[Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO

Arnout Vandecappelle arnout at mind.be
Tue Mar 12 08:57:34 UTC 2019



On 12/03/2019 07:22, yann.morin at orange.com wrote:
> Arnout, All,
> 
> On 2019-03-12 01:36 +0100, Arnout Vandecappelle spake thusly:
>> On 11/03/2019 07:48, yann.morin at orange.com wrote:
>>> From: "Yann E. MORIN" <yann.morin at orange.com>
>>>
>>> Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
>>> keep the current situation, where RELRO-FULL forces PIC/PIE compilation.
>>
>>  I just checked on my host, and a simple test program compiled with -no-pie
>> -Wl,-z,relro -Wl,-z,now does work, so indeed the two seem to be independent.
> 
> Still, I'd prefer to keep the select to keep the current behaviour. We
> can drop it later on if someone has a need for it.
> 
>>  I guess it's a historical accident that the global full relro and PIE are
>> typically introduced together. From what I understand, they are pretty much
>> independent.
> 
> I talked with Matt on IRC about this the other day, and his reasoning
> for doing so as it is was to mimic the way done on distros (Debian,
> FC?), so it is not a complete accident either. ;-)

 That's what I meant: it's a historical accident that Fedora [1] and Debian [2]
started enabling -z,now and -pie at the same time. On their respective wiki
pages that discuss enabling these things, they are in fact treated separately.

 Regards,
 Arnout

[1] https://fedoraproject.org/wiki/Security_Features_Matrix#Userspace_Hardening
[2] https://wiki.debian.org/Hardening#User_Space
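
Added example, not part of the original message or of Buildroot: a checker that reads RELRO and PIE as two separate properties of a little-endian ELF64 binary, which is how a build such as the -no-pie -Wl,-z,relro -Wl,-z,now one mentioned above can be verified. The names hardening and sample are hypothetical, and the two images are constructed in memory rather than taken from a real toolchain.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN = 2, 3
PHDR = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align


def hardening(elf: bytes) -> dict:
    """Report RELRO level and PIE separately for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # -z relro: segment remapped read-only
            relro = True
        elif p_type == PT_DYNAMIC:      # -z now shows up as a dynamic-section flag
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:            # DT_NULL ends the table
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN is also the type of shared libraries; for an executable it means PIE.
    return {"relro": level, "pie": e_type == ET_DYN}


def sample(e_type: int, dt_flags: int) -> bytes:
    """Constructed image: ELF header, PT_GNU_RELRO + PT_DYNAMIC, one DT_FLAGS entry."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = (struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
             + struct.pack(PHDR, PT_DYNAMIC, 6, 176, 0, 0, 32, 32, 8))
    return ehdr + phdrs + struct.pack("<qQqQ", DT_FLAGS, dt_flags, 0, 0)


if __name__ == "__main__":
    print(hardening(sample(ET_EXEC, DF_BIND_NOW)))  # non-PIE, full RELRO
    print(hardening(sample(ET_DYN, 0)))             # PIE, partial RELRO
```

On a real binary, pass the file's bytes to hardening(); the two fields vary independently, so all four combinations are possible.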


