#1416 closed enhancement (wontfix)
[PATCH] Link with -Wl,-z,relro
| Reported by: | Vincent Cheng | Owned by: | |
|---|---|---|---|
| Priority: | If Time Permits | Milestone: | |
| Component: | Build & Packages | Keywords: | patch |
| Cc: | Vincentc1208@… | Patch: |
Description (last modified by )
Please consider building 0 A.D. using the read-only relocation link flag (-Wl,-z,relro) by default. This is part of a recent effort to get as many packages as possible in Debian built with a selection of build-hardening flags (more info here). This is also enabled by default in Ubuntu.
--- a/build/premake/premake4.lua
+++ b/build/premake/premake4.lua
@@ -246,7 +246,7 @@
end
if os.is("linux") or os.is("bsd") then
- linkoptions { "-Wl,--no-undefined", "-Wl,--as-needed" }
+ linkoptions { "-Wl,--no-undefined", "-Wl,--as-needed", "-Wl,-z,relro" }
end
if _OPTIONS["coverage"] then
(Ideally, there should be a way to build 0 A.D. with a distro's default compiler/linker flags without having to modify the source, but I don't know enough about premake to make it work. Is there a way to let premake know of compiler/linker flags that have been exported in the build environment, for example?)
Change History (10)
comment:1 by , 12 years ago
| Component: | Core engine → Build & Packages |
|---|---|
| Priority: | Nice to Have → If Time Permits |
comment:2 by , 12 years ago
follow-up: 4 comment:3 by , 12 years ago
Ah, I haven't actually tried it, but I suppose running make LDFLAGS=-Wl,-z,relro should eject the linker flags into the build.
I've noticed that some hardening options are already enabled by default in premake4.lua anyways (-fstack-protector-all and -D_FORTIFY_SOURCE=2)...I don't suppose adding another set of flags would hurt? :P
comment:4 by , 12 years ago
Replying to vincent:
I don't suppose adding another set of flags would hurt? :P
Only if we're sure it doesn't break the numerous build environments that people are using. I assume it's only reliably a Linux thing, how long has it been available? (I don't see a -z relro option for ld on FreeBSD 8.2)
comment:5 by , 12 years ago
I only have Debian GNU/Linux and GNU/kFreeBSD systems to test on, and 0 A.D. builds fine on kFreeBSD with -Wl,-z,relro appended to LDFLAGS. To be honest, my understanding of build hardening is pretty much limited to what the Debian and Ubuntu wiki pages mention. No idea whether or not it can be used on FreeBSD, but for what it's worth, partial relro was added to Ubuntu as early as 8.10 Intrepid, afaik.
comment:6 by , 12 years ago
Some people say maybe it was binutils 2.16 that introduced ld -z relro, which goes back to 2005. That's not to say it's supported by all Linux distros since 2005 though. If it's even from the past 4-5 years I think it's not worth risking breaking the build (unless it would only give a warning, or if we already use other equally "new" options).
Unfortunately Premake has no way of knowing if the option is available, that's one of the advantages of autoconf I guess :/
comment:7 by , 12 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:8 by , 12 years ago
| Keywords: | review removed |
|---|
comment:9 by , 12 years ago
| Milestone: | Alpha 11 |
|---|
Shouldn't this already work with setting LDFLAGS?
I tested it locally and it worked. I suppose we will add a parameter to only add the needed compiler/linker flags to our makefiles with #1516 (or with this ticket).