Print this page
Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.

Split Close
Expand all
Collapse all
          --- old/usr/src/man/man1/ld.1.man.txt
          +++ new/usr/src/man/man1/ld.1.man.txt
↓ open down ↓ 7 lines elided ↑ open up ↑
   8    8  SYNOPSIS
   9    9         ld [-32 | -64] [-a | -r] [-b] [-Bdirect | nodirect]
  10   10         [-B dynamic | static] [-B eliminate] [-B group] [-B local]
  11   11         [-B reduce] [-B symbolic] [-c name] [-C] [-d y | n]
  12   12         [-D token,...] [-e epsym] [-f name | -F name] [-G] [-h name]
  13   13         [-i] [-I name] [-l x] [-L path] [-m] [-M mapfile]
  14   14         [-N string] [-o outfile] [-p auditlib] [-P auditlib]
  15   15         [-Q y | n] [-R path] [-s] [-S supportlib] [-t]
  16   16         [-u symname] [-V] [-Y P,dirlist] [-z absexec]
  17   17         [-z allextract | defaultextract | weakextract ] [-z altexec64]
  18      -       [-z assert-deflib ] [ -z assert-deflib=libname ]
       18 +       [-z aslr[=state]] [-z assert-deflib] [ -z assert-deflib=libname]
  19   19         [-z combreloc | nocombreloc ] [-z defs | nodefs]
  20   20         [-z direct | nodirect] [-z endfiltee]
  21   21         [-z fatal-warnings | nofatal-warnings ] [-z finiarray=function]
  22   22         [-z globalaudit] [-z groupperm | nogroupperm]
  23   23         [-z guidance[=id1,id2...] [-z help ]
  24   24         [-z ignore | record] [-z initarray=function] [-z initfirst]
  25   25         [-z interpose] [-z lazyload | nolazyload]
  26   26         [-z ld32=arg1,arg2,...] [-z ld64=arg1,arg2,...]
  27   27         [-z loadfltr] [-z muldefs] [-z nocompstrtab] [-z nodefaultlib]
  28   28         [-z nodelete] [-z nodlopen] [-z nodump] [-z noldynsym]
↓ open down ↓ 560 lines elided ↑ open up ↑
 589  589         -z altexec64
 590  590  
 591  591             Execute the 64-bit ld. The creation of very large 32-bit objects
 592  592             can exhaust the virtual memory that is available to the 32-bit ld.
 593  593             The -z altexec64 option can be used to force the use of the
 594  594             associated 64-bit ld. The 64-bit ld provides a larger virtual
 595  595             address space for building 32-bit objects. See The 32-bit link-
 596  596             editor and 64-bit link-editor in Linker and Libraries Guide.
 597  597  
 598  598  
      599 +       -z aslr[=state]
      600 +
      601 +           Specify whether the executable's address space should be randomized
      602 +           on execution.  If state is "enabled" randomization will always
      603 +           occur when this executable is run (regardless of inherited
      604 +           settings).  If state is "disabled" randomization will never occur
      605 +           when this executable is run.  If state is omitted, ASLR is enabled.
      606 +
      607 +           An executable that should simply use the settings inherited from
      608 +           its environment should not use this flag at all.
      609 +
      610 +
 599  611         -z combreloc | nocombreloc
 600  612  
 601  613             By default, ld combines multiple relocation sections when building
 602  614             executables or shared objects. This section combination differs
 603  615             from relocatable objects, in which relocation sections are
 604  616             maintained in a one-to-one relationship with the sections to which
 605  617             the relocations must be applied. The -z nocombreloc option disables
 606  618             this merging of relocation sections, and preserves the one-to-one
 607  619             relationship found in the original relocatable objects.
 608  620  
↓ open down ↓ 694 lines elided ↑ open up ↑
1303 1315         system. Previously, all links would remain intact, with all links
1304 1316         accessing the new file contents. The new ld behavior breaks such links,
1305 1317         with the result that only the specified output file name references the
1306 1318         new file. All the other links continue to reference the old file. To
1307 1319         ensure consistent behavior, applications that rely on multiple hard
1308 1320         links to linker output files should explicitly remove and relink the
1309 1321         other file names.
1310 1322  
1311 1323  
1312 1324  
1313      -                              September 10, 2013                         LD(1)
     1325 +                                 June 6, 2016                            LD(1)
    
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX