From fac0bbe739154abb416526bdc983487c05ba0c81 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Tue, 31 Aug 2021 16:08:11 +0200
Subject: [PATCH] Build: Pass "-z separate-code" to linker This tells the linker to not combine read-only data and executable code, instead favoring multiple PT_LOAD headers with more precise permissions. This greatly reduces the amount of executable pages in all our programs and libraries. /usr/lib/libjs.so before: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x00000000 0x00000000 0x2fc77c 0x2fc77c R E 0x1000 LOAD 0x2fc900 0x002fd900 0x002fd900 0x0c708 0x0dd1c RW 0x1000 /usr/lib/libjs.so after: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x00000000 0x00000000 0x80e60 0x80e60 R 0x1000 LOAD 0x081000 0x00081000 0x00081000 0x25f6c9 0x25f6c9 R E 0x1000 LOAD 0x2e1000 0x002e1000 0x002e1000 0x1c27c 0x1c27c R 0x1000 LOAD 0x2fd900 0x002fe900 0x002fe900 0x0c708 0x0dd1c RW 0x1000 As you can see, we go from 0x2fc77c bytes of executable memory down to 0x25f6c9 (a ~20% reduction!) The memory that was previous executable is now simply read-only instead. :^)
---
CMakeLists.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 17e982b1771..ef91256ede3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -217,8 +217,8 @@ endforeach()
 set(CMAKE_INSTALL_NAME_TOOL "")
 set(CMAKE_SHARED_LIBRARY_SUFFIX ".so")
-set(CMAKE_SHARED_LIBRARY_CREATE_CXX_FLAGS "-shared -Wl,--hash-style=gnu,-z,relro,-z,now,-z,noexecstack")
-set(CMAKE_CXX_LINK_FLAGS "-Wl,--hash-style=gnu,-z,relro,-z,now,-z,noexecstack,-z,max-page-size=0x1000")
+set(CMAKE_SHARED_LIBRARY_CREATE_CXX_FLAGS "-shared -Wl,--hash-style=gnu,-z,relro,-z,now,-z,noexecstack,-z,separate-code")
+set(CMAKE_CXX_LINK_FLAGS "-Wl,--hash-style=gnu,-z,relro,-z,now,-z,noexecstack,-z,max-page-size=0x1000,-z,separate-code")
 # We disable it completely because it makes cmake very spammy.
 # This will need to be revisited when the Loader supports RPATH/RUN_PATH.
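Review bot: The shared-library line still omits `-z,max-page-size=0x1000`, which only `CMAKE_CXX_LINK_FLAGS` carries, so with `-z,separate-code` the alignment and padding between the split R / R E / R segments of every `.so` is left to the linker's default page size. The libjs.so listing in the description shows an alignment of 0x1000, so this is presumably fine on the current target, but appending `-z,max-page-size=0x1000` to `CMAKE_SHARED_LIBRARY_CREATE_CXX_FLAGS` would keep libraries and executables consistent if that default ever differs. Both strings now repeat the same hardening list with no explanation; a short comment above them, e.g. `# -z separate-code: keep read-only data out of executable PT_LOAD segments`, and a `readelf -lW` check in CI that no LOAD segment is both W and E would guard against the flags drifting apart. Only the CXX variables are visible in this hunk, so any C link flags set elsewhere in the file may need the same option.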