Motivation
Go binaries can be built as position independent executables (PIE) for linux targets which enables partial read-only relocation (RELRO) by default. Partial RELRO as the name suggests does not provide full protection from .got overwrite attacks. When using the external linker it is possible to pass specific linker flags including -z,now to enable full RELRO. Go internal linker, however, does not have the option to enable full RELRO for resulting binaries.
Also, go's internal linker has three notable differences from the other known ELF linkers (ld, lld, bfd, gold and mold) when building binaries with -buildmode=pie and partial RELRO implied:
.dynamic section is not part of the GNU_RELRO segment;
.got section is not part of the GNU_RELRO segment;
GNU_RELRO segment does not have the read-only flag.
Proposal
Add the -bindnow linker option to enable full RELRO on ELF targets that covers both internal and external linkers.
This option defaults to false and preserves current behavior - partial RELRO for -buildmode=pie.
Also, the following changes are proposed to align internal linker's behavior with external ELF linkers:
GNU_RELRO segment is marked Read-only;
.dynamic is a relro section for partial and full RELRO;
.got is a relro section for partial and full RELRO;
.got.plt is a relro section for full RELRO only.
Relevant active CL/PR
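An added example, not code from the Go project or from this proposal: a small Go program that checks the properties listed above on an ELF binary. It reports whether the GNU_RELRO segment is read-only, whether .dynamic and .got (and, with immediate binding, .got.plt) lie inside it, and whether the result counts as partial or full RELRO. The names Report and classify are illustrative assumptions, and File.DynValue needs Go 1.21 or later.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// Report summarises the RELRO properties the proposal discusses.
type Report struct {
	Level    string   // "none", "partial" or "full"
	ReadOnly bool     // PT_GNU_RELRO has PF_R set and PF_W clear
	Outside  []string // sections expected inside PT_GNU_RELRO but not covered
}

// classify: bindNow means DT_BIND_NOW is present or DF_BIND_NOW/DF_1_NOW is set.
func classify(progs []*elf.Prog, sects []*elf.Section, bindNow bool) Report {
	r := Report{Level: "none"}
	for _, p := range progs {
		if p.Type != elf.PT_GNU_RELRO {
			continue
		}
		r.Level = "partial"
		if bindNow {
			r.Level = "full"
		}
		r.ReadOnly = p.Flags&elf.PF_R != 0 && p.Flags&elf.PF_W == 0
		for _, s := range sects {
			// .got.plt belongs in the segment only with immediate binding.
			want := s.Name == ".dynamic" || s.Name == ".got" || (bindNow && s.Name == ".got.plt")
			if want && (s.Addr < p.Vaddr || s.Addr+s.Size > p.Vaddr+p.Memsz) {
				r.Outside = append(r.Outside, s.Name)
			}
		}
	}
	return r
}

func main() {
	f, err := elf.Open(os.Args[len(os.Args)-1]) // ELF path; with no argument, this program
	if err != nil {
		panic(err)
	}
	now, _ := f.DynValue(elf.DT_BIND_NOW)
	fl, _ := f.DynValue(elf.DT_FLAGS)
	fl1, _ := f.DynValue(elf.DT_FLAGS_1)
	bind := len(now) > 0 || (len(fl) > 0 && fl[0]&uint64(elf.DF_BIND_NOW) != 0) ||
		(len(fl1) > 0 && fl1[0]&1 != 0) // 1 is DF_1_NOW
	fmt.Printf("%+v\n", classify(f.Progs, f.Sections, bind))
}
```

A binary with the internal-linker layout described under Motivation would show Level "partial", ReadOnly false and both .dynamic and .got in Outside.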