Makefile: Add security compiling flags (RELRO)

Add "-Wl,-z,relro" (Partial RELRO) in COMMON_FLAGS and LDFLAGS
to support RELRO (RELocation Read-Only).
It is used to defend against GOT-Overwrite attack by removeing write permission.

Change-Id: If15e159d5b2e5ad1a07e54098ac9051581881abe
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>

diff --git a/Makefile b/Makefile
index cb22a93..6ce906c 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -29,11 +29,13 @@ COMMON_FLAGS += -O2 -c \
        -fPIE \
        -Wformat -Wformat-security -Wno-format-nonliteral \
        -Wall -Wextra -Werror \
-       -Ikafel/include
+       -Ikafel/include \
+       -Wl,-z,relro
 
 CXXFLAGS += $(USER_DEFINES) $(COMMON_FLAGS) $(shell pkg-config --cflags protobuf) \
        -std=c++11 -fno-exceptions -Wno-unused -Wno-unused-parameter
-LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf)
+LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf) \
+          -Wl,-z,relro
 
 BIN = nsjail
 LIBS = kafel/libkafel.a