From 33817794268b5453794f98ee752403ff44693112 Mon Sep 17 00:00:00 2001
From: Isaac Freund
Date: Wed, 8 Jun 2022 14:33:11 +0200
Subject: linker: Enable full RELRO by default

Full RELRO is a hardening feature that makes it impossible to perform certian attacks involving overwriting parts of the Global Offset Table to invoke arbitrary code. It requires all symbols to be resolved before execution of the program starts which may have an impact on startup time. However most if not all popular Linux distributions enable full RELRO by default for all binaries and this does not seem to make a noticeable difference in practice. "Partial RELRO" is equivalent to `-z relro -z lazy`. "Full RELRO" is equivalent to `-z relro -z now`. LLD defaults to `-z relro -z lazy`, which means Zig's current `-z relro` option has no effect on LLD's behavior. The changes made by this commit are as follows: - Document that `-z relro` is the default and add `-z norelro`. - Pass `-z now` to LLD by default to enable full RELRO by default. - Add `-z lazy` to disable passing `-z now`.
---
 src/Compilation.zig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/Compilation.zig')
diff --git a/src/Compilation.zig b/src/Compilation.zig
index 04e9d97719..7d686b2f40 100644
--- a/src/Compilation.zig
+++ b/src/Compilation.zig
@@ -763,8 +763,8 @@ pub const InitOptions = struct {
 linker_z_defs: bool = false,
 linker_z_origin: bool = false,
 linker_z_noexecstack: bool = false,
- linker_z_now: bool = false,
- linker_z_relro: bool = false,
+ linker_z_now: bool = true,
+ linker_z_relro: bool = true,
 linker_z_nocopyreloc: bool = false,
 linker_tsaware: bool = false,
 linker_nxcompat: bool = false,
--
cgit v1.2.3
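Review bot: The flipped defaults on `linker_z_now` and `linker_z_relro` have no comment saying that the hardening depends on both fields together, so a caller that overrides only `linker_z_now = false` silently drops to partial RELRO, where the lazily bound part of the GOT stays writable. I would add a doc comment above the pair, for example `/// Full RELRO needs both linker_z_now and linker_z_relro; relro without now is partial RELRO (lazy binding).`. Every place that builds `InitOptions` without naming these fields now inherits the new defaults, and the `-z lazy` / `-z norelro` handling that should reset them to `false` is outside this view, so that opt-out path should be confirmed separately. A link test that checks the output with `readelf -l` for a `GNU_RELRO` segment and `readelf -d` for `BIND_NOW` would keep the default from regressing unnoticed. The `InitOptions` struct starts and ends outside the hunk.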