Ticket #1416 (closed enhancement: wontfix)
[PATCH] Link with -Wl,-z,relro
| Reported by: | vincent | Owned by: | |
|---|---|---|---|
| Priority: | If Time Permits | Milestone: | |
| Component: | Build & Packages | Keywords: | patch |
| Cc: | Vincentc1208@… |
Description
Please consider building 0 A.D. using the read-only relocation link flag (-Wl,-z,relro) by default. This is part of a recent effort to get as many packages as possible in Debian built with a selection of build-hardening flags (more info here). This is also enabled by default in Ubuntu.
--- a/build/premake/premake4.lua
+++ b/build/premake/premake4.lua
@@ -246,7 +246,7 @@
end
if os.is("linux") or os.is("bsd") then
- linkoptions { "-Wl,--no-undefined", "-Wl,--as-needed" }
+ linkoptions { "-Wl,--no-undefined", "-Wl,--as-needed", "-Wl,-z,relro" }
end
if _OPTIONS["coverage"] then
(Ideally, there should be a way to build 0 A.D. with a distro's default compiler/linker flags without having to modify the source, but I don't know enough about premake to make it work. Is there a way to let premake know of compiler/linker flags that have been exported in the build environment, for example?)
Change History
comment:1 Changed 12 months ago by k776
- Priority changed from Nice to Have to If Time Permits
- Component changed from Core engine to Build & Packages
comment:2 Changed 11 months ago by leper
Shouldn't this already work with setting LDFLAGS?
I tested it locally and it worked. I suppose we will add a parameter to only add the needed compiler/linker flags to our makefiles with #1516 (or with this ticket).
comment:3 follow-up: ↓ 4 Changed 11 months ago by vincent
Ah, I haven't actually tried it, but I suppose running make LDFLAGS=-Wl,-z,relro should eject the linker flags into the build.
I've noticed that some hardening options are already enabled by default in premake4.lua anyways (-fstack-protector-all and -D_FORTIFY_SOURCE=2)...I don't suppose adding another set of flags would hurt? :P
comment:4 in reply to: ↑ 3 Changed 11 months ago by historic_bruno
Replying to vincent:
I don't suppose adding another set of flags would hurt? :P
Only if we're sure it doesn't break the numerous build environments that people are using. I assume it's only reliably a Linux thing, how long has it been available? (I don't see a -z relro option for ld on FreeBSD 8.2)
comment:5 Changed 11 months ago by vincent
I only have Debian GNU/Linux and GNU/kFreeBSD systems to test on, and 0 A.D. builds fine on kFreeBSD with -Wl,-z,relro appended to LDFLAGS. To be honest, my understanding of build hardening is pretty much limited to what the Debian and Ubuntu wiki pages mention. No idea whether or not it can be used on FreeBSD, but for what it's worth, partial relro was added to Ubuntu as early as 8.10 Intrepid, afaik.
comment:6 Changed 11 months ago by historic_bruno
Some people say maybe it was binutils 2.16 that introduced ld -z relro, which goes back to 2005. That's not to say it's supported by all Linux distros since 2005 though. If it's even from the past 4-5 years I think it's not worth risking breaking the build (unless it would only give a warning, or if we already use other equally "new" options).
Unfortunately Premake has no way of knowing if the option is available, that's one of the advantages of autoconf I guess :/
