From 5b607192609fd88469189dbd9fd40f9a8a6978a3 Mon Sep 17 00:00:00 2001
From: Unsung Lee <unsung.lee@samsung.com>
Date: Fri, 24 Nov 2023 21:41:42 +0900
Subject: [PATCH] Makefile: Add security compiling flags (RELRO)

Add "-Wl,-z,relro" (Partial RELRO) in COMMON_FLAGS and LDFLAGS
to support RELRO (RELocation Read-Only).
It is used to defend against GOT-Overwrite attack by removeing write permission.

Change-Id: If15e159d5b2e5ad1a07e54098ac9051581881abe
Signed-off-by: Unsung Lee <unsung.lee@samsung.com>
---
 Makefile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index cb22a93..6ce906c 100644
--- a/Makefile
+++ b/Makefile
@@ -29,11 +29,13 @@ COMMON_FLAGS += -O2 -c \
 	-fPIE \
 	-Wformat -Wformat-security -Wno-format-nonliteral \
 	-Wall -Wextra -Werror \
-	-Ikafel/include
+	-Ikafel/include \
+	-Wl,-z,relro
 
 CXXFLAGS += $(USER_DEFINES) $(COMMON_FLAGS) $(shell pkg-config --cflags protobuf) \
 	-std=c++11 -fno-exceptions -Wno-unused -Wno-unused-parameter
-LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf)
+LDFLAGS += -pie -Wl,-z,noexecstack -lpthread $(shell pkg-config --libs protobuf) \
+	   -Wl,-z,relro
 
 BIN = nsjail
 LIBS = kafel/libkafel.a
-- 
2.7.4