cmd/link: support full relro

Most Linux distributions today enable PIE and full RELRO on all binaries
to make exploitation harder. When buildmode=pie is used we enable full
relro as that is probably what most people want regardless.

This introduces a negligible startup time for binaries.

https://fedoraproject.org/wiki/Changes/Harden_All_Packages
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

Related #44480

Author: Foxboron

src/cmd/go/internal/work/security.go

@@ -206,7 +206,7 @@ var validLinkerFlags = []*lazyregexp.Regexp{
 	re(`-Wl,--(no-)?warn-([^,]+)`),
 	re(`-Wl,-?-wrap[=,][^,@\-][^,]*`),
 	re(`-Wl,-z,(no)?execstack`),
-	re(`-Wl,-z,relro`),
+	re(`-Wl,-z,relro(,-z,now)?`),
 
 	re(`[a-zA-Z0-9_/].*\.(a|o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
 	re(`\./.*\.(a|o|obj|dll|dylib|so)`),

src/cmd/go/internal/work/security_test.go

@@ -149,6 +149,8 @@ var goodLinkerFlags = [][]string{
 	{"-Wl,--just-symbols,foo"},
 	{"-Wl,--warn-error"},
 	{"-Wl,--no-warn-error"},
+	{"-Wl,-z,relro"},
+	{"-Wl,-z,relro,-z,now"},
 	{"foo.so"},
 	{"_世界.dll"},
 	{"./x.o"},
@@ -224,6 +226,7 @@ var badLinkerFlags = [][]string{
 	{"-Wl,-R,foo,bar"},
 	{"-Wl,-R,@foo"},
 	{"-Wl,--just-symbols,@foo"},
+	{"-Wl,-z,relro,-z,nottoday"},
 	{"../x.o"},
 }
 

src/cmd/link/doc.go

@@ -85,6 +85,8 @@ Flags:
 		instead of $GOROOT/pkg/$GOOS_$GOARCH.
 	-k symbol
 		Set field tracking symbol. Use this flag when GOEXPERIMENT=fieldtrack is set.
+	-l
+		Disable Full RELRO.
 	-libgcc file
 		Set name of compiler support library.
 		This is only used in internal link mode.

src/cmd/link/internal/ld/lib.go

@@ -1299,6 +1299,17 @@ func (ctxt *Link) hostlink() {
 		return argv
 	}
 
+	// Enables Full/Partial RELRO.
+	addRELROargs := func(argv []string) []string {
+		relro := "-Wl,-z,relro"
+		// Enable Full RELRO
+		if !*FlagL {
+			relro += ",-z,now"
+		}
+		argv = append(argv, relro)
+		return argv
+	}
+
 	switch ctxt.BuildMode {
 	case BuildModeExe:
 		if ctxt.HeadType == objabi.Hdarwin {
@@ -1315,7 +1326,7 @@ func (ctxt *Link) hostlink() {
 		default:
 			// ELF.
 			if ctxt.UseRelro() {
-				argv = append(argv, "-Wl,-z,relro")
+				argv = addRELROargs(argv)
 			}
 			argv = append(argv, "-pie")
 		}
@@ -1324,7 +1335,7 @@ func (ctxt *Link) hostlink() {
 			argv = append(argv, "-dynamiclib")
 		} else {
 			if ctxt.UseRelro() {
-				argv = append(argv, "-Wl,-z,relro")
+				argv = addRELROargs(argv)
 			}
 			argv = append(argv, "-shared")
 			if ctxt.HeadType == objabi.Hwindows {
@@ -1341,15 +1352,15 @@ func (ctxt *Link) hostlink() {
 		}
 	case BuildModeShared:
 		if ctxt.UseRelro() {
-			argv = append(argv, "-Wl,-z,relro")
+			argv = addRELROargs(argv)
 		}
 		argv = append(argv, "-shared")
 	case BuildModePlugin:
 		if ctxt.HeadType == objabi.Hdarwin {
 			argv = append(argv, "-dynamiclib")
 		} else {
 			if ctxt.UseRelro() {
-				argv = append(argv, "-Wl,-z,relro")
+				argv = addRELROargs(argv)
 			}
 			argv = append(argv, "-shared")
 		}

src/cmd/link/internal/ld/main.go

@@ -85,6 +85,7 @@ var (
 	flagN             = flag.Bool("n", false, "dump symbol table")
 	FlagS             = flag.Bool("s", false, "disable symbol table")
 	FlagW             = flag.Bool("w", false, "disable DWARF generation")
+	FlagL             = flag.Bool("l", false, "disable full RELRO")
 	flag8             bool // use 64-bit addresses in symbol table
 	flagInterpreter   = flag.String("I", "", "use `linker` as ELF dynamic linker")
 	FlagDebugTramp    = flag.Int("debugtramp", 0, "debug trampolines")