From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: libc-alpha@sourceware.org
Subject: [PATCH 3/4] Disable lazy binding by default
Date: Thu, 29 Jun 2023 14:41:46 -0400
Message-ID: <20230629184156.2789945-4-siddhesh@sourceware.org>
In-Reply-To: <20230629184156.2789945-1-siddhesh@sourceware.org>
Lazy binding is a key security feature and is enabled by all major
distributions by default. Default to this more secure option and flip
the flag to allow disabling it if needed.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
INSTALL | 10 +++++-----
NEWS | 3 +++
configure | 4 ++--
configure.ac | 6 +++---
manual/install.texi | 9 ++++-----
5 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/INSTALL b/INSTALL
index f02358e933..88ffe7748f 100644
--- a/INSTALL
+++ b/INSTALL
@@ -205,11 +205,11 @@ if ‘CFLAGS’ is specified it must enable optimization. For example:
of routines called directly from assembler are excluded from this
protection. This option is enabled by default and set to ‘strong’.
-‘--enable-bind-now’
- Disable lazy binding for installed shared objects and programs.
- This provides additional security hardening because it enables full
- RELRO and a read-only global offset table (GOT), at the cost of
- slightly increased program load times.
+‘--disable-bind-now’
+ Enable lazy binding for installed shared objects and programs.
+ Lazy binding may improve program load times but it will disable
+ security hardening that enables full RELRO and a read-only global
+ offset table (GOT).
‘--enable-pt_chown’
The file ‘pt_chown’ is a helper binary for ‘grantpt’ (*note
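Review bot: INSTALL is generated from manual/install.texi, so this hunk should come from regenerating the file after the install.texi change rather than from a hand edit; the wording here does match the install.texi hunk in this patch, which is what matters for review. One documentation gap shared by both: the new ‘--disable-bind-now’ entry never says what the default is, whereas the stack-protector entry directly above ends with "This option is enabled by default and set to ‘strong’"; a sentence such as "Lazy binding is disabled by default." belongs in install.texi so it lands here on regeneration.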
diff --git a/NEWS b/NEWS
index 47ec0b741c..264fad5d86 100644
--- a/NEWS
+++ b/NEWS
@@ -52,6 +52,9 @@ Major new features:
default. This may be overridden by using the --enable-stack-protector
configure option.
+* Lazy binding is now disabled by default and can be overridden with the
+ --disable-bind-now configure flag.
+
Deprecated and removed features, and other changes affecting compatibility:
* In the Linux kernel for the hppa/parisc architecture some of the
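Review bot: The NEWS entry names the new default and the override flag but not the effect, and this is a behaviour change for every installed binary; consider carrying over the one-line rationale from the INSTALL text (full RELRO and a read-only GOT, at the cost of slightly longer program load times) so release-note readers see both the hardening gain and the trade-off without opening INSTALL.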
diff --git a/configure b/configure
index 863621cabf..6d4b05df18 100755
--- a/configure
+++ b/configure
@@ -1462,7 +1462,7 @@ Optional Features:
hardcode newly built glibc path in tests
[default=no]
--disable-hidden-plt do not hide internal function calls to avoid PLT
- --enable-bind-now disable lazy relocations in DSOs
+ --disable-bind-now enable lazy relocations in DSOs
--enable-stack-protector=[yes|no|all|strong]
Use -fstack-protector[-all|-strong] to detect glibc
buffer overflows
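Review bot: configure is generated output, so this help-text hunk should be the result of re-running autoconf (the $as_nop idiom in the following hunk indicates the autoconf 2.71 output introduced earlier in this series) rather than a manual edit; the text does match the AS_HELP_STRING change in configure.ac. If a default annotation is added to the help string in configure.ac, regenerate so it shows here next to the existing "[default=no]" on the hardcode-path entry.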
@@ -4448,7 +4448,7 @@ if test ${enable_bind_now+y}
then :
enableval=$enable_bind_now; bindnow=$enableval
else $as_nop
- bindnow=no
+ bindnow=yes
fi
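Review bot: No logic issue with the flipped default in this hunk; tracing the three cases: --disable-bind-now sets enable_bind_now=no so bindnow=no, an explicit --enable-bind-now gives bindnow=yes, and with neither option bindnow now defaults to yes, which is the behaviour the commit message describes. Only confirm this is regenerated from the configure.ac hunk below rather than edited by hand.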
diff --git a/configure.ac b/configure.ac
index d85452b3b3..6fc72df700 100644
--- a/configure.ac
+++ b/configure.ac
@@ -213,10 +213,10 @@ if test "x$hidden" = xno; then
fi
AC_ARG_ENABLE([bind-now],
- AS_HELP_STRING([--enable-bind-now],
- [disable lazy relocations in DSOs]),
+ AS_HELP_STRING([--disable-bind-now],
+ [enable lazy relocations in DSOs]),
[bindnow=$enableval],
- [bindnow=no])
+ [bindnow=yes])
AC_SUBST(bindnow)
if test "x$bindnow" = xyes; then
AC_DEFINE(BIND_NOW)
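Review bot: With the default now [bindnow=yes], the unchanged check `if test "x$bindnow" = xyes; then` means any value other than exactly yes given via --enable-bind-now=VALUE (for example =true) leaves bindnow set to that string and silently drops BIND_NOW, which matters more now that users will assume the hardening is on by default; consider rejecting anything other than yes/no with AC_MSG_ERROR, or normalising the value. Also consider appending [default=yes] to the AS_HELP_STRING so the generated help shows the default the way the neighbouring hardcode-path option's "[default=no]" does.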
diff --git a/manual/install.texi b/manual/install.texi
index b1aa5eb60c..ae43dc51ac 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -231,11 +231,10 @@ options to detect stack overruns. Only the dynamic linker and a small
number of routines called directly from assembler are excluded from this
protection. This option is enabled by default and set to @option{strong}.
-@item --enable-bind-now
-Disable lazy binding for installed shared objects and programs. This
-provides additional security hardening because it enables full RELRO
-and a read-only global offset table (GOT), at the cost of slightly
-increased program load times.
+@item --disable-bind-now
+Enable lazy binding for installed shared objects and programs. Lazy binding
+may improve program load times but it will disable security hardening that
+enables full RELRO and a read-only global offset table (GOT).
@pindex pt_chown
@findex grantpt
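Review bot: The rewritten @item --disable-bind-now text drops any statement of the default, while the @option{strong} paragraph just above keeps its "enabled by default" sentence; add "Lazy binding is disabled by default." Also the last sentence reads as if the hardening causes RELRO rather than the reverse ("security hardening that enables full RELRO"); suggest "Lazy binding may slightly improve program load times, but it forgoes the hardening provided by full RELRO and a read-only global offset table (GOT)." Since INSTALL is generated from this file, the same fix propagates there on regeneration.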
--
2.41.0