Add flags for non exec stack and read only GOT. (#2707)

rday · Risto Kankkunen · web-flow · commit 5f9fe428b7bd · 2021-04-05T19:58:04.000-07:00
Co-authored-by: Risto Kankkunen &lt;risto.kankkunen@f-secure.com&gt;
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -194,7 +194,11 @@ set(CMAKE_C_FLAGS_DEBUGOPT "")
 
 target_compile_options(${PROJECT_NAME} PRIVATE -pedantic -std=gnu99 -Wall -Werror -Wimplicit -Wunused -Wcomment -Wchar-subscripts
         -Wuninitialized -Wshadow -Wcast-qual -Wcast-align -Wwrite-strings -Wno-deprecated-declarations -Wno-unknown-pragmas -Wformat-security
-        -Wno-missing-braces -fvisibility=hidden -DS2N_EXPORTS)
+        -Wno-missing-braces -fvisibility=hidden -DS2N_EXPORTS
+        -Wa,--noexecstack
+)
+
+set(CMAKE_SHARED_LINKER_FLAGS -Wl,-z,noexecstack,-z,relro,-z,now)
 
 if(S2N_NO_PQ)
     target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_NO_PQ)
diff --git a/s2n.mk b/s2n.mk
@@ -50,6 +50,7 @@ DEFAULT_CFLAGS += -pedantic -Wall -Werror -Wimplicit -Wunused -Wcomment -Wchar-s
 
 COVERAGE_CFLAGS = -fprofile-arcs -ftest-coverage
 COVERAGE_LDFLAGS = --coverage
+LDFLAGS = -z relro -z now -z noexecstack
 
 FUZZ_CFLAGS = -fsanitize-coverage=trace-pc-guard -fsanitize=address,undefined,leak
 
