I noticed that with hardened profile, clang does not force full relro (-Wl,-z,now) while gcc does. Is that expected?

Test can be done via a simple hello world and app-admin/checksec

# cc hello.c && checksec --file=a.out
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   24) Symbols     No      0               0               a.out

# clang hello.c && checksec --file=a.out
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   24) Symbols     No      0               0               a.out

# clang hello.c -Wl,-z,now && checksec --file=a.out
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   24) Symbols     No      0               0               a.out
Yes, this is known.

commit d7e3de5bc89f7ea17ebc0ea0a1c9ad289a29cabb
Author: Sam James <sam@gentoo.org>
Date:   Sat Aug 26 23:53:44 2023 +0100

    sys-devel/clang-common: enable relro, enable bind_now (for hardened)

    * Always enable RELRO (-Wl,-z,relro)
    * Conditionally enable BIND_NOW (-Wl,-z,now) based on USE=hardened (for parity with gcc for now)

    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/32465
    Signed-off-by: Sam James <sam@gentoo.org>

This should be the same behaviour as GCC right now.
(In reply to Sam James from comment #1) Note that this change was only made to >=17.
Well, since there aren't other bug reports about that, I'd say to keep it open until we stabilize clang-17 and then close.