aboutsummaryrefslogtreecommitdiff
path: root/contrib/guix
diff options
context:
space:
mode:
authorfanquake <fanquake@gmail.com>2022-06-27 11:25:07 +0100
committerfanquake <fanquake@gmail.com>2022-07-28 14:30:38 +0100
commitaa87879a7707d24931132c23eb94461f9f86240b (patch)
tree3a2bb1d954d42380162330121c95cddc1fca6f8c /contrib/guix
parent3897a131d022c29301809c3d6edfcb46e100dc21 (diff)
guix: pass enable-bind-now to glibc
Both glibcs we build support `--enable-bind-now`: Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times. See: https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
Diffstat (limited to 'contrib/guix')
-rw-r--r--contrib/guix/manifest.scm8
1 files changed, 6 insertions, 2 deletions
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index cd69f9bf0e..1f3ab9ae65 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -136,7 +136,7 @@ chain for " target " development."))
#:key
(base-gcc-for-libc base-gcc)
(base-kernel-headers base-linux-kernel-headers)
- (base-libc (make-glibc-without-werror glibc-2.24))
+ (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
(base-gcc (make-gcc-rpath-link base-gcc)))
"Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
desirable for building Bitcoin Core release binaries."
@@ -523,6 +523,9 @@ inspecting signatures in Mach-O binaries.")
(define (make-glibc-with-stack-protector glibc)
(package-with-extra-configure-variable glibc "--enable-stack-protector" "all"))
+(define (make-glibc-with-bind-now glibc)
+ (package-with-extra-configure-variable glibc "--enable-bind-now" "yes"))
+
(define-public glibc-2.24
(package
(inherit glibc-2.31)
@@ -610,7 +613,8 @@ inspecting signatures in Mach-O binaries.")
((string-contains target "-linux-")
(list (cond ((string-contains target "riscv64-")
(make-bitcoin-cross-toolchain target
- #:base-libc (make-glibc-with-stack-protector (make-glibc-without-werror glibc-2.27/bitcoin-patched))))
+ #:base-libc (make-glibc-with-stack-protector
+ (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.27/bitcoin-patched)))))
(else
(make-bitcoin-cross-toolchain target)))))
((string-contains target "darwin")