LibreOffice/core
1
0
Fork 0
mirror of https://github.com/LibreOffice/core.git synced 2025-07-26 15:45:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

add -Wl,-z,relro,-z,now to hardening ldflags

Browse Source 
See: https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

as a happy side effect this reduces dirty pages as measured by

pmap -px PID|grep 'rw.--'|grep -v anon|awk '{ sum+=$4 } END { print sum }'

for a --with-distro=CPLinux-LOKit build and spawned kit calc process from
2588 to 2352 pages

Change-Id: I86b3ae025300907a240affd6d9a3d36d2eecbfb5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187469
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Tested-by: Jenkins
This commit is contained in:
Caolán McNamara
2025-07-04 21:37:44 +01:00
parent 168d90524c
commit 7a4e60b63d
3 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config_host.mk.in
View File

@ -196,6 +196,7 @@ export ENABLE_GTK4=@ENABLE_GTK4@
export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@ export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
export DISABLE_GUI=@DISABLE_GUI@ export DISABLE_GUI=@DISABLE_GUI@
export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@ export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
export HARDENING_LDFLAGS=@HARDENING_LDFLAGS@
export HARDENING_CFLAGS=@HARDENING_CFLAGS@ export HARDENING_CFLAGS=@HARDENING_CFLAGS@
export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@ export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
export ENABLE_HEADLESS=@ENABLE_HEADLESS@ export ENABLE_HEADLESS=@ENABLE_HEADLESS@

12
configure.ac
View File

@ -7795,9 +7795,20 @@ dnl ===================================================================
dnl GCC features dnl GCC features
dnl =================================================================== dnl ===================================================================
HAVE_GCC_STACK_CLASH_PROTECTION= HAVE_GCC_STACK_CLASH_PROTECTION=
HARDENING_LDFLAGS=
HARDENING_CFLAGS= HARDENING_CFLAGS=
HARDENING_OPT_CFLAGS= HARDENING_OPT_CFLAGS=
if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
AC_MSG_CHECKING([for full RELRO linker support])
save_LDFLAGS=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(, [[return 0;]])],
[AC_MSG_RESULT([yes]); HARDENING_LDFLAGS="$HARDENING_LDFLAGS -Wl,-z,relro,-z,now"],
[AC_MSG_RESULT([no])])
LDFLAGS=$save_LDFLAGS
AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches]) AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
save_CFLAGS=$CFLAGS save_CFLAGS=$CFLAGS
CFLAGS="$CFLAGS -Werror -grecord-gcc-switches" CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
@ -7996,6 +8007,7 @@ fi
AC_SUBST(HAVE_GCC_AVX) AC_SUBST(HAVE_GCC_AVX)
AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC) AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION) AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
AC_SUBST(HARDENING_LDFLAGS)
AC_SUBST(HARDENING_CFLAGS) AC_SUBST(HARDENING_CFLAGS)
AC_SUBST(HARDENING_OPT_CFLAGS) AC_SUBST(HARDENING_OPT_CFLAGS)

1
solenv/gbuild/platform/unxgcc.mk
View File

@ -72,6 +72,7 @@ ifeq (,$(DISABLE_DYNLOADING))
gb_LinkTarget_LDFLAGS += \ gb_LinkTarget_LDFLAGS += \
-Wl,-rpath-link,$(SYSBASE)/lib:$(SYSBASE)/usr/lib \ -Wl,-rpath-link,$(SYSBASE)/lib:$(SYSBASE)/usr/lib \
-Wl,-z,combreloc \ -Wl,-z,combreloc \
$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_LDFLAGS)) \
endif endif