From owner-svn-src-all@freebsd.org  Tue Nov  6 15:52:51 2018
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BDC2F1128333;
 Tue,  6 Nov 2018 15:52:51 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4C3EA7D142;
 Tue,  6 Nov 2018 15:52:51 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 29C9FC64;
 Tue,  6 Nov 2018 15:52:51 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wA6FqpC3017593;
 Tue, 6 Nov 2018 15:52:51 GMT (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id wA6FqoCM017589;
 Tue, 6 Nov 2018 15:52:50 GMT (envelope-from emaste@FreeBSD.org)
Message-Id: <201811061552.wA6FqoCM017589@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: emaste set sender to
 emaste@FreeBSD.org using -f
From: Ed Maste <emaste@FreeBSD.org>
Date: Tue, 6 Nov 2018 15:52:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r340186 - in head: share/mk tools/build/options
X-SVN-Group: head
X-SVN-Commit-Author: emaste
X-SVN-Commit-Paths: in head: share/mk tools/build/options
X-SVN-Commit-Revision: 340186
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 4C3EA7D142
X-Spamd-Result: default: False [-103.09 / 200.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 ALLOW_DOMAIN_WHITELIST(-100.00)[FreeBSD.org];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-0.99)[-0.991,0];
 MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[];
 HAS_XAW(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all];
 DMARC_NA(0.00)[FreeBSD.org]; RCVD_COUNT_THREE(0.00)[4];
 MX_GOOD(-0.01)[cached: mx1.FreeBSD.org];
 NEURAL_HAM_SHORT(-0.99)[-0.988,0]; FROM_EQ_ENVFROM(0.00)[];
 R_DKIM_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 15:52:52 -0000

Author: emaste
Date: Tue Nov  6 15:52:49 2018
New Revision: 340186
URL: https://svnweb.freebsd.org/changeset/base/340186

Log:
  Add a WITH_BIND_NOW build knob
  
  The linker's -z now flag sets the DF_BIND_NOW flag, which signals to the
  runtime loader that all relocation processing should be performed at
  process startup rather than on demand.  In combination with lld's
  default of enabling relro this causes the GOT to be made read-only when
  the process starts, preventing straightforward GOT overwrite attacks.
  
  Shawn Webb discovered a failure on HardenedBSD with BIND_NOW and ifunc
  use, which resulted in my rtld fix in r340137.  Add a BIND_NOW knob as
  it is trivial to do so and is a useful ELF hardening feature.  This
  change is equivalent to HardenedBSD's but not identical as there are
  other diffs/conflicts nearby.
  
  Note that our ELF Tool Chain readelf does not currently decode the
  DF_BIND_NOW flag - see PR232983.
  
  Reviewed by:	brooks
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D17846

Added:
  head/tools/build/options/WITHOUT_BIND_NOW   (contents, props changed)
  head/tools/build/options/WITH_BIND_NOW   (contents, props changed)
Modified:
  head/share/mk/bsd.lib.mk
  head/share/mk/bsd.opts.mk
  head/share/mk/bsd.prog.mk

Modified: head/share/mk/bsd.lib.mk
==============================================================================
--- head/share/mk/bsd.lib.mk	Tue Nov  6 15:29:44 2018	(r340185)
+++ head/share/mk/bsd.lib.mk	Tue Nov  6 15:52:49 2018	(r340186)
@@ -69,6 +69,10 @@ TAGS+=		package=${PACKAGE:Uruntime}
 TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
 .endif
 
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
 .if ${MK_RETPOLINE} != "no"
 CFLAGS+= -mretpoline
 CXXFLAGS+= -mretpoline

Modified: head/share/mk/bsd.opts.mk
==============================================================================
--- head/share/mk/bsd.opts.mk	Tue Nov  6 15:29:44 2018	(r340185)
+++ head/share/mk/bsd.opts.mk	Tue Nov  6 15:52:49 2018	(r340186)
@@ -69,6 +69,7 @@ __DEFAULT_YES_OPTIONS = \
     WARNS
 
 __DEFAULT_NO_OPTIONS = \
+    BIND_NOW \
     CCACHE_BUILD \
     CTF \
     INSTALL_AS_USER \

Modified: head/share/mk/bsd.prog.mk
==============================================================================
--- head/share/mk/bsd.prog.mk	Tue Nov  6 15:29:44 2018	(r340185)
+++ head/share/mk/bsd.prog.mk	Tue Nov  6 15:52:49 2018	(r340186)
@@ -34,6 +34,10 @@ PROG=	${PROG_CXX}
 MK_DEBUG_FILES=	no
 .endif
 
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
 .if ${MK_RETPOLINE} != "no"
 CFLAGS+= -mretpoline
 CXXFLAGS+= -mretpoline

Added: head/tools/build/options/WITHOUT_BIND_NOW
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tools/build/options/WITHOUT_BIND_NOW	Tue Nov  6 15:52:49 2018	(r340186)
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Do not build all binaries with the
+.Dv DF_BIND_NOW
+flag set.
+Run-time relocation processing will be performed on demand.

Added: head/tools/build/options/WITH_BIND_NOW
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/tools/build/options/WITH_BIND_NOW	Tue Nov  6 15:52:49 2018	(r340186)
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Build all binaries with the
+.Dv DF_BIND_NOW
+flag set to indicate that the run-time loader should perform all relocation
+processing at process startup rather than on demand.