
chore: enable BIND_NOW when compiling Linux builds

We've hardened Linux builds by enabling PIE and RELRO,
and should continue to try hardening Linux builds by
enabling BIND_NOW. With both RELRO and BIND_NOW enabled,
we can stop all GOT overwrite attacks. The same hardening
option has been enabled in official Chrome/Chromium
builds since more than five years ago.

This helps to improve the security of a whole range of
applications built upon Electron, including sensitive ones
such as Signal-Desktop.

Signed-off-by: Tom Li <[email protected]>
Author: #DeleteGithub, 6 years ago
Commit: 9f1e674f30
1 changed file with 2 additions and 0 deletions

+ 2 - 0
electron.gyp

@@ -239,6 +239,8 @@
             'ldflags': [
               # Build as Position-Independent Executable to mitigate exploitations.
               '-pie',
+              # Enable BIND_NOW to prevent GOT overwrite attacks.
+              '-Wl,-z,now',
             ],
           },
           'cflags_cc': [
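Review bot: the new comment on `'-Wl,-z,now'` overstates what this flag does on its own; eager binding only prevents GOT overwrites when it is combined with `-z,relro`, which makes the GOT read-only after relocation, and the visible context of this hunk shows only `-pie` in the `ldflags` list. The commit message says RELRO is already enabled, so please either confirm that `'-Wl,-z,relro'` is present in the same list or add it next to `'-Wl,-z,now'`, and reword the comment to "Bind all symbols at load time so that, together with RELRO, the GOT is read-only." A quick post-build check is `readelf -l electron | grep GNU_RELRO` for the RELRO segment and `readelf -d electron | grep -E 'BIND_NOW|FLAGS_1'` for the eager-binding flag. Note also that `-z now` resolves every PLT entry at startup, so it is worth measuring launch time on a representative Linux build before landing.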