Extend BIND_NOW to installed programs with --enable-bind-now

Commit 2d6ab5df3b ("Document and fix
--enable-bind-now [BZ #21015]") extended BIND_NOW to all installed
shared objects.  This change also covers installed programs.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

ChangeLog

@@ -1,3 +1,14 @@
+2019-04-25  Florian Weimer  <fweimer@redhat.com>
+
+	Also enable BIND_NOW for programs if --enable-bind-now.
+	* Makeconfig [$(bind-now)] (link-extra-flags): Add -Wl,-z,now.
+	(+link-pie): Use $(link-extra-flags).
+	(+link-static): Likewise.
+	[! $(build-pie-default)] (+link): Likewise.
+	* manual/install.texi (Configuring and compiling): Update
+	--enable-bind-now description.
+	* INSTALL: Regenerated.
+
 2019-04-24  Wilco Dijkstra  <wdijkstr@arm.com>
 
 	* benchtests/Makefile (BENCH_DURATION): Set to 1 second.

INSTALL

@@ -176,10 +176,10 @@ if 'CFLAGS' is specified it must enable optimization.  For example:
      protection.
 
 '--enable-bind-now'
-     Disable lazy binding for installed shared objects.  This provides
-     additional security hardening because it enables full RELRO and a
-     read-only global offset table (GOT), at the cost of slightly
-     increased program load times.
+     Disable lazy binding for installed shared objects and programs.
+     This provides additional security hardening because it enables full
+     RELRO and a read-only global offset table (GOT), at the cost of
+     slightly increased program load times.
 
 '--enable-pt_chown'
      The file 'pt_chown' is a helper binary for 'grantpt' (*note

Makeconfig

@@ -398,6 +398,8 @@ endif
 # test modules.
 ifeq ($(bind-now),yes)
 LDFLAGS-lib.so += -Wl,-z,now
+# Extra flags for dynamically linked non-test main programs.
+link-extra-flags += -Wl,-z,now
 endif
 
 # Command to run after every final link (executable or shared object).
@@ -426,7 +428,7 @@ ifndef +link-pie
 	     $(link-extra-libs)
 +link-pie-after-libc = $(+postctorS) $(+postinit)
 define +link-pie
-$(+link-pie-before-libc) $(rtld-LDFLAGS) $(link-libc) $(+link-pie-after-libc)
+$(+link-pie-before-libc) $(rtld-LDFLAGS) $(link-extra-flags) $(link-libc) $(+link-pie-after-libc)
 $(call after-link,$@)
 endef
 define +link-pie-tests
@@ -454,7 +456,7 @@ ifndef +link-static
 	      $(link-extra-libs-static)
 +link-static-after-libc = $(+postctorT) $(+postinit)
 define +link-static
-$(+link-static-before-libc) $(link-libc-static) $(+link-static-after-libc)
+$(+link-static-before-libc) $(link-extra-flags) $(link-libc-static) $(+link-static-after-libc)
 $(call after-link,$@)
 endef
 define +link-static-tests
@@ -485,7 +487,7 @@ else  # not build-pie-default
 	      $(link-extra-libs)
 +link-after-libc = $(+postctor) $(+postinit)
 define +link
-$(+link-before-libc) $(rtld-LDFLAGS) $(link-libc) $(+link-after-libc)
+$(+link-before-libc) $(rtld-LDFLAGS) $(link-extra-flags) $(link-libc) $(+link-after-libc)
 $(call after-link,$@)
 endef
 define +link-tests

NEWS

@@ -47,6 +47,9 @@ Deprecated and removed features, and other changes affecting compatibility:
 * The obsolete RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub
   resolver have been removed from <resolv.h>.
 
+* With --enable-bind-now, installed programs are now linked with the
+  BIND_NOW flag.
+
 Changes to build and runtime requirements:
 
 * GCC 6.2 or later is required to build the GNU C Library.

manual/install.texi

@@ -204,10 +204,10 @@ number of routines called directly from assembler are excluded from this
 protection.
 
 @item --enable-bind-now
-Disable lazy binding for installed shared objects.  This provides
-additional security hardening because it enables full RELRO and a
-read-only global offset table (GOT), at the cost of slightly increased
-program load times.
+Disable lazy binding for installed shared objects and programs.  This
+provides additional security hardening because it enables full RELRO
+and a read-only global offset table (GOT), at the cost of slightly
+increased program load times.
 
 @pindex pt_chown
 @findex grantpt