Fix relro, now and PIE for host and libraries

src/installer/corehost/cli/common.cmake

@@ -9,7 +9,6 @@ if(WIN32)
     add_compile_options($<$<CONFIG:Release>:/MT>)
     add_compile_options($<$<CONFIG:Debug>:/MTd>)
 else()
-    add_compile_options(-fPIC)
     add_compile_options(-fvisibility=hidden)
 endif()
 

src/installer/corehost/cli/exe.cmake

@@ -4,6 +4,9 @@
 
 project (${DOTNET_PROJECT_NAME})
 
+cmake_policy(SET CMP0011 NEW)
+cmake_policy(SET CMP0083 NEW)
+
 include(${CMAKE_CURRENT_LIST_DIR}/common.cmake)
 
 # Include directories

src/installer/corehost/cli/test_fx_ver/CMakeLists.txt

@@ -29,7 +29,6 @@ if(WIN32)
     add_compile_options($<$<CONFIG:Release>:/MT>)
     add_compile_options($<$<CONFIG:Debug>:/MTd>)
 else()
-    add_compile_options(-fPIE)
     add_compile_options(-fvisibility=hidden)
 endif()
 

src/installer/settings.cmake

@@ -4,6 +4,17 @@
 
 set (CMAKE_CXX_STANDARD 11)
 
+include(CheckPIESupported)
+
+# All code we build should be compiled as position independent
+check_pie_supported(OUTPUT_VARIABLE PIE_SUPPORT_OUTPUT LANGUAGES CXX)
+if(NOT MSVC AND NOT CMAKE_CXX_LINK_PIE_SUPPORTED)
+  message(WARNING "PIE is not supported at link time: ${PIE_SUPPORT_OUTPUT}.\n"
+                  "PIE link options will not be passed to linker.")
+endif()
+
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+
 if(CMAKE_SYSTEM_NAME STREQUAL Linux)
     set(CLR_CMAKE_PLATFORM_UNIX 1)
     message("System name Linux")
@@ -174,7 +185,7 @@ if(WIN32)
     set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /GUARD:CF")
 
     # Debug build specific flags
-    set(CMAKE_SHARED_LINKER_FLAGS_DEBUG "/NOVCFEATURE")
+    set(CMAKE_SHARED_LINKER_FLAGS_DEBUG "${CMAKE_SHARED_LINKER_FLAGS_DEBUG} /NOVCFEATURE")
 
     # Release build specific flags
     set(CMAKE_SHARED_LINKER_FLAGS_RELEASE "${CMAKE_SHARED_LINKER_FLAGS_RELEASE} /DEBUG /OPT:REF /OPT:ICF")
@@ -216,14 +227,12 @@ endif()
 # containing the reference instead of using definitions from other modules.
 if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
     set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Xlinker -Bsymbolic -Bsymbolic-functions")
-    set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1")
-    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id=sha1")
+    add_link_options(-Wl,--build-id=sha1 -Wl,-z,relro,-z,now)
     add_compile_options(-fstack-protector-strong)
 elseif(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
     add_compile_options(-fstack-protector)
 elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-    set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1")
-    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}  -fuse-ld=lld -Xlinker --build-id=sha1")
+    add_link_options(-fuse-ld=lld -Wl,--build-id=sha1 -Wl,-z,relro,-z,now)
     add_compile_options(-fstack-protector)
 endif()
 

src/libraries/Native/Unix/CMakeLists.txt

@@ -1,6 +1,18 @@
 cmake_minimum_required(VERSION 2.8.12)
 project(CoreFX C)
 
+cmake_policy(SET CMP0083 NEW)
+
+include(CheckPIESupported)
+
+# All code we build should be compiled as position independent
+check_pie_supported(OUTPUT_VARIABLE PIE_SUPPORT_OUTPUT LANGUAGES C)
+if(NOT MSVC AND NOT CMAKE_C_LINK_PIE_SUPPORTED)
+  message(WARNING "PIE is not supported at link time: ${PIE_SUPPORT_OUTPUT}.\n"
+                  "PIE link options will not be passed to linker.")
+endif()
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+
 set(CMAKE_MACOSX_RPATH ON)
 set(CMAKE_INSTALL_PREFIX $ENV{__CMakeBinDir})
 set(CMAKE_INCLUDE_CURRENT_DIR ON)
@@ -28,7 +40,6 @@ endif()
 add_compile_options(-Werror)
 
 if(CMAKE_SYSTEM_NAME STREQUAL Emscripten)
-    # Build a static library so no -fPIC
     set(CLR_CMAKE_PLATFORM_WASM 1)
     add_definitions(-D_WASM_)
     # The emscripten build has additional warnings so -Werror breaks
@@ -37,7 +48,6 @@ if(CMAKE_SYSTEM_NAME STREQUAL Emscripten)
     add_compile_options(-Wno-alloca)
     add_compile_options(-Wno-implicit-int-float-conversion)
 else()
-  add_compile_options(-fPIC)
   set(GEN_SHARED_LIB 1)
 endif(CMAKE_SYSTEM_NAME STREQUAL Emscripten)
 
@@ -125,9 +135,8 @@ endif ()
 
 if (CMAKE_SYSTEM_NAME STREQUAL Linux)
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_GNU_SOURCE")
-   set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
-   set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1")
-   set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id=sha1")
+   add_compile_options($<$<COMPILE_LANGUAGE:ASM>:-Wa,--noexecstack>)
+   add_link_options(-Wl,--build-id=sha1 -Wl,-z,relro,-z,now)
 endif ()
 
 if(CMAKE_SYSTEM_NAME STREQUAL Linux)