From: Fred Morcos Date: Thu, 28 Sep 2023 09:59:38 +0000 (+0200) Subject: Meson: Better handling of relro and support full relro X-Git-Tag: rec-5.1.0-alpha1~80^2~102 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3ad3c3bb87f22ca7b843118f79e9d1f20b34ec7;p=thirdparty%2Fpdns.git Meson: Better handling of relro and support full relro This changes the way relro is detected by avoiding the use of the linker's help text and instead relies on querying the compiler and linker for whether they support the specific arguments. --- diff --git a/meson/hardening/global-offset-table/meson.build b/meson/hardening/global-offset-table/meson.build deleted file mode 100644 index fceeec1a63..0000000000 --- a/meson/hardening/global-offset-table/meson.build +++ /dev/null @@ -1,19 +0,0 @@ -found_variant = false - -ld_help_result = run_command(cxx, '-Wl,-help', check: false) -if ld_help_result.returncode() != 0 - warning('Linker does not support help text output. ' + - 'Read-only global offset table will be disabled') -else - ld_help = ld_help_result.stdout().strip() - variants = ['relro', 'now'] - foreach variant: variants - if ld_help.contains('-z ' + variant) - found_variant = true - add_project_link_arguments('-Wl,-z', '-Wl,' + variant, language: ['c', 'cpp']) - endif - endforeach -endif - -hardening_features += [[found_variant, 'Read-only Global Offset Table']] -summary('Read-only GOT', found_variant, bool_yn: true, section: 'Hardening') diff --git a/meson/hardening/meson.build b/meson/hardening/meson.build index 0f72b055dd..2a0bc15bad 100644 --- a/meson/hardening/meson.build +++ b/meson/hardening/meson.build @@ -1,5 +1,4 @@ opt_hardening = get_option('hardening') - if opt_hardening.enabled() or opt_hardening.auto() hardening_features = [] 
@@ -15,7 +14,7 @@ if opt_hardening.enabled() or opt_hardening.auto() subdir('stack-prot') # Stack Protector subdir('stack-smashing-prot') # Stack-Smashing Protection subdir('fortify-source') # Fortify Source - subdir('global-offset-table') # Read-only Global Offset Table + subdir('relro') # RELRO foreach feature: hardening_features available = feature[0] @@ -25,7 +24,26 @@ if opt_hardening.enabled() or opt_hardening.auto() if opt_hardening.auto() warning(name + ' is disabled or not supported') else - error('Failing because ' + name + ' is not supported but hardening was explicitly requested') + error('Failing because ' + name + ' is not supported but hardening was requested') + endif + endif + endforeach +endif + +opt_full_hardening = get_option('hardening-full') +if opt_full_hardening.enabled() or opt_full_hardening.auto() + full_hardening_features = [] + subdir('relro-full') # Full RELRO + + foreach feature: full_hardening_features + available = feature[0] + name = feature[1] + + if not available + if opt_full_hardening.auto() + warning(name + ' is disabled or not supported') + else + error('Failing because ' + name + ' is not supported but full hardening was requested') endif endif endforeach diff --git a/meson/hardening/relro-full/meson.build b/meson/hardening/relro-full/meson.build new file mode 100644 index 0000000000..77738772c5 --- /dev/null +++ b/meson/hardening/relro-full/meson.build @@ -0,0 +1,16 @@ +have_full_relro = true +full_variants = [ + '-Wl,-z,defs', + '-Wl,-z,ibt,-z,shstk', +] + +foreach variant: full_variants + if cxx.has_link_argument(variant) + full_hardening_features += [[true, 'Full RELRO (' + variant + ')']] + add_project_link_arguments(variant, language: ['c', 'cpp']) + else + have_full_relro = false + endif +endforeach + +summary('Full RELRO', have_full_relro, bool_yn: true, section: 'Hardening') diff --git a/meson/hardening/relro/meson.build b/meson/hardening/relro/meson.build new file mode 100644 index 0000000000..23e57a6ade 
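Review bot: The new `hardening-full` block sits at top level, after the `endif` that closes the `hardening` block, so it is evaluated even when `-Dhardening=disabled`. With the default of `auto` from meson_options.txt, the relro-full link arguments are then still added. If full hardening is meant to build on the basic set, gate it with `if not opt_hardening.disabled() and (opt_full_hardening.enabled() or opt_full_hardening.auto())`. Otherwise add a comment such as `# hardening-full is independent of the 'hardening' option`. The rest of the file lies outside the hunk.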
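Review bot: An unsupported flag is never reported to the enforcement loop, because the `else` branch only sets `have_full_relro = false` and every entry appended to `full_hardening_features` carries `true`. The `error(...)` path in meson/hardening/meson.build therefore cannot fire, and `-Dhardening-full=enabled` configures successfully without the flag. Add `full_hardening_features += [[false, 'Full RELRO (' + variant + ')']]` to the `else` branch. meson/hardening/relro/meson.build has the same pattern with `hardening_features`, which loses the enforcement the deleted file had through its `[[found_variant, ...]]` entry.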
--- /dev/null +++ b/meson/hardening/relro/meson.build @@ -0,0 +1,16 @@ +have_relro = true +variants = [ + '-Wl,-z,relro', + '-Wl,-z,now', +] + +foreach variant: variants + if cxx.has_link_argument(variant) + hardening_features += [[true, 'RELRO (' + variant + ')']] + add_project_link_arguments(variant, language: ['c', 'cpp']) + else + have_relro = false + endif +endforeach + +summary('RELRO', have_relro, bool_yn: true, section: 'Hardening') diff --git a/meson_options.txt b/meson_options.txt index aa766dd7b6..02cc9778da 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -1,5 +1,6 @@ option('lua', type: 'combo', choices: ['auto', 'luajit', 'lua'], value: 'auto', description: 'Lua implementation to use') option('hardening', type: 'feature', value: 'auto', description: 'Compiler security checks') +option('hardening-full', type: 'feature', value: 'auto', description: 'Compiler security checks with a performance penalty') option('fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level') option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG') option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
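Review bot: `hardening-full` defaults to `auto`, so its flags are added on every build whose linker accepts them, yet the description does not say which flags those are. The list in relro-full/meson.build is `-Wl,-z,defs` and `-Wl,-z,ibt,-z,shstk`, neither of which is RELRO; `-z relro` and `-z now` already come from `hardening`. As far as I know, GNU ld's `-z ibt` and `-z shstk` mark the output as CET-compatible regardless of how the objects were compiled. Confirm that everything linked is built with `-fcf-protection` before this is on by default, otherwise the binary may advertise protection it cannot honour. Consider `value: 'disabled'` and a description such as `'Extra linker hardening (-z defs, CET markers)'`.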