Merge #17686: build: add -bind_at_load to macOS hardened LDFLAGS

c78b123 build: add -bind_at_load to hardened LDFLAGS (fanquake)

Pull request description:

  This performs the same function as `-Wl,-z,now`, except for ld on macOS.

  You can check the binaries using `otool -l`, and looking for the `LC_DYLD_INFO_ONLY` section; `lazy_bind_off` and `lazy_bind_size` should both be 0.

  This seems to be the case with our current release binaries. However we can make the check, and applying the flag explicit in configure.

  man ld:
  ```bash
  -bind_at_load
  Sets a bit in the mach header of the resulting binary which tells dyld
  to bind all symbols when the binary is loaded, rather than lazily.
  ```
  TODO:
  - [ ] Follow up with `MH_BINDATLOAD` flag.

ACKs for top commit:
  theuni:
    ACK c78b123.

Tree-SHA512: 12259558b84f7e3d75d6fcde63b517685e42b18fcf8e8cfcf347483c5ba089d3b4b6d330e7b7f61f83a328fe4d141b771e8e52ddee9cac6da87dfc073ab1183d

configure.ac

@@ -778,6 +778,7 @@ dnl this flag screws up non-darwin gcc even when the check fails. special-case i
 if test x$TARGET_OS = xdarwin; then
   AX_CHECK_LINK_FLAG([[-Wl,-dead_strip]], [LDFLAGS="$LDFLAGS -Wl,-dead_strip"])
   AX_CHECK_LINK_FLAG([[-Wl,-dead_strip_dylibs]], [LDFLAGS="$LDFLAGS -Wl,-dead_strip_dylibs"])
+  AX_CHECK_LINK_FLAG([[-Wl,-bind_at_load]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-bind_at_load"])
 fi
 
 AC_CHECK_HEADERS([endian.h sys/endian.h byteswap.h stdio.h stdlib.h unistd.h strings.h sys/types.h sys/stat.h sys/select.h sys/prctl.h sys/sysctl.h vm/vm_param.h sys/vmmeter.h sys/resources.h])