From: Unsung Lee <unsung.lee@samsung.com>
Date: Fri, 24 Nov 2023 12:41:42 +0000 (+0900)
Subject: Makefile: Add security compiling flags (RELRO)
X-Git-Tag: accepted/tizen/8.0/unified/20231128.175444~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5b607192609fd88469189dbd9fd40f9a8a6978a3;p=platform%2Fupstream%2Fnsjail.git

Makefile: Add security compiling flags (RELRO)

Add "-Wl,-z,relro" (Partial RELRO) in COMMON_FLAGS and LDFLAGS
to support RELRO (RELocation Read-Only).
It is used to defend against GOT-Overwrite attack by removeing write permission.

Change-Id: If15e159d5b2e5ad1a07e54098ac9051581881abe
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
---

diff --git a/Makefile b/Makefile
index cb22a93..6ce906c 100644
--- a/Makefile
+++ b/Makefile
@@ -29,11 +29,13 @@ COMMON_FLAGS += -O2 -c \
 	-fPIE \
 	-Wformat -Wformat-security -Wno-format-nonliteral \
 	-Wall -Wextra -Werror \
-	-Ikafel/include
+	-Ikafel/include \
+	-Wl,-z,relro
 
 CXXFLAGS += $(USER_DEFINES) $(COMMON_FLAGS) $(shell pkg-config --cflags protobuf) \
 	-std=c++11 -fno-exceptions -Wno-unused -Wno-unused-parameter
-LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf)
+LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf) \
+	   -Wl,-z,relro
 
 BIN = nsjail
 LIBS = kafel/libkafel.a