On Tue, Apr 5, 2022 at 5:24 AM Marcus Meissner <meissner@suse.de> wrote:
Hi folks,
Security hardening of Linux systems suggests marking ELF binary sections as much read-only as it gets.
A part of this binary hardening is making the ELF relocations in binaries and libraries read-only to avoid them being overwritten and used for attacks.
SUSE has built everything with "Partial RELRO" for a long time (via a default in binutils). (-z relro)
We did not yet do "Full RELRO" (-z now) as we feared the amount of integration work.
However as this is industry standard now, we have started the integration and will push it to main Factory / Tumbleweed soon.
It is being implemented by:
- The SUSE binutils "ld" queries the "SUSE_ZNOW" environment variable. If it is present and not "0", it will enable "-z now".
- The post-build-checks injects via /etc/profile.d/build-system.sh the environment variable SUSE_ZNOW=1 into all RPM build chroots (that use post-build-checks, which should be all of them).
- Packages can still deselect it. Either:
  - use linker option "-z lazy".
  - or export SUSE_ZNOW=0 in the %build section.
Currently only "xorg-x11-server" and "python-atspi:tests" needed to do this in our staging.
+1, so far I have seen the X server does not work (as you mention above); probably other components that load DSOs in funky ways will also break. You should also note that you will not be able to interpose symbols anymore; you need to relink everything again to do so. You might also want not to pay the price of symbol interposition in the first place, since it won't work, at compile time by using -fno-plt and -fno-semantic-interposition.