diff mbox

Document that --enable-static-pie implies PIE

Message ID CAMe9rOqsReMyxFagnE=ApiWUvZHtOT17LXS-_e4N6BT-ycPkPA@mail.gmail.com
State New, archived
Headers show

Commit Message

H.J. Lu Dec. 19, 2017, 9:24 p.m. UTC
On Tue, Dec 19, 2017 at 12:46 PM, Jonathan Nieder <jrnieder@gmail.com> wrote:
> H.J. Lu wrote:
>> On Tue, Dec 19, 2017 at 11:35 AM, Jonathan Nieder <jrnieder@gmail.com> wrote:
>
>>> When the new text says that dynamic PIE is created by default, what does
>>> that mean?  Does it mean that my executables will automatically act as
>>> though I passed -fPIE by default when I link them or that support for
>>> -fPIE will be included in glibc?  If the latter, is it saying that such
>>> support will be included in the glibc distribution by default but that I
>>> can turn it off?  i.e. what is the option to unset this default, or what
>>> would be the option to turn it on if I don't --enable-static-pie?
>>
>> How about
>>
>> This option also implies that glibc programs and tests are created as
>> dynamic position independent executable (PIE) by default.
>
> With s/executable/executables/, LGTM.

This is the patch I am checking in.

>>> Unrelated: while I'm reading this text
>>>
>>>>  Static PIE is similar to static executable,
>>>
>>> This is missing an article.
> [...]
>> Can you submit a separate patch?
>
> Sure thing.  Will try to find time to send one tonight.
>

Thanks.

Comments

Jonathan Nieder Dec. 19, 2017, 9:43 p.m. UTC | #1
H.J. Lu wrote:

> This is the patch I am checking in.

Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Thanks.
diff mbox

Patch

From b3439b169b3e7740b2ade1083313574ffb616f82 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Tue, 19 Dec 2017 10:47:10 -0800
Subject: [PATCH] Document that --enable-static-pie implies PIE

To build static PIE, all .o files are compiled with -fPIE.  Since
--enable-static-pie is designed to provide additional security hardening
benefits, it also implies that glibc programs and tests are created as
dynamic position independent executables (PIE) by default for better
security hardening.

	* manual/install.texi: Document that --enable-static-pie
	implies PIE.
	* INSTALL: Regenerated.
---
 INSTALL             | 4 +++-
 manual/install.texi | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/INSTALL b/INSTALL
index 9a1404bd3c..42508e69dc 100644
--- a/INSTALL
+++ b/INSTALL
@@ -93,7 +93,9 @@  will be used, and CFLAGS sets optimization options for the compiler.
      programs as well as static tests are built as static PIE, except
      for those marked with no-pie.  The resulting glibc can be used with
      the GCC option, -static-pie, which is available with GCC 8 or
-     above, to create static PIE.
+     above, to create static PIE. This option also implies that glibc
+     programs and tests are created as dynamic position independent
+     executables (PIE) by default.
 
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
diff --git a/manual/install.texi b/manual/install.texi
index fb956b5d6a..50e6c35050 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -123,7 +123,8 @@  address without help from a dynamic linker.  All static programs as
 well as static tests are built as static PIE, except for those marked
 with no-pie.  The resulting glibc can be used with the GCC option,
 -static-pie, which is available with GCC 8 or above, to create static
-PIE.
+PIE.  This option also implies that glibc programs and tests are created
+as dynamic position independent executables (PIE) by default.
 
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
-- 
2.14.3