linker: Enable full RELRO by default

Full RELRO is a hardening feature that makes it impossible to perform certian attacks involving overwriting parts of the Global Offset Table to invoke arbitrary code. It requires all symbols to be resolved before execution of the program starts which may have an impact on startup time. However most if not all popular Linux distributions enable full RELRO by default for all binaries and this does not seem to make a noticeable difference in practice. "Partial RELRO" is equivalent to `-z relro -z lazy`. "Full RELRO" is equivalent to `-z relro -z now`. LLD defaults to `-z relro -z lazy`, which means Zig's current `-z relro` option has no effect on LLD's behavior. The changes made by this commit are as follows: - Document that `-z relro` is the default and add `-z norelro`. - Pass `-z now` to LLD by default to enable full RELRO by default. - Add `-z lazy` to disable passing `-z now`.
miguelgargallo · Jun 8, 2022 · 3381779 · 3381779
1 parent 61844b6
commit 3381779
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 11 deletions.
diff --git a/src/Compilation.zig b/src/Compilation.zig
@@ -763,8 +763,8 @@ pub const InitOptions = struct {
     linker_z_defs: bool = false,
     linker_z_origin: bool = false,
     linker_z_noexecstack: bool = false,
-    linker_z_now: bool = false,
-    linker_z_relro: bool = false,
+    linker_z_now: bool = true,
+    linker_z_relro: bool = true,
     linker_z_nocopyreloc: bool = false,
     linker_tsaware: bool = false,
     linker_nxcompat: bool = false,

diff --git a/src/link/Elf.zig b/src/link/Elf.zig
@@ -1517,12 +1517,12 @@ fn linkWithLLD(self: *Elf, comp: *Compilation, prog_node: *std.Progress.Node) !v
             try argv.append("noexecstack");
         }
         if (self.base.options.z_now) {
-            try argv.append("-z");
-            try argv.append("now");
+            // LLD defaults to -zlazy
+            try argv.append("-znow");
         }
-        if (self.base.options.z_relro) {
-            try argv.append("-z");
-            try argv.append("relro");
+        if (!self.base.options.z_relro) {
+            // LLD defaults to -zrelro
+            try argv.append("-znorelro");
         }
 
         if (getLDMOption(target)) |ldm| {

diff --git a/src/main.zig b/src/main.zig
@@ -434,8 +434,10 @@ const usage_build_generic =
     \\    origin                       Indicate that the object must have its origin processed
     \\    nocopyreloc                  Disable the creation of copy relocations
     \\    noexecstack                  Indicate that the object requires an executable stack
-    \\    now                          Force all relocations to be processed on load
-    \\    relro                        Force all relocations to be resolved and be read-only on load
+    \\    now                          (default) Force all relocations to be processed on load
+    \\    lazy                         Don't force all relocations to be processed on load
+    \\    relro                        (default) Force all relocations to be read-only after processing
+    \\    norelro                      Don't force all relocations to be read-only after processing
     \\  -dynamic                       Force output to be dynamically linked
     \\  -static                        Force output to be statically linked
     \\  -Bsymbolic                     Bind global references locally
@@ -655,8 +657,8 @@ fn buildOutputType(
     var linker_z_defs = false;
     var linker_z_origin = false;
     var linker_z_noexecstack = false;
-    var linker_z_now = false;
-    var linker_z_relro = false;
+    var linker_z_now = true;
+    var linker_z_relro = true;
     var linker_tsaware = false;
     var linker_nxcompat = false;
     var linker_dynamicbase = false;
@@ -1209,8 +1211,12 @@ fn buildOutputType(
                             linker_z_noexecstack = true;
                         } else if (mem.eql(u8, z_arg, "now")) {
                             linker_z_now = true;
+                        } else if (mem.eql(u8, z_arg, "lazy")) {
+                            linker_z_now = false;
                         } else if (mem.eql(u8, z_arg, "relro")) {
                             linker_z_relro = true;
+                        } else if (mem.eql(u8, z_arg, "norelro")) {
+                            linker_z_relro = false;
                         } else {
                             warn("unsupported linker extension flag: -z {s}", .{z_arg});
                         }
@@ -1691,8 +1697,12 @@ fn buildOutputType(
                         linker_z_noexecstack = true;
                     } else if (mem.eql(u8, z_arg, "now")) {
                         linker_z_now = true;
+                    } else if (mem.eql(u8, z_arg, "lazy")) {
+                        linker_z_now = false;
                     } else if (mem.eql(u8, z_arg, "relro")) {
                         linker_z_relro = true;
+                    } else if (mem.eql(u8, z_arg, "norelro")) {
+                        linker_z_relro = false;
                     } else {
                         warn("unsupported linker extension flag: -z {s}", .{z_arg});
                     }