From 7a4e60b63d0006cf06d18f3d4c7519d72cddc97b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Fri, 4 Jul 2025 21:37:44 +0100
Subject: [PATCH] add -Wl,-z,relro,-z,now to hardening ldflags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
See: https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro as a happy side effect this reduces dirty pages as measured by pmap -px PID|grep 'rw.--'|grep -v anon|awk '{ sum+=$4 } END { print sum }' for a --with-distro=CPLinux-LOKit build and spawned kit calc process from 2588 to 2352 pages
Change-Id: I86b3ae025300907a240affd6d9a3d36d2eecbfb5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187469
Reviewed-by: Caolán McNamara
Tested-by: Jenkins
---
 config_host.mk.in | 1 +
 configure.ac | 12 ++++++++++++
 solenv/gbuild/platform/unxgcc.mk | 1 +
 3 files changed, 14 insertions(+)
diff --git a/config_host.mk.in b/config_host.mk.in
index 9b7a7a747e2d..c89ee21a0351 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -196,6 +196,7 @@ export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
 export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_LDFLAGS=@HARDENING_LDFLAGS@
 export HARDENING_CFLAGS=@HARDENING_CFLAGS@
 export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
diff --git a/configure.ac b/configure.ac
index c59fcb215ae7..b964c2eae37b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7795,9 +7795,20 @@ dnl ===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_LDFLAGS=
 HARDENING_CFLAGS=
 HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+
+ AC_MSG_CHECKING([for full RELRO linker support])
+ save_LDFLAGS=$LDFLAGS
+ LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_LDFLAGS="$HARDENING_LDFLAGS -Wl,-z,relro,-z,now"],
+ [AC_MSG_RESULT([no])])
+ LDFLAGS=$save_LDFLAGS
+
 AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
 save_CFLAGS=$CFLAGS
 CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
@@ -7996,6 +8007,7 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_LDFLAGS)
 AC_SUBST(HARDENING_CFLAGS)
 AC_SUBST(HARDENING_OPT_CFLAGS)
diff --git a/solenv/gbuild/platform/unxgcc.mk b/solenv/gbuild/platform/unxgcc.mk
index ef6750ed5f38..2f8f4df9603b 100644
--- a/solenv/gbuild/platform/unxgcc.mk
+++ b/solenv/gbuild/platform/unxgcc.mk
@@ -72,6 +72,7 @@ ifeq (,$(DISABLE_DYNLOADING))
 gb_LinkTarget_LDFLAGS += \
 -Wl,-rpath-link,$(SYSBASE)/lib:$(SYSBASE)/usr/lib \
 -Wl,-z,combreloc \
+ $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_LDFLAGS)) \
 endif
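Review bot: The full-RELRO probe in the first configure.ac hunk can answer `yes` for a linker that merely ignores the option, because `AC_LINK_IFELSE` fails only when the link itself fails and GNU ld, as far as I know, reports an unrecognised `-z` keyword as a warning rather than an error. Making warnings fatal for the probe only, `LDFLAGS="$LDFLAGS -Wl,--fatal-warnings -Wl,-z,relro,-z,now"`, would tie the result to real support; `--fatal-warnings` should stay out of `HARDENING_LDFLAGS` itself so unrelated linker warnings do not break the build. A one-line `dnl` comment above the check, e.g. `dnl -z now binds all symbols at load time so -z relro can map the whole GOT read-only`, would record why the two keywords are paired. The enclosing `if test "$GCC" ...` block continues past the end of the hunk.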
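Review bot: `HARDENING_LDFLAGS` reaches the link line only through `gb_LinkTarget_LDFLAGS` in unxgcc.mk, and only inside the `ifeq (,$(DISABLE_DYNLOADING))` branch, so objects linked by another path (other platform makefiles, or bundled externals driven by their own build systems, if they do not inherit this variable) would presumably still ship with lazy binding and a writable GOT. A comment above the assignment such as `# HARDENING_LDFLAGS: full RELRO (-z relro -z now), set by configure only when the link probe passes` would make the intent visible where the flag is consumed. Coverage is best confirmed after the build by checking that `readelf -l` shows a `GNU_RELRO` segment and `readelf -d` shows `BIND_NOW` (or `NOW` under `FLAGS_1`) on the installed libraries and executables. The `ifeq` block opens before the hunk, so the note covers only the visible lines.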