chore: enable BIND_NOW when compiling Linux builds

We've hardened Linux builds by enabling PIE and RELRO,
and should continue to try hardening Linux builds by
enabling BIND_NOW. With both RELRO and BIND_NOW enabled,
we can stop all GOT overwrite attacks. The same hardening
option has been enabled in official Chrome/Chromium
builds since more than five years ago.

This helps to improve the security of a whole range of
applications built upon Electron, including sensitive ones
such as Signal-Desktop.

Signed-off-by: Tom Li <tomli@tomli.me>
#DeleteGithub
2018-10-15 02:13:37 +08:00
committed by Shelley Vohr
parent 2f2761fa47
commit 9f1e674f30

@@ -239,6 +239,8 @@
'ldflags': [
# Build as Position-Independent Executable to mitigate exploitations.
'-pie',
# Enable BIND_NOW to prevent GOT overwrite attacks.
'-Wl,-z,now',
],
},
'cflags_cc': [
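
Review bot: the comment added above '-Wl,-z,now' says this flag on its own prevents GOT overwrite attacks, but eager binding only resolves the GOT entries at load time. The GOT ends up read-only only when the same link also carries RELRO, which the commit message says is already enabled but which does not appear in this ldflags list. Suggest rewording the comment to state the dependency, for example "Enable BIND_NOW so that, together with RELRO, the GOT is read-only after startup", and, if the RELRO flag lives in another block, placing '-Wl,-z,now' beside it so the two cannot drift apart. It is also worth confirming on a built binary that the dynamic section reports BIND_NOW and that a GNU_RELRO segment is present (readelf -d and readelf -l show both).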