Add --enable-memory-sealing configure options

It allows all libraries, programs, and the testsuite in glibc to be built with memory sealing if the toochain supports it. The default mode is to disable it. Checked on aarch64-linux-gnu and x86_64-linux-gnu.
2024-12-06 14:37:55 -03:00 · 2024-12-06 14:37:55 -03:00 · 7fec24327c
parent 804c23c942
commit 7fec24327c
8 changed files with 124 additions and 6 deletions
--- a/6
+++ b/6
@ -251,6 +251,12 @@ passed to 'configure'.  For example:
     Disable using 'scv' instruction for syscalls.  All syscalls will
     use 'sc' instead, even if the kernel supports 'scv'.  PowerPC only.

+'--enable-memory-sealing'
+     Build glibc libraries, programs, and the testsuite with memory
+     sealing support (GNU_PROPERTY_MEMORY_SEAL).  It does not disable
+     support for memory sealing, which will still be applied if the
+     program has the attribute.
+
 '--build=BUILD-SYSTEM'
 '--host=HOST-SYSTEM'
     These options are for cross-compiling.  If you specify both options
--- a/19
+++ b/19
@ -389,6 +389,21 @@ dt-relr-ldflag =
 no-dt-relr-ldflag =
 endif

+# Linker options to enable and disable memory sealing (GNU_PROPERTY_MEMORY_SEAL),
+# if --enable--memory-sealing is used explicit enable memory sealing for the case
+# the linker defaults to it.
+ifeq ($(have-z-memory-seal),yes)
+no-memory-seal-ldflag = -Wl,-z,nomemory-seal
+ifeq ($(enable-memory-seal),yes)
+memory-seal-ldflag = -Wl,-z,memory-seal
+else
+memory-seal-ldflag = $(no-memory-seal-ldflag)
+endif
+else
+memory-seal-ldflag =
+no-memory-seal-ldflag =
+endif
+
 ifeq (no,$(build-pie-default))
 pie-default = $(no-pie-ccflag)
 else # build-pie-default
@ -433,6 +448,7 @@ link-extra-libs-tests = $(libsupport)
 ifndef +link-pie
 +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \
 	     $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+	     $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	     -Wl,-O1 -nostdlib -nostartfiles \
 	     $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
 	     $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
@ -466,6 +482,7 @@ ifndef +link-static
 +link-static-before-inputs = -nostdlib -nostartfiles -static \
 	      $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \
 	      $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(static-pie-dt-relr-ldflag)) \
+	      $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	      $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F))  \
 	      $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \
 	      $(+preinit) $(+prectorT)
@ -542,7 +559,7 @@ endif  # +link
 # Command for linking test programs with crt1.o from glibc 2.0.
 +link-2.0-before-inputs = -nostdlib -nostartfiles $(no-pie-ldflag) \
 	      $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
-	      $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
+	      $(relro-LDFLAGS) $(memory-seal-ldflag) $(hashstyle-LDFLAGS) \
 	      $(firstword $(CRT-$(@F)) $(csu-objpfx)$(start-name-2.0)) \
 	      $(+preinit) $(+prector)
 +link-2.0-before-libc = -o $@ $(+link-2.0-before-inputs) \
--- a/2
+++ b/2
@ -544,6 +544,7 @@ define build-shlib-helper
 $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \
 	  $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \
 	  $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+	  $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	  $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \
 	  $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \
 	  -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \
@ -560,6 +561,7 @@ define build-module-helper
 $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \
 	  $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \
 	  $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+	  $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	  -B$(csu-objpfx) $(load-map-file) \
 	  $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \
 	  $(link-test-modules-rpath-link) \
--- a/3
+++ b/3
@ -23,6 +23,9 @@ Major new features:
  memory sealing will not be applied for its dependencies (and even if the
  objects has the memory sealing attribute).

+* A new configure option, "--enable-memory-sealing", can be used to build
+  the GNU C Library libraries and programs with memory sealing.
+
 Deprecated and removed features, and other changes affecting compatibility:

  [Add deprecations, removals and changes affecting compatibility here]
--- a/57
+++ b/57
@ -820,6 +820,7 @@ enable_mathvec
 enable_cet
 enable_scv
 enable_fortify_source
+enable_memory_sealing
 with_cpu
 '
      ac_precious_vars='build_alias
@ -1505,6 +1506,8 @@ Optional Features:
                          Use -D_FORTIFY_SOURCE=[1|2|3] to control code
                          hardening, defaults to highest possible value
                          supported by the build compiler.
+  --enable-memory-sealing Build glibc libraries, programs, and the testsuite
+                          with memory sealing [default=no]

 Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@ -4883,6 +4886,16 @@ case "$enable_fortify_source" in
 *) as_fn_error $? "Not a valid argument for --enable-fortify-source: \"$enable_fortify_source\"" "$LINENO" 5;;
 esac

+# Check whether --enable-memory-sealing was given.
+if test ${enable_memory_sealing+y}
+then :
+  enableval=$enable_memory_sealing; enable_memory_sealing=$enableval
+else case e in #(
+  e) enable_memory_sealing=no ;;
+esac
+fi
+
+
 # We keep the original values in `$config_*' and never modify them, so we
 # can write them unchanged into config.make.  Everything else uses
 # $machine, $vendor, and $os, and changes them whenever convenient.
@ -7410,6 +7423,49 @@ printf "%s\n" "$libc_cv_fpie" >&6; }



+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for linker that supports -z memory-seal" >&5
+printf %s "checking for linker that supports -z memory-seal... " >&6; }
+libc_linker_feature=no
+cat > conftest.c <<EOF
+int _start (void) { return 42; }
+EOF
+if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
+		  -Wl,-z,memory-seal -nostdlib -nostartfiles
+		  -fPIC -shared -o conftest.so conftest.c
+		  1>&5'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }
+then
+  if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -Wl,-z,memory-seal -nostdlib \
+      -nostartfiles -fPIC -shared -o conftest.so conftest.c 2>&1 \
+      | grep "warning: -z memory-seal ignored" > /dev/null 2>&1; then
+    true
+  else
+    libc_linker_feature=yes
+  fi
+fi
+rm -f conftest*
+if test $libc_linker_feature = yes; then
+  libc_cv_z_memory_seal=yes
+else
+  libc_cv_z_memory_seal=no
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libc_linker_feature" >&5
+printf "%s\n" "$libc_linker_feature" >&6; }
+# Enable memory-sealing iff it is available and glibc is not configured
+# with --disable-defautl-memory-sealing
+if test "$libc_cv_z_memory_seal" = no; then
+  default_memory_sealing=no
+fi
+config_vars="$config_vars
+have-z-memory-seal = $libc_cv_z_memory_seal"
+config_vars="$config_vars
+enable-memory-seal = $enable_memory_sealing"
+
+
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GLOB_DAT reloc" >&5
 printf %s "checking for GLOB_DAT reloc... " >&6; }
 if test ${libc_cv_has_glob_dat+y}
@ -8945,7 +9001,6 @@ load-address-ldflag = $libc_cv_load_address_ldflag"

 # Check if compilers support GCS in branch protection:

-
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler supports -mbranch-protection=gcs" >&5
 printf %s "checking if compiler supports -mbranch-protection=gcs... " >&6; }
 if test ${libc_cv_cc_gcs+y}
--- a/configure.ac
+++ b/configure.ac
@ -440,6 +440,12 @@ case "$enable_fortify_source" in
 *) AC_MSG_ERROR([Not a valid argument for --enable-fortify-source: "$enable_fortify_source"]);;
 esac

+AC_ARG_ENABLE([memory-sealing],
+	      AS_HELP_STRING([--enable-memory-sealing],
+			     [Build glibc libraries, programs, and the testsuite with memory sealing @<:@default=no@:>@]),
+	      [enable_memory_sealing=$enableval],
+	      [enable_memory_sealing=no])
+
 # We keep the original values in `$config_*' and never modify them, so we
 # can write them unchanged into config.make.  Everything else uses
 # $machine, $vendor, and $os, and changes them whenever convenient.
@ -1360,6 +1366,19 @@ LIBC_TRY_CC_OPTION([-fpie], [libc_cv_fpie=yes], [libc_cv_fpie=no])

 AC_SUBST(libc_cv_fpie)

+LIBC_LINKER_FEATURE([-z memory-seal],
+		    [-Wl,-z,memory-seal],
+		    [libc_cv_z_memory_seal=yes],
+		    [libc_cv_z_memory_seal=no])
+# Enable memory-sealing iff it is available and glibc is not configured
+# with --disable-defautl-memory-sealing
+if test "$libc_cv_z_memory_seal" = no; then
+  default_memory_sealing=no
+fi
+LIBC_CONFIG_VAR([have-z-memory-seal], [$libc_cv_z_memory_seal])
+LIBC_CONFIG_VAR([enable-memory-seal], [$enable_memory_sealing])
+
+
 AC_CACHE_CHECK(for GLOB_DAT reloc,
 	       libc_cv_has_glob_dat, [dnl
 cat > conftest.c <<EOF
--- a/elf/Makefile
+++ b/elf/Makefile
@ -1502,6 +1502,7 @@ $(objpfx)ld.so: $(objpfx)librtld.os $(ld-map)
 	$(LINK.o) -nostdlib -nostartfiles -shared -o $@.new		\
 		  $(LDFLAGS-rtld) -Wl,-z,defs $(z-now-$(bind-now))	\
 		  $(dt-relr-ldflag) \
+		  $(memory-seal-ldflag) \
 		  $(filter-out $(map-file),$^) $(load-map-file)		\
 		  -Wl,-soname=$(rtld-installed-name)
 	$(call after-link,$@.new)
@ -1842,6 +1843,7 @@ $(objpfx)nodlopen2.out: $(objpfx)nodlopenmod2.so
 $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so
 	$(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \
 		  $(dt-relr-ldflag) \
+		  $(memory-seal-ldflag) \
 		  -L$(subst :, -L,$(rpath-link)) \
 		  -Wl,-rpath-link=$(rpath-link) \
 		  $< -Wl,-F,$(objpfx)filtmod2.so
@ -2466,6 +2468,7 @@ $(objpfx)tst-audit17.out: $(objpfx)tst-auditmod17.so
 # intended, so it uses an explicit link rule.
 $(objpfx)tst-auditmod17.so: $(objpfx)tst-auditmod17.os
 	$(CC) -nostdlib -nostartfiles -shared -o $@.new \
+	$(memory-seal-ldflag) \
 	$(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@ -2526,12 +2529,13 @@ $(objpfx)tst-audit24bmod1: $(objpfx)tst-audit24bmod2.so
 # against libc.so.
 $(objpfx)tst-audit24bmod1.so: $(objpfx)tst-audit24bmod1.os
 	$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod1.os \
-	  -Wl,-z,now
+	  -Wl,-z,now $(memory-seal-ldflag)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
 CFLAGS-.os += $(call elide-stack-protector,.os,tst-audit24bmod1)
 $(objpfx)tst-audit24bmod2.so: $(objpfx)tst-audit24bmod2.os
-	$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod2.os
+	$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod2.os \
+	  $(memory-seal-ldflag)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
 CFLAGS-.os += $(call elide-stack-protector,.os,tst-audit24bmod2)
@ -2691,7 +2695,7 @@ $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so
 # artificial, large note in tst-big-note-lib.o and invalidate the
 # test.
 $(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o
-	$(LINK.o) -shared -o $@ $(LDFLAGS.so) $(dt-relr-ldflag) $<
+	$(LINK.o) -shared -o $@ $(LDFLAGS.so) $(dt-relr-ldflag) $(memory-seal-ldflag) $<

 $(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so

@ -2998,6 +3002,7 @@ $(objpfx)tst-ro-dynamic-mod.so: $(objpfx)tst-ro-dynamic-mod.os \
  tst-ro-dynamic-mod.map
 	$(LINK.o) -nostdlib -nostartfiles -shared -o $@ \
 		$(dt-relr-ldflag) \
+		$(memory-seal-ldflag) \
 		-Wl,--script=tst-ro-dynamic-mod.map \
 		$(objpfx)tst-ro-dynamic-mod.os

@ -3088,6 +3093,7 @@ $(objpfx)tst-relr2: $(objpfx)tst-relr-mod2.so
 $(objpfx)tst-relr-mod2.so: $(objpfx)tst-relr-mod2.os
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) \
+	$(memory-seal-ldflag) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@ -3098,6 +3104,7 @@ $(objpfx)tst-relr3: $(objpfx)tst-relr-mod3a.so
 $(objpfx)tst-relr-mod3b.so: $(objpfx)tst-relr-mod3b.os
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) \
+	$(memory-seal-ldflag) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@ -3106,6 +3113,7 @@ $(objpfx)tst-relr-mod3a.so: $(objpfx)tst-relr-mod3a.os \
  $(objpfx)tst-relr-mod3b.so
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) $(LDFLAGS-rpath-ORIGIN) \
+	$(memory-seal-ldflag) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@ -3116,6 +3124,7 @@ $(objpfx)tst-relr4: $(objpfx)tst-relr-mod4a.so
 $(objpfx)tst-relr-mod4b.so: $(objpfx)tst-relr-mod4b.os
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) \
+	$(memory-seal-ldflag) \
 	-Wl,--version-script=tst-relr-mod4b.map \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
@ -3124,6 +3133,7 @@ $(objpfx)tst-relr-mod4b.so: $(objpfx)tst-relr-mod4b.os
 $(objpfx)tst-relr-mod4a.so: $(objpfx)tst-relr-mod4a.os \
  $(objpfx)tst-relr-mod4b.so
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
+	$(memory-seal-ldflag) \
 	$(LDFLAGS-soname-fname) $(LDFLAGS-rpath-ORIGIN) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
@ -3248,7 +3258,7 @@ $(objpfx)tst-env-setuid-static.out: $(objpfx)tst-sonamemove-runmod1.so
 # We do not use $(link-test-modules-rpath-link) since the object has no
 # DT_NEEDED.
 $(objpfx)tst-nodeps1-mod.so: $(objpfx)tst-nodeps1-mod.os
-	$(LINK.o) -nostartfiles -nostdlib -shared -o $@ $^
+	$(LINK.o) -nostartfiles -nostdlib -shared $(memory-seal-ldflag) -o $@ $^
 tst-nodeps1.so-no-z-defs = yes
 # Link libc.so before the test module with the IFUNC resolver reference.
 LDFLAGS-tst-nodeps1 = $(common-objpfx)libc.so $(objpfx)tst-nodeps1-mod.so
@ -3400,6 +3410,7 @@ CFLAGS-tst-nolink-libc.c += $(no-stack-protector) \
 -fno-exceptions -fno-unwind-tables -fno-asynchronous-unwind-tables
 $(objpfx)tst-nolink-libc-1: $(objpfx)tst-nolink-libc.o $(objpfx)ld.so
 	$(LINK.o) -nostdlib -nostartfiles -o $@ $< \
+	  $(memory-seal-ldflag) \
 	  -Wl,--dynamic-linker=$(objpfx)ld.so,--no-as-needed $(objpfx)ld.so
 $(objpfx)tst-nolink-libc-1.out: $(objpfx)tst-nolink-libc-1 $(objpfx)ld.so
 	$< > $@ 2>&1; $(evaluate-test)
--- a/manual/install.texi
+++ b/manual/install.texi
@ -280,6 +280,11 @@ C++ libraries.
 Disable using @code{scv} instruction for syscalls. All syscalls will use
@code{sc} instead, even if the kernel supports @code{scv}. PowerPC only.

+@item --disable-default-memory-seal
+Don't build glibc libraries, programs, and the testsuite with
+memory sealing support (@code{GNU_PROPERTY_MEMORY_SEAL}).  By default,
+memory sealing is enabled if toolchain suports the linker option.
+
@item --build=@var{build-system}
@itemx --host=@var{host-system}
 These options are for cross-compiling.  If you specify both options and