This repository was archived by the owner on Jan 23, 2023. It is now read-only.
Port from 5.0: Fix relro, now, and PIE for Libraries #43036
Merged
Anipik merged 5 commits into dotnet:release/3.1 from ivdiazsa:Port_DockF on Jun 5, 2021
janvorli reviewed on Apr 9, 2021
src/Native/Unix/CMakeLists.txt (outdated)
| set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-bind_at_load") | ||
| else (CMAKE_SYSTEM_NAME STREQUAL Darwin) | ||
| add_compile_options($<$<COMPILE_LANGUAGE:ASM>:-Wa,--noexecstack>) | ||
| set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1 -Wl,-z,relro,-z,now") |
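Review bot: in the non-Darwin branch, `-Wl,-z,relro,-z,now` is appended only to CMAKE_SHARED_LINKER_FLAGS, and the Darwin branch likewise sets `-Wl,-bind_at_load` only for shared libraries. If any executable is linked from this CMakeLists.txt, CMAKE_EXE_LINKER_FLAGS needs the same flags (plus the `-pie` option the description mentions), otherwise those binaries will not show Full RELRO; if only shared libraries are built here, a one-line comment saying so would help.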
janvorli reviewed on Apr 13, 2021
| add_definitions(-D_BSD_SOURCE) # required for getline | ||
| set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1") | ||
| set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld -Xlinker --build-id=sha1") | ||
| set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld") |
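Review bot: the last line passes `-fuse-ld=lld` to CMAKE_EXE_LINKER_FLAGS only, without the `-Xlinker --build-id=sha1` that the two lines above it carry, and there is no matching `-fuse-ld=lld` line for CMAKE_SHARED_LINKER_FLAGS. Shared libraries and executables should go through the same linker, so add the shared-flags counterpart, and note in a comment where the build id is set for this platform if it no longer comes from these lines.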
I've just noticed we are missing the `set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fuse-ld=lld")` here
This will need the shiproom template?
yeah @ivdiazsa was going to follow up in the .net core ASK mode channel and create the template.
Is this PR targeting current release? If yes we need approve and Servicing-approved tag.
jeffschwMSFT approved these changes on May 6, 2021
Approved. I will take for consideration in 3.1.x
cc @blowdart and @GrabYourPitchforks
Port Description
This is a direct port from one part of PR 685 in the runtime repo. This one was added during .NET Core 5.0 development but there is a customer need to also have it in the .NET Core 3.1 release. The other part is in the core-setup repo, PR 9125.
This change adds the missing `-z,relro` and `-z,now` compile options, as well as the position independent related code and `-pie` linker option to the Native Unix libraries. Additionally, some operating systems require other flags, which were also added: `-fuse-ld=lld` and `-Wl,-bind_at_load`.
Customer Impact
Having these flags enabled provides the built binaries with an additional layer of security, which has become a necessary requirement for some compliance checks, as well as safer applications overall. This port was requested by teams in Azure.
Regression
This was not a regression.
Testing
The checksec tool was used to verify the executables and shared objects had been indeed built with `PIE` and `Full RELRO` enabled.
Risk
The risk of this is pretty low, since it's been well tested in the current `main` branch, as well as .NET 5.0 releases.
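The properties named under Testing can also be read straight from the ELF program headers and dynamic section. The following is an added example, not code from this PR or from checksec: `check_hardening` and `build_sample` are hypothetical names, the sample images are constructed rather than real binaries, and only little-endian ELF64 is handled.

```python
import struct

# Values from the ELF gABI and its GNU extensions.
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE, PF_X = 0x8, 0x1, 0x08000000, 0x1

def check_hardening(elf: bytes) -> dict:
    """Classify RELRO, PIE and NX for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, _, _, _, e_phoff, _, _, _, phentsize, phnum = struct.unpack_from("<HHIQQQIHHH", elf, 16)
    relro = now = pie_flag = nx = False  # no PT_GNU_STACK: assume executable stack
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:       # emitted for -z relro
            relro = True
        elif p_type == PT_GNU_STACK:     # noexecstack yields a segment without PF_X
            nx = not p_flags & PF_X
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:             # DT_NULL ends the dynamic array
                    break
                now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                        or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))  # -z now
                pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # A RELRO segment without eager binding leaves the lazy GOT writable.
    relro_level = "Full" if relro and now else "Partial" if relro else "None"
    # Assumes the linker sets DF_1_PIE for -pie; if it does not, a PIE reads as "DSO".
    pie = "No PIE" if e_type != ET_DYN else "PIE" if pie_flag else "DSO"
    return {"relro": relro_level, "pie": pie, "nx": nx}

def build_sample(e_type, relro, dyn):
    """Constructed input, not a real binary: ELF header, program headers, .dynamic."""
    segs = [(PT_GNU_STACK, 6), (PT_DYNAMIC, 6)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    dyn_raw = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 64 + 56 * len(segs), 0, 0,
                                 len(dyn_raw), len(dyn_raw), 8) for t, f in segs)
    return ehdr + phdrs + dyn_raw

# Constructed samples: library with relro+now, library with relro only, PIE executable.
HARDENED_LIB = build_sample(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
LAZY_LIB = build_sample(ET_DYN, True, [])
PIE_EXE = build_sample(ET_DYN, True, [(DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
if __name__ == "__main__":
    print([check_hardening(s) for s in (HARDENED_LIB, LAZY_LIB, PIE_EXE)])
```

To check a real build output, pass the file's bytes, for example `check_hardening(open(path, "rb").read())`.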