On Fri, Aug 26, 2016 at 8:36 AM, Ed Maste <[email protected]> wrote:
> On 26 August 2016 at 10:18, Warner Losh <[email protected]> wrote:
>>
>> So what's the summary of why we'd want to do that? What benefit does it
>> bring?
>> Sure, other folks do it, but why?
>
> It's a relatively low cost technique to mitigate certain
> vulnerabilities. rtld needs to write to some sections during load but
> they don't need to be writeable after starting the program. relro
> reorders the output sections so that they are grouped together, and
> rtld remaps them read-only on start. This is often called "partial
> relro." I don't know of any real downside to enabling it, other than
> it could possibly break some strangely built third party software.
> It's been enabled on other platforms for quite some time though and I
> doubt we'd run into new issues.
>
> It doesn't bring a huge benefit by itself though; the PLT is still
> writeable. Adding "-z now" to the linker invocation produces "full
> relro" which makes the PLT read-only too. It has a negative impact on
> process start-up time though.

Sounds like this has implications for all the RTLD on all our
architectures. Has this been tested across all of them?

Warner
