link option for PIE executable

[chunseoklee]

I have built the latest coreclr (commit 637bfef) and found that it does not produce PIE executables for corerun, crossgen, ildasm, ilasdm.

twoflower@js2-desktop ~/d/c/b/P/Linux.x64.Release> hardening-check crossgen
crossgen:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!

But, compilation option -fPIE is introduced on commit 891b2aa.
Am I missing something(flag) or we need a patch to enable PIE executable ?

[janvorli]

I've verified that we do pass the -fPIE option to the compiler and that there are no textrels in the file. However, that doesn't seem to be enough. I've tried to compile simple hello world kind of app with clang and besides -fPIE, it also required me to pass in the -pie linker option to become dynamic executable. So we will need to add that to our CMakeLists.txt files (e.g. set_property(TARGET crossgen APPEND_STRING PROPERTY LINK_FLAGS -pie)
However, I've found that cmake has a variable CMAKE_POSITION_INDEPENDENT_CODE that can be set to generate position independent targets, so I'd like to give it a try as a replacement for manually adding the PIE / PIC flags everywhere. For some reason, it doesn't seem to work right away, so it will require some investigations.

[janvorli]

Hmm, actually it is a cmake bug that it doesn't pass the -pie linker option when the CMAKE_POSITION_INDEPENDENT_CODE is enabled. So setting the target property or setting it globally in CMAKE_EXE_LINKER_FLAGS (which would require changing the PAL tests to build as PIEs) is the way to go.

[chunseoklee]

@janvorli Then, is it ok to PR a patch enabling PIE executable ?

[janvorli]

@chunseoklee yes, it would be great to get that.

[vitek-karas]

Could you please also look at dotnet/core-setup and how it produces dotnet and apphost executables? Those are the actual executables used by the product.

[jkotas]

Fixed by #685