On Fri, Aug 26, 2016 at 9:06 AM, Pedro Giffuni <p...@freebsd.org> wrote:
>
> On 08/26/16 10:01, Warner Losh wrote:
>>
>> On Fri, Aug 26, 2016 at 8:36 AM, Ed Maste <ema...@freebsd.org> wrote:
>>>
>>> On 26 August 2016 at 10:18, Warner Losh <i...@bsdimp.com> wrote:
>>>>
>>>> So what's the summary of why we'd want to do that? What benefit does it
>>>> bring? Sure, other folks do it, but why?
>>>
>>> It's a relatively low-cost technique to mitigate certain
>>> vulnerabilities. rtld needs to write to some sections during load, but
>>> they don't need to be writable after starting the program. relro
>>> reorders the output sections so that they are grouped together, and
>>> rtld remaps them read-only on start. This is often called "partial
>>> relro." I don't know of any real downside to enabling it, other than
>>> it could possibly break some strangely built third-party software.
>>> It's been enabled on other platforms for quite some time though, and I
>>> doubt we'd run into new issues.
>>>
>>> It doesn't bring a huge benefit by itself though; the PLT is still
>>> writable. Adding "-z now" to the linker invocation produces "full
>>> relro", which makes the PLT read-only too. It has a negative impact on
>>> process start-up time though.
>>
>> Sounds like this has implications for all the RTLD on all our
>> architectures. Has this been tested across all of them?
>
> It affects anything ELF, yes, but AFAICT the change is platform independent.
That's a different answer than "it's been tested on all platforms and it's fine."

Warner
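As an added, constructed example (not code from this thread, from rtld or from the FreeBSD tree), the following Python checker classifies a little-endian ELF64 file as having no, partial or full RELRO, using the two artifacts the discussion above describes: the PT_GNU_RELRO program header that marks the region rtld remaps read-only after relocation, and the DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW dynamic-section flags that "-z now" sets so the PLT is resolved eagerly and can be covered by that region. The `build_sample_elf` helper is an assumption for offline testing: it synthesizes header-only images that carry just the structures the check inspects and are not loadable binaries.

```python
"""Classify an ELF64 (little-endian) object as none / partial / full RELRO."""
import struct
import sys

# Program-header and dynamic-tag constants from the ELF gABI / lld and GNU ld.
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def classify_relro(data: bytes) -> str:
    """Return "none", "partial" or "full" for the ELF image in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    fields = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]

    has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True          # rtld will mprotect this range read-only
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    if not has_relro:
        return "none"                 # nothing for rtld to remap; -z now alone is not RELRO

    # Partial RELRO leaves the PLT GOT writable for lazy binding; "full"
    # requires eager binding, signalled by any of the three BIND_NOW tags.
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            if off + DYN.size > len(data):
                break
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    return "full" if bind_now else "partial"


def relro_status(path: str) -> str:
    """Classify an on-disk ELF64 file."""
    with open(path, "rb") as fh:
        return classify_relro(fh.read())


def build_sample_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed test fixture: a minimal, non-loadable ELF64 image whose
    program headers and dynamic table mimic what a linker emits with
    -z relro and/or -z now. Assumption for offline testing only."""
    dyn = []
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(tag, val) for tag, val in dyn)

    types = [1, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])   # 1 == PT_LOAD
    dyn_off = EHDR.size + PHDR.size * len(types)
    phdrs = b""
    for t in types:
        if t == PT_DYNAMIC:
            phdrs += PHDR.pack(t, 6, dyn_off, 0x3000, 0x3000, len(dyn_bytes), len(dyn_bytes), 8)
        elif t == PT_GNU_RELRO:
            phdrs += PHDR.pack(t, 4, dyn_off, 0x3000, 0x3000, len(dyn_bytes), 0x1000, 1)
        else:
            phdrs += PHDR.pack(t, 5, 0, 0, 0, 0, 0, 0x1000)

    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\0" * 8   # ELF64, LE, OSABI FreeBSD
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(types), 64, 0, 0)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(relro_status(sys.argv[1]))
    else:
        for flags in ((False, False), (True, False), (True, True)):
            print(flags, classify_relro(build_sample_elf(*flags)))
```

Run as `python3 relro_check.py /path/to/binary` against a real object; `readelf -l` (look for a GNU_RELRO entry) and `readelf -d` (look for BIND_NOW or the NOW bit in FLAGS/FLAGS_1) show the same two facts the checker keys on, which is a quick way to confirm after a toolchain change that both the base system and third-party ports actually picked up the linker flag.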