From c3ad3c3bb87f22ca7b843118f79e9d1f20b34ec7 Mon Sep 17 00:00:00 2001
From: Fred Morcos
Date: Thu, 28 Sep 2023 11:59:38 +0200
Subject: [PATCH] Meson: Better handling of relro and support full relro

This changes the way relro is detected by avoiding the use of the linker's help text and instead relies on querying the compiler and linker for whether they support the specific arguments.
---
 .../hardening/global-offset-table/meson.build | 19 ---------------
 meson/hardening/meson.build | 24 ++++++++++++++++---
 meson/hardening/relro-full/meson.build | 16 +++++++++++++
 meson/hardening/relro/meson.build | 16 +++++++++++++
 meson_options.txt | 1 +
 5 files changed, 54 insertions(+), 22 deletions(-)
 delete mode 100644 meson/hardening/global-offset-table/meson.build
 create mode 100644 meson/hardening/relro-full/meson.build
 create mode 100644 meson/hardening/relro/meson.build

diff --git a/meson/hardening/global-offset-table/meson.build b/meson/hardening/global-offset-table/meson.build
deleted file mode 100644
index fceeec1a63..0000000000
--- a/meson/hardening/global-offset-table/meson.build
+++ /dev/null
@@ -1,19 +0,0 @@
-found_variant = false
-
-ld_help_result = run_command(cxx, '-Wl,-help', check: false)
-if ld_help_result.returncode() != 0
- warning('Linker does not support help text output. ' +
-'Read-only global offset table will be disabled')
-else
- ld_help = ld_help_result.stdout().strip()
- variants = ['relro', 'now']
- foreach variant: variants
- if ld_help.contains('-z ' + variant)
- found_variant = true
- add_project_link_arguments('-Wl,-z', '-Wl,' + variant, language: ['c', 'cpp'])
- endif
- endforeach
-endif
-
-hardening_features += [[found_variant, 'Read-only Global Offset Table']]
-summary('Read-only GOT', found_variant, bool_yn: true, section: 'Hardening')
diff --git a/meson/hardening/meson.build b/meson/hardening/meson.build
index 0f72b055dd..2a0bc15bad 100644
--- a/meson/hardening/meson.build
+++ b/meson/hardening/meson.build
@@ -1,5 +1,4 @@
 opt_hardening = get_option('hardening')
-
 if opt_hardening.enabled() or opt_hardening.auto()
 hardening_features = []
@@ -15,7 +14,7 @@ if opt_hardening.enabled() or opt_hardening.auto()
 subdir('stack-prot') # Stack Protector
 subdir('stack-smashing-prot') # Stack-Smashing Protection
 subdir('fortify-source') # Fortify Source
- subdir('global-offset-table') # Read-only Global Offset Table
+ subdir('relro') # RELRO
 foreach feature: hardening_features
 available = feature[0]
@@ -25,7 +24,26 @@ if opt_hardening.enabled() or opt_hardening.auto()
 if opt_hardening.auto()
 warning(name + ' is disabled or not supported')
 else
- error('Failing because ' + name + ' is not supported but hardening was explicitly requested')
+ error('Failing because ' + name + ' is not supported but hardening was requested')
+ endif
+ endif
+ endforeach
+endif
+
+opt_full_hardening = get_option('hardening-full')
+if opt_full_hardening.enabled() or opt_full_hardening.auto()
+ full_hardening_features = []
+ subdir('relro-full') # Full RELRO
+
+ foreach feature: full_hardening_features
+ available = feature[0]
+ name = feature[1]
+
+ if not available
+ if opt_full_hardening.auto()
+ warning(name + ' is disabled or not supported')
+ else
+ error('Failing because ' + name + ' is not supported but full hardening was requested')
 endif
 endif
 endforeach
diff --git a/meson/hardening/relro-full/meson.build b/meson/hardening/relro-full/meson.build
new file mode 100644
index 0000000000..77738772c5
--- /dev/null
+++ b/meson/hardening/relro-full/meson.build
@@ -0,0 +1,16 @@
+have_full_relro = true
+full_variants = [
+ '-Wl,-z,defs',
+ '-Wl,-z,ibt,-z,shstk',
+]
+
+foreach variant: full_variants
+ if cxx.has_link_argument(variant)
+ full_hardening_features += [[true, 'Full RELRO (' + variant + ')']]
+ add_project_link_arguments(variant, language: ['c', 'cpp'])
+ else
+ have_full_relro = false
+ endif
+endforeach
+
+summary('Full RELRO', have_full_relro, bool_yn: true, section: 'Hardening')
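Review bot: The `if not available` check in the added full-hardening loop can never fire, because relro-full/meson.build (later in this patch) appends only `[true, ...]` entries to `full_hardening_features` and records an unsupported flag solely in `have_full_relro`. With `-Dhardening-full=enabled` and a linker that rejects one of the flags, configuration would therefore succeed without the flag instead of reaching the `error(...)` line. The same holds for `hardening_features` and relro/meson.build, whereas the removed global-offset-table file appended `[found_variant, ...]`. Appending a false entry in each `else` branch restores the fail-closed behaviour, e.g. `full_hardening_features += [[false, 'Full RELRO (' + variant + ')']]`. The first `if opt_hardening.enabled() ...` block starts outside this hunk.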
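Review bot: The "Full RELRO" label in relro-full/meson.build does not match the flags in `full_variants`: `-z defs` rejects unresolved symbols and `-z ibt`/`-z shstk` set the x86 CET property notes, while the `-z now` that turns partial RELRO into full RELRO is already listed in relro/meson.build. The summary line would report a RELRO status derived from unrelated checks, which can mislead anyone auditing the build output. A name that says what is tested would be clearer, e.g. `summary('Link-time -z defs / CET markers', have_full_relro, bool_yn: true, section: 'Hardening')`. Since `-z ibt,-z shstk` only marks the output as CET-compatible, it is also worth confirming that the objects are compiled with matching control-flow protection; nothing in this patch shows that.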
diff --git a/meson/hardening/relro/meson.build b/meson/hardening/relro/meson.build
new file mode 100644
index 0000000000..23e57a6ade
--- /dev/null
+++ b/meson/hardening/relro/meson.build
@@ -0,0 +1,16 @@
+have_relro = true
+variants = [
+ '-Wl,-z,relro',
+ '-Wl,-z,now',
+]
+
+foreach variant: variants
+ if cxx.has_link_argument(variant)
+ hardening_features += [[true, 'RELRO (' + variant + ')']]
+ add_project_link_arguments(variant, language: ['c', 'cpp'])
+ else
+ have_relro = false
+ endif
+endforeach
+
+summary('RELRO', have_relro, bool_yn: true, section: 'Hardening')
diff --git a/meson_options.txt b/meson_options.txt
index aa766dd7b6..02cc9778da 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,5 +1,6 @@
 option('lua', type: 'combo', choices: ['auto', 'luajit', 'lua'], value: 'auto', description: 'Lua implementation to use')
 option('hardening', type: 'feature', value: 'auto', description: 'Compiler security checks')
+option('hardening-full', type: 'feature', value: 'auto', description: 'Compiler security checks with a performance penalty')
 option('fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
 option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
 option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
--
2.47.2
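Review bot: The new `hardening-full` option defaults to `auto`, and the block that reads it in meson/hardening/meson.build sits after the `endif` of the `hardening` conditional, so it appears that `-Dhardening=disabled` alone would still add the full-hardening link flags wherever the linker accepts them. If the option is meant to be opt-in given its stated performance penalty, `value: 'disabled'` would express that. Otherwise the description could state that it is evaluated independently of `hardening`.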