Enable full RELRO by default, expose in std.build #11825
Merged
Full RELRO is a hardening feature that makes it impossible to perform
certain attacks involving overwriting parts of the Global Offset Table
to invoke arbitrary code.
It requires all symbols to be resolved before execution of the program
starts which may have an impact on startup time. However most if
not all popular Linux distributions enable full RELRO by default for
all binaries and this does not seem to make a noticeable difference
in practice.
"Partial RELRO" is equivalent to `-z relro -z lazy`.
"Full RELRO" is equivalent to `-z relro -z now`.
LLD defaults to `-z relro -z lazy`, which means Zig's current `-z relro` option has no effect on LLD's behavior.
The changes made by this commit are as follows:
- `-z relro` is the default and add `-z norelro`.
- `-z now` to LLD by default to enable full RELRO by default.
- `-z lazy` to disable passing `-z now`.

This was prompted by Arch Linux maintainers asking me how to enable RELRO for my software.
Closes #6977