No easy way to enable full RELRO on security sensitive binaries #1140
Comments
|
As @TingPing pointed out, the penalty for "full RELRO" isn't huge for most binaries so perhaps we could just change the project defaults allowing projects that really need that fast startup time over the (pretty large) security benefits could opt-out. |
|
The only question I have is whether there are equivalents for other platforms: OS X and Windows that we should enable when that option is turned on. Otherwise it'll be misleading for people if it's a no-op on other platforms. If there's no equivalents, we can give it a linux-specific name that makes it clear that it is only available on Linux. |
|
For stack protector (wikipedia):
|
We already do this. For example lundef is not available on OSX so we don't add that to the list of options when compiling to it. Similarly asan is only available on GCC + Clang, not MSVC, etc. |
|
Ah, it makes sense as a build argument true. Perhaps we can even default to it. My comment was only for kwargs. |
|
This has caused problems in RHEL where applications porting from automake to meson are not being built with full RELRO, which causes them to fail the automated security tests Red Hat does. I guess one workaround is to copy around the fwupd "workaround" https://github.com/hughsie/fwupd/blob/master/meson.build#L108 to all projects although this is kind of nasty. I'm not sure I understand mesons codebase enough to attempt something like |
|
RedHat packages? They should be setting |
|
|
|
Well, what I mean is, if we're trying to satisfy packaging requirements, they should be satisfied by fixing the package in preference to messing with the |
This comment has been minimized.
This comment has been minimized.
Well, that works when building packages in something that's setting the CC flags, but for a developer on a workstation they're going to be blank... which is why I thought we should provide some kind of toggle to enable/disable it. |
|
I think we should have a toggle for this. Different compilers have different options for this, and having a generic way to turn this kind of stuff on from the command line is very mesonic. |
|
Debian blhc Failed: There is "LDFLAGS missing (-Wl,-z,now)" error. Is it cause by this issue? The build log warnning info is: |
It seems to be caused by an assertion failure in the test of the project you are building:
Seems unrelated to this issue. |
|
O, I'm sorry for my copy and paste error. :-( I update the link URL, please see again. Thanks! |
This can be fixed with: --- a/meson.build
+++ b/meson.build
@@ -97,7 +97,7 @@ test_link_args = [
'-Wl,-z,now',
]
foreach arg: test_link_args
- if cc.has_argument(arg)
+ if cc.has_link_argument(arg)
global_link_args += arg
endif
endforeachBut it's not causing the build error: Basically, the only way link args can be passed to g-ir-scanner is by setting the And yes, this issue will be fixed once we have a meson-wide option to set relro. |
add this patch in
add it in debian/rules: export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,now The blhc test is pass now. Thanks you very much! |
It seems meson defaults to "partial RELRO" + PIE for executables which seems a good default. For security sensitive things we need to have "full RELRO" which is more secure, but does have a small runtime cost. Full RELRO is usually set for daemons running as root or things that are taking untrusted binary things from the Internet. More info here: http://tk-blog.blogspot.co.uk/2009/02/relro-not-so-well-known-memory.html
I know you can do this for all exectuables using something like https://github.com/GNOME/sysprof/blob/52bc856be44e52480eb91dca922abf4444e30ac4/meson.build#L62-L65 but it makes sense to me to have some kind of
executable()argument to specify the security level. Either something as low level asrelro : "full"or something high level likehardening: "full"would be fine, the latter could also enable a different set of stack protection options too.Thanks again.
The text was updated successfully, but these errors were encountered: