Description: Add disable opposites to the security-related flags
Author: Stephen Kitt
This patch adds "no-" variants to disable the various security flags: "no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
--- a/ld/emultempl/pe.em
+++ b/ld/emultempl/pe.em
@@ -259,9 +261,11 @@
 (OPTION_ENABLE_LONG_SECTION_NAMES + 1)
 /* DLLCharacteristics flags. */
 #define OPTION_DYNAMIC_BASE (OPTION_DISABLE_LONG_SECTION_NAMES + 1)
-#define OPTION_FORCE_INTEGRITY (OPTION_DYNAMIC_BASE + 1)
+#define OPTION_NO_DYNAMIC_BASE (OPTION_DYNAMIC_BASE + 1)
+#define OPTION_FORCE_INTEGRITY (OPTION_NO_DYNAMIC_BASE + 1)
 #define OPTION_NX_COMPAT (OPTION_FORCE_INTEGRITY + 1)
-#define OPTION_NO_ISOLATION (OPTION_NX_COMPAT + 1)
+#define OPTION_NO_NX_COMPAT (OPTION_NX_COMPAT + 1)
+#define OPTION_NO_ISOLATION (OPTION_NO_NX_COMPAT + 1)
 #define OPTION_NO_SEH (OPTION_NO_ISOLATION + 1)
 #define OPTION_NO_BIND (OPTION_NO_SEH + 1)
 #define OPTION_WDM_DRIVER (OPTION_NO_BIND + 1)
@@ -271,6 +275,7 @@
 #define OPTION_NO_INSERT_TIMESTAMP (OPTION_INSERT_TIMESTAMP + 1)
 #define OPTION_BUILD_ID (OPTION_NO_INSERT_TIMESTAMP + 1)
 #define OPTION_ENABLE_RELOC_SECTION (OPTION_BUILD_ID + 1)
+#define OPTION_DISABLE_RELOC_SECTION (OPTION_ENABLE_RELOC_SECTION + 1)
 static void
 gld${EMULATION_NAME}_add_options
@@ -342,8 +347,10 @@
 {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
 {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
 {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
+ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
 {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
 {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
+ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
 {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
 {"no-seh", no_argument, NULL, OPTION_NO_SEH},
 {"no-bind", no_argument, NULL, OPTION_NO_BIND},
@@ -351,6 +358,7 @@
 {"tsaware", no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE},
 {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
 {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
+ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
 {NULL, no_argument, NULL, 0}
 };
@@ -485,9 +494,12 @@
 in object files\n"));
 fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
 address space layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
 fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
+ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
 fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
 fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
 fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
 fprintf (file, _(" --no-seh Image does not use SEH. No SE handler may\n\
 be called in this image\n"));
@@ -862,12 +874,21 @@
 case OPTION_ENABLE_RELOC_SECTION:
 pe_dll_enable_reloc_section = 1;
 break;
+ case OPTION_DISABLE_RELOC_SECTION:
+ pe_dll_enable_reloc_section = 0;
+ /* fall through */
+ case OPTION_NO_DYNAMIC_BASE:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
+ break;
 case OPTION_FORCE_INTEGRITY:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
 break;
 case OPTION_NX_COMPAT:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
 break;
+ case OPTION_NO_NX_COMPAT:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
 case OPTION_NO_ISOLATION:
 pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
 break;
--- a/ld/emultempl/pep.em
+++ b/ld/emultempl/pep.em
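Review bot: The help line added for `--disable-reloc-section` in ld/emultempl/pe.em (the `@@ -485,9 +494,12 @@` hunk) says only that the base relocation table is disabled, yet the handler added in the `@@ -862,12 +874,21 @@` hunk falls through and also clears IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE, so the image loses its ASLR marking as well. Anyone auditing a link line for hardening flags needs that side effect in the help text, for example `--disable-reloc-section Do not create the base relocation table; implies --no-dynamicbase`. The help hunk in ld/emultempl/pep.em has the same gap, and there `--no-dynamicbase` additionally clears HIGH_ENTROPY_VA without saying so.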
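Review bot: The new cases in the pe.em option switch (the `@@ -862,12 +874,21 @@` hunk) clear state only at the moment the option is parsed, so the flags in the finished image depend on command-line order: a `--dynamicbase` that follows `--disable-reloc-section` sets IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE again. The OPTION_DYNAMIC_BASE case and the rest of the switch lie outside this hunk, so it cannot be confirmed here that it also restores `pe_dll_enable_reloc_section = 1`; if it does not, the image would be marked relocatable while carrying no base relocations. A check once all options are parsed would pin the result down, e.g. `if (!pe_dll_enable_reloc_section) pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;`, ideally with a warning when it changes anything. The pep.em switch hunk has the same shape, with the dependency running on to HIGH_ENTROPY_VA.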
@@ -237,9 +240,12 @@
 OPTION_ENABLE_LONG_SECTION_NAMES,
 OPTION_DISABLE_LONG_SECTION_NAMES,
 OPTION_HIGH_ENTROPY_VA,
+ OPTION_NO_HIGH_ENTROPY_VA,
 OPTION_DYNAMIC_BASE,
+ OPTION_NO_DYNAMIC_BASE,
 OPTION_FORCE_INTEGRITY,
 OPTION_NX_COMPAT,
+ OPTION_NO_NX_COMPAT,
 OPTION_NO_ISOLATION,
 OPTION_NO_SEH,
 OPTION_NO_BIND,
@@ -248,7 +254,8 @@
 OPTION_NO_INSERT_TIMESTAMP,
 OPTION_TERMINAL_SERVER_AWARE,
 OPTION_BUILD_ID,
- OPTION_ENABLE_RELOC_SECTION
+ OPTION_ENABLE_RELOC_SECTION,
+ OPTION_DISABLE_RELOC_SECTION
 };
 static void
@@ -315,9 +322,12 @@
 {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
 {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
 {"high-entropy-va", no_argument, NULL, OPTION_HIGH_ENTROPY_VA},
+ {"no-high-entropy-va", no_argument, NULL, OPTION_NO_HIGH_ENTROPY_VA},
 {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
+ {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
 {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
 {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
+ {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
 {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
 {"no-seh", no_argument, NULL, OPTION_NO_SEH},
 {"no-bind", no_argument, NULL, OPTION_NO_BIND},
@@ -327,6 +337,7 @@
 {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP},
 {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
 {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
+ {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
 {NULL, no_argument, NULL, 0}
 };
@@ -448,11 +461,15 @@
 in object files\n"));
 fprintf (file, _(" --high-entropy-va Image is compatible with 64-bit address space\n\
 layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-high-entropy-va Image is not compatible with 64-bit ASLR\n"));
 fprintf (file, _(" --dynamicbase Image base address may be relocated using\n\
 address space layout randomization (ASLR)\n"));
+ fprintf (file, _(" --no-dynamicbase Image base address may not be relocated\n"));
 fprintf (file, _(" --enable-reloc-section Create the base relocation table\n"));
+ fprintf (file, _(" --disable-reloc-section Disable the base relocation table\n"));
 fprintf (file, _(" --forceinteg Code integrity checks are enforced\n"));
 fprintf (file, _(" --nxcompat Image is compatible with data execution prevention\n"));
+ fprintf (file, _(" --no-nxcompat Image is not compatible with data execution prevention\n"));
 fprintf (file, _(" --no-isolation Image understands isolation but do not isolate the image\n"));
 fprintf (file, _(" --no-seh Image does not use SEH; no SE handler may\n\
 be called in this image\n"));
@@ -809,12 +826,24 @@
 case OPTION_ENABLE_RELOC_SECTION:
 pep_dll_enable_reloc_section = 1;
 break;
+ case OPTION_DISABLE_RELOC_SECTION:
+ pep_dll_enable_reloc_section = 0;
+ /* fall through */
+ case OPTION_NO_DYNAMIC_BASE:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
+ /* fall through */
+ case OPTION_NO_HIGH_ENTROPY_VA:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA;
+ break;
 case OPTION_FORCE_INTEGRITY:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
 break;
 case OPTION_NX_COMPAT:
 pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
 break;
+ case OPTION_NO_NX_COMPAT:
+ pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+ break;
 case OPTION_NO_ISOLATION:
 pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
 break;
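Review bot: The two bare `/* fall through */` markers in the pep.em switch (the `@@ -809,12 +826,24 @@` hunk) encode a three-step dependency that is not written down anywhere: disabling the reloc section clears DYNAMIC_BASE, which in turn clears HIGH_ENTROPY_VA. Keep the markers, and add a comment above `case OPTION_DISABLE_RELOC_SECTION:` such as `/* Without base relocations the image cannot be rebased, so DYNAMIC_BASE and HIGH_ENTROPY_VA are cleared too; the case order below is deliberate.  */`. That keeps a later reordering or an inserted `break` from silently leaving an ASLR bit set on an image that cannot honour it. The switch begins and ends outside this hunk.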