Closed raffaem closed 1 year ago
I'm trying to package the pre-compiled libraries for the AUR.
But namcap laments those files lack FULL RELRO:
```
➜ namcap sqlean-libs-0.21.8-1-x86_64.pkg.tar.zst
sqlean-libs W: ELF file ('usr/lib/sqlean/crypto.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/define.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/fileio.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/fuzzy.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/ipaddr.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/math.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/regexp.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/sqlean.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/stats.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/text.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/unicode.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/uuid.so') lacks FULL RELRO, check LDFLAGS.
sqlean-libs W: ELF file ('usr/lib/sqlean/vsv.so') lacks FULL RELRO, check LDFLAGS.
```
Which is confirmed by checksec:
```
➜ checksec --file=./src/crypto.so
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled DSO No RPATH No RUNPATH 127 Symbols Yes 1 ./src/crypto.so
```
I believe they should be compiled with `-z,relro,-z,now` gcc options. See for example: https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro