Date: Tue, 3 May 2022 14:54:34 +0000 (UTC)
From: Michael Matz
To: Nick Clifton
cc: Binutils
Subject: Re: binutils as policy checker (was: RFC: Add a linker warning when creating segments with RWX permissions)

Hey,

On Thu, 28 Apr 2022, Nick Clifton via Binutils wrote:

>   * There are now configure options which can turn off the generation
>     of linker warnings about the creation of executable segments and
>     the creation of executable stacks.  By default however not using
>     these configure options will result in the creation of a linker
>     with all of the warnings enabled.
>
>   * There is a new linker command line option: --no-warn-rwx-segments
>     which disables the warnings about executable segments.
>
>   * There are tests for the new features, plus extra regexps in the
>     testsuite's pruning proc to remove the warnings from the linker's
>     output for normal tests.
>
>   * The creation of a TLS segment with eXecute permission will trigger
>     a warning, regardless of whether it has the read and/or write
>     permissions set.
>
>   * There is a new configure time option which will disable the
>     creation of an executable stack simply because an input file is
>     missing a .note-GNU-stack section (for those architectures where
>     such a creation is the normal behaviour).  This option is not
>     enabled by default however.  At least not yet.
>
> I think that this represents the best compromise between helping to
> promote secure builds whilst also allowing toolchain creators and
> program builders the option to disable the features if they wish.
>
> Any comments ?

Works for me.

Ciao,
Michael.