac | 7 |
2 files changed, 18 insertions, 0 deletions
diff --git a/c++tools/configure b/c++tools/configure index 880870093839..006efe07b354 100755 --- a/c++tools/configure +++ b/c++tools/configure @@ -628,6 +628,7 @@ EGREP GREP CXXCPP LD_PICFLAG +enable_host_bind_now PICFLAG MAINTAINER CXX_AUX_TOOLS @@ -702,6 +703,7 @@ enable_maintainer_mode enable_checking enable_default_pie enable_host_pie +enable_host_bind_now with_gcc_major_version_only ' ac_precious_vars='build_alias @@ -1336,6 +1338,7 @@ Optional Features: yes,no,all,none,release. --enable-default-pie enable Position Independent Executable as default --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3007,6 +3010,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + + + # Check if O_CLOEXEC is defined by fcntl diff --git a/c++tools/configure.ac b/c++tools/configure.ac index 44dfaccbbfaf..c2a16601425c 100644 --- a/c++tools/configure.ac +++ b/c++tools/configure.ac @@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])], [PICFLAG=-fPIE; LD_PICFLAG=-pie], []) AC_SUBST(PICFLAG) + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])], +[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], []) +AC_SUBST(enable_host_bind_now) AC_SUBST(LD_PICFLAG) # Check if O_CLOEXEC is defined by fcntl |