
cmd/link: support full relro #45681

Closed (4 commits)
Conversation

Foxboron (Contributor, Author)
Most Linux distributions today enable PIE and full RELRO on all binaries
to make exploitation harder. When buildmode=pie is used we enable full
relro as that is probably what most people want regardless.

This introduces a negligible startup time for binaries.

https://fedoraproject.org/wiki/Changes/Harden_All_Packages
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

Related #44480

google-cla bot commented Apr 21, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


google-cla bot added the cla: no label, Apr 21, 2021
Foxboron (Contributor, Author)

@googlebot I signed it!

google-cla bot added the cla: yes label and removed cla: no, Apr 21, 2021
@gopherbot

This PR (HEAD: 20ab0e5) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/312509 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

@gopherbot

Message from Go Bot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://golang.org/doc/contribute.html#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://golang.org/s/release
for more details.


Please don’t reply on this GitHub thread. Visit golang.org/cl/312509.
After addressing review feedback, remember to publish your drafts!

@gopherbot

Message from Cherry Zhang:

Patch Set 1: Run-TryBot+1

(2 comments)

@gopherbot

Message from Go Bot:

Patch Set 1:

(1 comment)

@gopherbot

Message from Cherry Zhang:

Patch Set 1:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 1:

(2 comments)

@gopherbot

Message from Go Bot:

Patch Set 1: TryBot-Result+1

(1 comment)

@gopherbot

Message from Cherry Zhang:

Patch Set 1:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 1:

(1 comment)

@gopherbot

Message from Cherry Zhang:

Patch Set 1:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 1:

(1 comment)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 1:

(1 comment)

@gopherbot

This PR (HEAD: b80f284) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/312509 to see it.

@gopherbot

Message from Morten Linderud:

Patch Set 2:

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 1: Run-TryBot+1

(2 comments)

@gopherbot

Message from Cherry Mui:

Patch Set 1:

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 1:

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 1:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 1:

(2 comments)

@gopherbot

Message from Go Bot:

Patch Set 1: TryBot-Result+1

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 1:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 1:

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 1:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 1:

(1 comment)

Most Linux distributions today enable PIE and full RELRO on all binaries
to make exploitation harder. When buildmode=pie is used we enable full
relro as that is probably what most people want regardless.

This introduces a negligible startup time for binaries.

https://fedoraproject.org/wiki/Changes/Harden_All_Packages
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

Related golang#44480
Signed-off-by: Morten Linderud <morten@linderud.pw>
@gopherbot

This PR (HEAD: b85c7f7) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/312509 to see it.

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4: Run-TryBot+1 Code-Review+1

@gopherbot

Message from Gopher Robot:

Patch Set 4:

(2 comments)

@gopherbot

Message from Gopher Robot:

Patch Set 4: TryBot-Result+1

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 4:

(4 comments)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 4:

(1 comment)

@gopherbot

Message from Cherry Mui:

Patch Set 4:

(1 comment)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

y27988 commented Oct 13, 2022

Why is this feature not merged into the main branch?

Foxboron (Contributor, Author)

I have failed to follow up on this properly, sadly. The review cycle takes a while (understandably) so it doesn't end up super high on my todo list :)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 4:

(1 comment)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

@gopherbot

Message from Nick Revin:

Patch Set 4:

(1 comment)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4:

(1 comment)

@gopherbot

Message from Nick Revin:

Patch Set 4:

(1 comment)

@gopherbot

Message from Morten Linderud:

Patch Set 4:

(1 comment)

@gopherbot

Message from Nick Revin:

Patch Set 4:

(1 comment)

@gopherbot

Message from Ian Lance Taylor:

Patch Set 4: -Code-Review

Foxboron closed this Nov 1, 2023
gopherbot pushed a commit that referenced this pull request Feb 29, 2024

-bindnow linker option enables full RELRO on ELF targets.

This option defaults to false and preserves
current behavior - partial relro for buildmode=pie.

Also, the following changes were made to align
internal linker's behavior with external ELF linkers:
- GNU_RELRO segment is marked Read-only
- .dynamic is a relro section for partial and full RELRO
- .got is a relro section for partial and full RELRO
- .got.plt is a relro section for full RELRO only

Supersedes #45681 (golang.org/cl/312509)

Change-Id: I51c4ef07b14beceb7cd6fd989f323e45f89a63ca
GitHub-Last-Rev: bc68264
GitHub-Pull-Request: #58869
Reviewed-on: https://go-review.googlesource.com/c/go/+/473495
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
gopherbot pushed a commit that referenced this pull request Mar 14, 2024

This reverts https://go.dev/cl/c/go/+/473495.

Reason for revert: breaks some Google-internal tests.

This revert will be temporary until we can gather more info on the
nature of the failures and hopefully develop an upstream test case,
etc.

Updates #45681.

Change-Id: Ib628ddc53bc5489e4f76c0f4ad809b75e899102c
Reviewed-on: https://go-review.googlesource.com/c/go/+/571415
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
gopherbot pushed a commit that referenced this pull request Mar 15, 2024

This is a partial roll-forward of CL 473495, which was subsequently
reverted. The second half of CL 473495 will appear in a future CL.

In this patch we introduce a new Go linker "-bindnow" command line
flag, and update the Go command to permit the use of the -Wl,-z,now
option, to allow users to produce binaries that have immediate
binding.

Updates #45681.

Change-Id: Idd61b0d6597bcd37b16c343714c55a4ef6dfb534
Reviewed-on: https://go-review.googlesource.com/c/go/+/571416
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
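A way to verify which of the cases described in these commits a built binary actually lands in, added here as an example and not code from this PR, from CL 473495 or from the Go toolchain: it looks for a PT_GNU_RELRO program header, reads the .dynamic section for DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1 (the three ways an ELF file asks the loader for immediate binding, which is what `-bindnow` and `-Wl,-z,now` request), and lists which allocated sections (.dynamic, .got, .got.plt) lie inside the RELRO segment. It uses only Go's standard debug/elf package; the level names `RelroNone`/`RelroPartial`/`RelroFull`, the `inspect` and `relroSections` functions and the output format are my own and do not correspond to anything in cmd/link. It goes a little beyond the Go-specific case in that it also handles 32-bit and big-endian ELF files and binaries produced by other linkers.

```go
// relro.go: added example, not part of cmd/link. Reports the RELRO level of
// ELF binaries using only the standard library's debug/elf package.
package main

import (
	"debug/elf"
	"encoding/binary"
	"fmt"
	"os"
)

// RelroLevel is the RELRO hardening a binary asks ld.so for.
type RelroLevel int

const (
	RelroNone    RelroLevel = iota // no PT_GNU_RELRO segment
	RelroPartial                   // PT_GNU_RELRO, lazy binding: .got.plt stays writable
	RelroFull                      // PT_GNU_RELRO plus immediate binding: .got.plt covered too
)

func (l RelroLevel) String() string { return []string{"none", "partial", "full"}[l] }

// parseDynamic decodes raw .dynamic bytes (8-byte entries on ELFCLASS32, 16-byte on
// ELFCLASS64) into a tag->value map, stopping at the first DT_NULL as the loader does.
// Repeated tags such as DT_NEEDED collapse, which is fine for the flag tags used here.
func parseDynamic(data []byte, class elf.Class, bo binary.ByteOrder) map[elf.DynTag]uint64 {
	dyn := map[elf.DynTag]uint64{}
	size, word := 16, func(b []byte) uint64 { return bo.Uint64(b) }
	if class == elf.ELFCLASS32 {
		size, word = 8, func(b []byte) uint64 { return uint64(bo.Uint32(b)) }
	}
	for off := 0; off+size <= len(data); off += size {
		tag := elf.DynTag(word(data[off:]))
		if tag == elf.DT_NULL {
			break
		}
		dyn[tag] = word(data[off+size/2:])
	}
	return dyn
}

// bindNow reports whether .dynamic requests immediate binding via DT_BIND_NOW,
// DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1. Only then does ld.so resolve
// every PLT slot before main runs, which is what lets RELRO cover .got.plt as well.
func bindNow(dyn map[elf.DynTag]uint64) bool {
	const df1Now = 0x1 // DF_1_NOW, spelled out so this builds on older Go releases
	_, explicit := dyn[elf.DT_BIND_NOW]
	return explicit || elf.DynFlag(dyn[elf.DT_FLAGS])&elf.DF_BIND_NOW != 0 || dyn[elf.DT_FLAGS_1]&df1Now != 0
}

// relroSections lists the allocated sections lying entirely inside PT_GNU_RELRO (the
// pages ld.so remaps read-only after relocation) and whether such a segment exists.
func relroSections(f *elf.File) (names []string, found bool) {
	for _, p := range f.Progs {
		if p.Type != elf.PT_GNU_RELRO {
			continue
		}
		found = true
		for _, s := range f.Sections {
			if s.Flags&elf.SHF_ALLOC != 0 && s.Size > 0 &&
				s.Addr >= p.Vaddr && s.Addr+s.Size <= p.Vaddr+p.Memsz {
				names = append(names, s.Name)
			}
		}
	}
	return names, found
}

// inspect classifies an already-parsed ELF file.
func inspect(f *elf.File) (RelroLevel, []string, error) {
	names, hasRelro := relroSections(f)
	if !hasRelro {
		return RelroNone, nil, nil
	}
	if ds := f.SectionByType(elf.SHT_DYNAMIC); ds != nil {
		data, err := ds.Data()
		if err != nil {
			return RelroNone, nil, err
		}
		if bindNow(parseDynamic(data, f.Class, f.ByteOrder)) {
			return RelroFull, names, nil
		}
	}
	return RelroPartial, names, nil
}

func main() {
	for _, path := range os.Args[1:] {
		f, err := elf.Open(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		level, names, err := inspect(f)
		f.Close()
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: RELRO=%s relro-sections=%v\n", path, level, names)
	}
}
```

Assuming a toolchain that includes CL 571416, build a subject twice, `go build -buildmode=pie -o lazy .` and `go build -buildmode=pie -ldflags=-bindnow -o now .`, and run `go run relro.go lazy now`: the first should report partial with .got.plt absent from the list, the second full, with .got.plt inside the segment only if the section-layout half of CL 473495 is also in your toolchain. `readelf -l` (the GNU_RELRO program header) and `readelf -d` (the FLAGS/FLAGS_1 tags) give a second opinion on the same facts.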