= Proposed System Wide Change: Build non-RELRO ELF binaries with .plt.got isolation =

https://fedoraproject.org/wiki/Changes/.plt.got_Isolation

Owner(s):
* Florian Weimer <fweimer at redhat dot com>

Fedora 23 enabled hardening for all packages. However, some ELF binaries still use lazy binding. This change proposes additional hardening for them.

== Detailed description ==

With the RELRO and BIND_NOW dynamic linker features, it is possible to make the array of function pointers which is used to implement dynamic linking (the GOT) read-only at run time. This makes it harder for exploit writers to overwrite these function pointers and redirect execution.

However, some ELF binaries are still built and linked without these hardening features. Sometimes this is due to package maintainer preferences. Sometimes there are technical reasons which preclude the use of BIND_NOW because of the way the application is written: it relies on lazy binding.

This change proposes to link ELF binaries in such a way that the <code>.plt.got</code> section is loaded as a separate page at run time. As a result, it is possible to use a kernel feature called [http://man7.org/linux/man-pages/man7/pkeys.7.html memory protection keys] to make the GOT with its function pointer array read-only most of the time. When the dynamic linker needs to perform a function symbol binding, it can make the GOT temporarily writable, for the current thread only.

Memory protection keys are currently available with the POWER architecture (starting with POWER7), and on select Intel server CPUs. At this time, only a subset of Fedora systems will benefit from this hardening, so the recommendation to link with RELRO/BIND_NOW remains.

== Scope ==

* Proposal owners:
** We will work with the binutils maintainer to implement this change in the linker, and enable it by default. (RELRO/BIND_NOW will automatically disable it because it is not needed there.)
** The glibc dynamic linker will be updated to use this new feature. This feature will likely arrive after the glibc 2.28 upstream release, but it can be backported to Fedora because there is no ABI impact.
* Other developers: In the unlikely case that an application relies on GOT patching, it will have to specify a linker flag to disable this security hardening.
* Release engineering: [https://pagure.io/releng/issue/7575 #7575] (no release engineering impact is expected)
** List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: The packaging guidelines regarding build flags will not be updated. RELRO/BIND_NOW remains the recommended approach.
* Trademark approval: N/A (not needed for this Change)

-- 
Jan Kuřík
JBoss EAP Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/T2MQGAMHWEMYTN6JHCAD3YTXB5S4ZVJM/
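The mechanism the description sketches, as an added example that is not part of the proposal, of binutils or of the glibc implementation: a page-aligned stand-in for an isolated <code>.plt.got</code> is covered by a protection key with writes disabled, opened only for the duration of a lazy-binding slot update, and falls back to plain mprotect on systems without pkeys (the fallback is process-wide and costs a syscall per transition, which is exactly what the per-thread key avoids). The names <code>got_page</code>, <code>got_bind</code> and <code>got_demo</code> are hypothetical.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>
typedef long (*slot_fn)(long);            /* one GOT entry: a function pointer */
static long target_double(long x) { return 2 * x; }
struct got_page { void *base; size_t len; int pkey; }; /* pkey < 0: mprotect fallback */

static int got_map(struct got_page *g) {
    g->len = (size_t)sysconf(_SC_PAGESIZE);   /* the GOT gets a page of its own */
    g->base = mmap(NULL, g->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g->base == MAP_FAILED) return -1;
    g->pkey = -1;
#ifdef PKEY_DISABLE_WRITE
    /* Kernel/CPU support is the "subset of systems" case; failing here is not fatal. */
    int k = pkey_alloc(0, 0);
    if (k >= 0 && pkey_mprotect(g->base, g->len, PROT_READ | PROT_WRITE, k) == 0)
        g->pkey = k;
    else if (k >= 0) pkey_free(k);
#endif
    return 0;
}
/* With pkeys, lock/unlock is a per-thread register write, not a process-wide syscall. */
static int got_lock(struct got_page *g) {
#ifdef PKEY_DISABLE_WRITE
    if (g->pkey >= 0) return pkey_set(g->pkey, PKEY_DISABLE_WRITE);
#endif
    return mprotect(g->base, g->len, PROT_READ);
}
static int got_unlock(struct got_page *g) {
#ifdef PKEY_DISABLE_WRITE
    if (g->pkey >= 0) return pkey_set(g->pkey, 0);
#endif
    return mprotect(g->base, g->len, PROT_READ | PROT_WRITE);
}
/* Lazy binding: the GOT is writable only while the slot is being filled in. */
static int got_bind(struct got_page *g, size_t slot, slot_fn fn) {
    if (got_unlock(g) != 0) return -1;
    ((slot_fn *)g->base)[slot] = fn;
    return got_lock(g);
}
/* Maps, locks, binds slot 0 and calls through it. Returns the call result or -1. */
long got_demo(int *used_pkeys) {
    struct got_page g;
    if (got_map(&g) != 0 || got_lock(&g) != 0) return -1;
    if (got_bind(&g, 0, target_double) != 0) return -1;
    long r = ((slot_fn *)g.base)[0](21);  /* reads stay allowed under PKEY_DISABLE_WRITE */
    *used_pkeys = g.pkey >= 0;
    munmap(g.base, g.len);
    return r;
}
```

After <code>got_lock</code>, a stray store into the page faults with SIGSEGV in either mode; the difference is that the pkeys path never changes the page tables and affects only the calling thread.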