Full/Partial RELRO
Not so much of a bug as a suggestion for better security. I noticed you compile all of the binaries with Canary, Stack Protection, PIE, etc but RELRO (full or partial) is not used. Any reason for this?
There’s a good write up on RELRO over at http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html
Would be happy to talk to some of your people about it, just a suggestion that I think would make Alpine even more secure. Keep up the good work :-)
Blake Self
(from redmine: issue id 2614, created on 2014-01-26, closed on 2014-07-16)
- Changesets:
- Revision e89835b7 by Timo Teräs on 2014-03-25T10:03:38Z:
main/gcc: enable relro by default
ref #2614
- Revision 029c13c8 by Timo Teräs on 2014-03-25T13:30:41Z:
main/musl: add relro support
ref #2614
- Revision 82be8474 by Timo Teräs on 2014-03-26T07:24:32Z:
main/musl: apply changes from upstream git
* remove the upstreamed confstr patch
* remove relro patch which got fixed and upstreamed, ref #2614
(the old version did not relro protect libc.so itself)
* workaround for gcc pr58245 is no longer needed as thread pointer
is always initialized and the lazy ssp init is removed