this is my template for most Linux projects (except when "something else" is needed :)) ... please don't copy paste without certainty of what it does:
CFLAGS_BASE := -c -O2 -Wall -Werror -Wpedantic -pipe $(CFLAGS)
CFLAGS_HARD := -fPIE -Wformat-security -fstack-protector-strong --param=ssp-buffer-size=4 -fcf-protection -Wimplicit-fallthrough -D_FORTIFY_SOURCE=2
CFLAGS_DEBUG := -g3 -gdwarf-2
CFLAGS_RELEASE := -s -fomit-frame-pointer -march=native
LDFLAGS := -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,-pie -Wl,--no-copy-dt-needed-entries
LDFLAGS_HMALLOC := -L/usr/local/lib -lhardened_malloc # see https://github.com/GrapheneOS/hardened_malloc
I happened to be looking at this for Go binaries last night and it seems that -buildmode=pie gets you part of the way there. Was trying to see if full relro was possible with CGO_ENABLED=0 but it seems only partial was achievable in the few hours I spent.
... please don't copy paste without certainty of what it does
Genuinely interested, not holding you accountable for my computer exploding.
$ rpm -q hardening-check
hardening-check-2.6-1.el7.noarch
$ rpm -qi hardening-check | grep URL
URL : http://packages.debian.org/hardening-wrapper
$ hardening-check /bin/ls
/bin/ls:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
CFLAGS='-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fpic -pie' \
LDFLAGS='-Wl,-z,relro,-z,now -Wl,-z,now' ./configure
* -fPIE : Compile as a 'position-independent executable'. This allows code and data sections of the executable to be installed at random locations in the address space, and comes with a mild cost due to needing extra indirections to handle position-independent code.
* -Wformat-security: adds some extra warnings around possible misuse of printf and scanf.
* -fstack-protector-strong --param=ssp-buffer-size=4: adds extra code in functions to check that stack buffer overflows likely haven't occurred. The second bit does it for every variable at least 4 bytes in size.
* -fcf-protection: this enables Intel CET instructions to check control flow integrity. This essentially causes the hardware to have a shadow stack and other tracking bits to prevent ROP attacks from occurring, but it does require very new hardware to work correctly.
* -Wimplicit-fallthrough: warns if switch cases don't have breaks.
* -D_FORTIFY_SOURCE=2: this causes several basic C functions (such as memcpy) in glibc to compile in a somewhat more secure manner, namely aborting the program if it can detect that it's going to overflow the bounds of an object. The '2' level adds extra checks that prohibits some legal C behavior (for example, buffer overflows that run into a different subobject of the same object).
* -s: Strip the resulting binary after linking.
* -fomit-frame-pointer: This is already the default on x86-64, and maybe ARM/AArch64 as well (I don't have those ABIs thoroughly memorized).
* -Wl,-z,now: Dynamic symbol resolution has to happen at load time rather than lazily. This can cause issues if you're relying on a symbol to be provided by a shared library you're loading dynamically (not a common case, as most people are liable to use dladdr instead).
* -Wl,-z,relro: Make sections that need to be writable only for dynamic relocations be read-only post-relocation-fixup phase.
* -Wl,-z,defs: Make it a linker error if there's a symbol that isn't available in the main executable/library you're building or any of the dynamic libraries you've linked. (Like -Wl,-z,now, this is again something that is unlikely to cause you issues).
* -Wl,-pie: This again enables position-independent executables (and should be triggered by -fPIE, so I'm somewhat curious why -fPIE isn't being passed here instead of -Wl,-pie).
* -Wl,--no-copy-dt-needed-entries: The secondary effect here is likely what is intended. If you're linking against liba.so, and liba.so depends on libb.so, this prevents the application from using libb.so to provide symbols, at least for the purposes of deciding whether to cause an error for -Wl,-z,defs (it should still load those symbols at runtime anyways).
I also only use -fstack-protector-strong and -fcf-protection as a fallback in case -fstack-protector-all and -fcf-protection=full cause crashes.
I listed some more in https://news.ycombinator.com/item?id=29191311
You can also add fsanitize=shadow-stack (ARM) or fsanitize=safe-stack (x86_64) for stronger protection than -fstack-protector-all. This will cause many programs to crash.
One of my favorite examples of bypassing relro is the sudo exploit that took advantage of a simple format string vulnerability. It was downplayed at the time by the sudo maintainer as not easy to exploit due to FORTIFY. But you could get full root just doing a very simple payload, because sudo already calls system(/bin/sh) and FORTIFY itself was easily exploitable. [1][2]
1: https://www.sudo.ws/alerts/sudo_debug.html
2: https://www.vnsecurity.net/research/2012/02/16/exploiting-su...
This might not be exactly the same as how it is implemented in Linux but at least to me seeing all the code involved from start to finish is a much better way to understand the concept.
> Using full RELRO has a slight performance impact during application startup (as the linker has to populate the GOT entries before entering the main function).
In general, the difference for a large application is non-negligible and one should carefully consider the impact before enabling this feature by default.
And because of that they enabled it for all binaries on Fedora. The fedora users are now testing whether it's possible to activate it by default.
Naturally one might consider it doesn't matter for the use case at hand.