From patchwork Fri Dec 6 17:37:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adhemerval Zanella X-Patchwork-Id: 847841 Delivered-To: patch@linaro.org Received: by 2002:a5d:50c2:0:b0:385:e875:8a9e with SMTP id f2csp910760wrt; Fri, 6 Dec 2024 09:40:40 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXlLTmVRk9ue9ZBinAf4T+98QtqTHTjeN2HwnwvHs0K0b+Acfs3YuVdBzlaV1VlB1WPJORBWQ==@linaro.org X-Google-Smtp-Source: AGHT+IF6V751x5bW7uzLeLC5U92JMQTsK9h4xOISn+LRhHlvr8TXJYT7b2k6eO9e5XPafMUeI03+ X-Received: by 2002:a05:6102:5108:b0:4af:c245:7512 with SMTP id ada2fe7eead31-4afcaacf83amr4993966137.22.1733506840178; Fri, 06 Dec 2024 09:40:40 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1733506840; cv=pass; d=google.com; s=arc-20240605; b=BGOhAOn1HyBtO+zr98iS2dHQsJFuT8JNzW00Q70ezeYh5Ec8z/KRbxfKMWVlkTT2hq zqBakSmlvadiX4NAn/HjOtfq/SGu4w7qSIOwlGoMpIgt05gnbKX6ps0Qs2POPSc14vSW d8AvoB9tLMd9jYUsyiWW8PEYOue2qmd8NrErc3DXAJNqt17/RuCFyIe97qqp46Y76j0R XWxnYPwrCBULrD9E3X3BEOue1eVe2/koW15aH5BbtErt2sRpv8rmpsGw7oTLk8vwZSRg gfWeYTiezo4Q0+CnJyilVjL1o3hLnHMxEmGLrad2iC7/V9s4x+B7dynkBPIqvN1q3bR+ lwFQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature:dkim-filter:arc-filter:dmarc-filter :delivered-to:dkim-filter; bh=Gyii1SQ6RIA6zHr9mbG9Ucs5EB/FhzOEAiyXBEfSolw=; fh=39H2oohB6ZYGhyKHcKf9chiYMCdt+XzUdxuRAxp69qM=; b=gCs85YvfN8Wf/ZFH9YMhRm2VKc6fixhpq4I44efa78A5wFMgiJ+aOAodqsIuo0mo5X 7r+jBPGb/nkGUm6loc8I/mrB3WLk962BuuRfhzKmFZYjuKUtpqdaklfJA7roJMSlfPPH De3ZB0/pUW4dS1uPa9/PeLU8XjG2iuDJlCzUI7XfJ3TnCYZ4dxpaTrCfn9owpA+LkrSg ba0dqu9PmWMoBnL9SySVfT16YKeeF7lBtanLa2meXfIc/ESYonGUnG7/Ee0P77npG3Ku 0TT+lN3rzx56km7ZAGAh245oojl1ccmobz+5zDQ2ljTW1fGN3THltvIf0tmCXChE/6v8 9XQA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=IUTJjfVh; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from server2.sourceware.org (server2.sourceware.org. [2620:52:3:1:0:246e:9693:128c]) by mx.google.com with ESMTPS id ada2fe7eead31-4afbc5055b2si1392647137.7.2024.12.06.09.40.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Dec 2024 09:40:40 -0800 (PST) Received-SPF: pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) client-ip=2620:52:3:1:0:246e:9693:128c; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=IUTJjfVh; arc=pass (i=1); spf=pass (google.com: domain of libc-alpha-bounces~patch=linaro.org@sourceware.org designates 2620:52:3:1:0:246e:9693:128c as permitted sender) smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id AB29F3858416 for ; Fri, 6 Dec 2024 17:40:39 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org AB29F3858416 Authentication-Results: sourceware.org; dkim=pass (2048-bit key, unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=IUTJjfVh X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) by sourceware.org (Postfix) with ESMTPS id 0BBC13858408 for ; Fri, 6 Dec 2024 17:39:12 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 0BBC13858408 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 0BBC13858408 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::62c ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1733506752; cv=none; b=U9i9t0Zdi9qbyoeK2jL7qtqkAFXskW01au65ry1vYUWepatHIAvDIkwTWbcAVMcZIheVyESDvhzSa537piR79qAhIjWAv7C7POUzAhDs6aW7bbfxK8guVUWC54JqOLSR03ADOQ1WO3223SHrb12yy3d2Bj5vo19pBVmA9GILo6I= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1733506752; c=relaxed/simple; bh=iwYKWLwT0POd0KMBcVTNF7uI1Ua54hG0lBedxuuulU0=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=fifrF4VcJOmRPr5IHv/2+bSEKSVQqDKzamXxJiE9Lu7AvWQIZUhFN1EUXdEy/xs2dhxrr7ErzQZIMfUsBsU/eRanyKbTg8TNNmvrwXwUtSEhH3r117b0oqR232Mc+wB3cQ1qjgirCn1xetRURsVA3b5nl+qghrCR+V8dEwdEasI= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 0BBC13858408 Received: by mail-pl1-x62c.google.com with SMTP id d9443c01a7336-215810fff52so26278205ad.1 for ; Fri, 06 Dec 2024 09:39:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1733506751; x=1734111551; darn=sourceware.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Gyii1SQ6RIA6zHr9mbG9Ucs5EB/FhzOEAiyXBEfSolw=; b=IUTJjfVhD7Kk3a65I6t9Dy3Blfmne8xR6Skh4dH4reQf9daB8N3svukJcVOyYlzrJV 4ni9nGosPir9hKnx1yuvGE3ToFtquBdOsRLbVCr4AT6YAyXYDaFrGQTIYFnONkA7VGjA HIYwgM1JI9CAzvpEnqD85RYlDz/qNOhP0U3Vba+nVm1KeBXzoUqjljVdzu9NKe9+5TOB FIjz2t9f341NPArIwjeF8w/JU3+qEGDLoMvbcY751NLC9NVZQ7Dqf7PCxSrfXUAt26sm aU94X0vanSf7KHsDRt5JhL4o8d6BDRJ+3m1ZNe3UL3Qzc8fiwt2KmrbDMMnigXn1g3NB ubUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733506751; x=1734111551; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Gyii1SQ6RIA6zHr9mbG9Ucs5EB/FhzOEAiyXBEfSolw=; b=J7YX0HGdd9u71oz49oaOZ/eHoaPNOyoOb9hNJQLOF31CrKPXDRf+UYlkjZOqLXYzP4 S2vyXnbpd8MupdQO1U6xvM0m9wAZ7POiBEAR6Zk9tUW3bTpTpqzfWcfDzwCqdY/1TYc9 ZhofAib6iLifstGb7iYVCFPX7cBFoQ8dn1MUbRf9xfwnXMDP+eMC4UHHCkQGbPJ34v8D lgJ7031dFcf7UIvN0+HkgIT9QtJZQJ5QYv3YXAdsW498zSjt2gYXjKtOSRRiOz6kRqrV Y0WlJZnO1Wdh/MgUbvCTWTDo92rDFOsqHf0Pk12MwzA9CjM6FRRvbawg3v/yXpH8PytH RJCQ== X-Gm-Message-State: AOJu0Yy24pmjmjkvfkMYewuPHu5NHsd/aJeTO/FkVXKyQxY8Ss9WHW5l 0IjwwbqitFioRw1e9DRUBliX0ai4nm42K0HCv/Hcl2ZpuleQ0gSmG0Y5vKOAZyGRO0rmgCqn3w0 6 X-Gm-Gg: ASbGnctu77GsxbNdSm2r5v/iqMzHgU4VQcPpPbh1XRcWVYSwK4A95YQts/Rej/firiZ RfiInBrqi6hoZIfRNemi/CTFbsLRHKMWGxGHJK6q8LTa/zP7VOI0IoO5SmWXVUoZCTSukXuL7Hd ftBluSmd71jSCFltTkFV/7fzUoRgrepBttS7LAAQA7y/2Qz2aQP/mPOHoxWBBDY7D558+eMhyln LR08xV1IgIfojoYmAsAqzaGnhmvtKRyQSrWFU69KBe07ZuIM01QejugQlkibg== X-Received: by 2002:a17:903:228c:b0:212:615f:c1 with SMTP id d9443c01a7336-21614d354e0mr59081195ad.14.1733506750612; Fri, 06 Dec 2024 09:39:10 -0800 (PST) Received: from mandiga.. ([2804:1b3:a7c2:2d1:1460:dd43:b597:c3fc]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-215f8f29635sm31409495ad.241.2024.12.06.09.39.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Dec 2024 09:39:10 -0800 (PST) From: Adhemerval Zanella To: libc-alpha@sourceware.org Cc: Jeff Xu , Florian Weimer , Mike Hommey , "H . J . Lu" Subject: [PATCH v4 7/9] Enable memory sealing automatically Date: Fri, 6 Dec 2024 14:37:55 -0300 Message-ID: <20241206173850.3766841-8-adhemerval.zanella@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20241206173850.3766841-1-adhemerval.zanella@linaro.org> References: <20241206173850.3766841-1-adhemerval.zanella@linaro.org> MIME-Version: 1.0 X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces~patch=linaro.org@sourceware.org All libraries, programs, and the testsuite in glibc are now build with memory sealing by default if the toochain supports it. A new configure option, --disable-default-memory-seal, disables it. Checked on aarch64-linux-gnu. --- INSTALL | 5 ++++ Makeconfig | 17 ++++++++++++++ Makerules | 2 ++ NEWS | 4 ++++ configure | 57 +++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 19 +++++++++++++++ elf/Makefile | 1 + manual/install.texi | 5 ++++ 8 files changed, 110 insertions(+) diff --git a/INSTALL b/INSTALL index 24e3c8d25b..2a340514c2 100644 --- a/INSTALL +++ b/INSTALL @@ -245,6 +245,11 @@ if 'CFLAGS' is specified it must enable optimization. For example: Disable using 'scv' instruction for syscalls. All syscalls will use 'sc' instead, even if the kernel supports 'scv'. PowerPC only. +'--disable-default-memory-seal' + Don't build glibc libraries, programs, and the testsuite with + memory sealing support (GNU_PROPERTY_MEMORY_SEAL). By default, + memory sealing is enabled if toolchain suports the linker option. + '--build=BUILD-SYSTEM' '--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both options diff --git a/Makeconfig b/Makeconfig index a0abc2239b..6c74155b7c 100644 --- a/Makeconfig +++ b/Makeconfig @@ -389,6 +389,21 @@ dt-relr-ldflag = no-dt-relr-ldflag = endif +# Linker options to enable and disable memory sealing (GNU_PROPERTY_MEMORY_SEAL), +# if --disable-default-memory-sealing is used explicit disable memory sealing for +# the case linker defaults to it. +ifeq ($(have-z-memory-seal),yes) +no-memory-seal-ldflag = -Wl,-z,nomemory-seal +ifeq ($(default-memory-seal),yes) +memory-seal-ldflag = -Wl,-z,memory-seal +else +memory-seal-ldflag = $(no-memory-seal-ldflag) +endif +else +memory-seal-ldflag = +no-memory-seal-ldflag = +endif + ifeq (no,$(build-pie-default)) pie-default = $(no-pie-ccflag) else # build-pie-default @@ -433,6 +448,7 @@ link-extra-libs-tests = $(libsupport) ifndef +link-pie +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ -Wl,-O1 -nostdlib -nostartfiles \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ @@ -466,6 +482,7 @@ ifndef +link-static +link-static-before-inputs = -nostdlib -nostartfiles -static \ $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(static-pie-dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \ $(+preinit) $(+prectorT) diff --git a/Makerules b/Makerules index 275110dda8..f2240ed2df 100644 --- a/Makerules +++ b/Makerules @@ -539,6 +539,7 @@ define build-shlib-helper $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \ $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \ -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \ @@ -555,6 +556,7 @@ define build-module-helper $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ -B$(csu-objpfx) $(load-map-file) \ $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \ $(link-test-modules-rpath-link) \ diff --git a/NEWS b/NEWS index 723dac1ccc..302babf497 100644 --- a/NEWS +++ b/NEWS @@ -55,6 +55,10 @@ Major new features: the binary, any preload and audit modules, and aby library loaded with RTLD_NODELETE. +* All libraries, progras, and the testsuite in glibc are now build with + memory sealing by default if the toochain supports it. A new configure + option, --disable-default-memory-seal, disables it. + Deprecated and removed features, and other changes affecting compatibility: * The big-endian ARC port (arceb-linux-gnu) has been removed. diff --git a/configure b/configure index e99c0d23af..f006956475 100755 --- a/configure +++ b/configure @@ -809,6 +809,7 @@ enable_mathvec enable_cet enable_scv enable_fortify_source +enable_default_memory_sealing with_cpu ' ac_precious_vars='build_alias @@ -1492,6 +1493,9 @@ Optional Features: Use -D_FORTIFY_SOURCE=[1|2|3] to control code hardening, defaults to highest possible value supported by the build compiler. + --disable-default-memory-sealing + Do not build glibc libraries, programs, and the + testsuite with memory sealing [default=no] Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -4856,6 +4860,16 @@ case "$enable_fortify_source" in *) as_fn_error $? "Not a valid argument for --enable-fortify-source: \"$enable_fortify_source\"" "$LINENO" 5;; esac +# Check whether --enable-default-memory-sealing was given. +if test ${enable_default_memory_sealing+y} +then : + enableval=$enable_default_memory_sealing; default_memory_sealing=$enableval +else case e in #( + e) default_memory_sealing=yes ;; +esac +fi + + # We keep the original values in `$config_*' and never modify them, so we # can write them unchanged into config.make. Everything else uses # $machine, $vendor, and $os, and changes them whenever convenient. @@ -7103,6 +7117,49 @@ printf "%s\n" "$libc_linker_feature" >&6; } config_vars="$config_vars have-no-dynamic-linker = $libc_cv_no_dynamic_linker" +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for linker that supports -z memory-seal" >&5 +printf %s "checking for linker that supports -z memory-seal... " >&6; } +libc_linker_feature=no +cat > conftest.c <&5 + (eval $ac_try) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; } +then + if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -Wl,-z,memory-seal -nostdlib \ + -nostartfiles -fPIC -shared -o conftest.so conftest.c 2>&1 \ + | grep "warning: -z memory-seal ignored" > /dev/null 2>&1; then + true + else + libc_linker_feature=yes + fi +fi +rm -f conftest* +if test $libc_linker_feature = yes; then + libc_cv_z_memory_seal=yes +else + libc_cv_z_memory_seal=no +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libc_linker_feature" >&5 +printf "%s\n" "$libc_linker_feature" >&6; } + +# Enable memory-sealing iff it is available and glibc is not configured +# with --disable-defautl-memory-sealing +if test "$libc_cv_z_memory_seal" = no; then + default_memory_sealing=no +fi +config_vars="$config_vars +have-z-memory-seal = $libc_cv_z_memory_seal" +config_vars="$config_vars +default-memory-seal = $default_memory_sealing" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for -static-pie" >&5 printf %s "checking for -static-pie... " >&6; } if test ${libc_cv_static_pie+y} diff --git a/configure.ac b/configure.ac index 06a9c3f252..b88c52a8f4 100644 --- a/configure.ac +++ b/configure.ac @@ -426,6 +426,12 @@ case "$enable_fortify_source" in *) AC_MSG_ERROR([Not a valid argument for --enable-fortify-source: "$enable_fortify_source"]);; esac +AC_ARG_ENABLE([default-memory-sealing], + AS_HELP_STRING([--disable-default-memory-sealing], + [Do not build glibc libraries, programs, and the testsuite with memory sealing @<:@default=no@:>@]), + [default_memory_sealing=$enableval], + [default_memory_sealing=yes]) + # We keep the original values in `$config_*' and never modify them, so we # can write them unchanged into config.make. Everything else uses # $machine, $vendor, and $os, and changes them whenever convenient. @@ -1278,6 +1284,19 @@ LIBC_LINKER_FEATURE([--no-dynamic-linker], [libc_cv_no_dynamic_linker=no]) LIBC_CONFIG_VAR([have-no-dynamic-linker], [$libc_cv_no_dynamic_linker]) +LIBC_LINKER_FEATURE([-z memory-seal], + [-Wl,-z,memory-seal], + [libc_cv_z_memory_seal=yes], + [libc_cv_z_memory_seal=no]) + +# Enable memory-sealing iff it is available and glibc is not configured +# with --disable-defautl-memory-sealing +if test "$libc_cv_z_memory_seal" = no; then + default_memory_sealing=no +fi +LIBC_CONFIG_VAR([have-z-memory-seal], [$libc_cv_z_memory_seal]) +LIBC_CONFIG_VAR([default-memory-seal], [$default_memory_sealing]) + AC_CACHE_CHECK(for -static-pie, libc_cv_static_pie, [dnl LIBC_TRY_CC_OPTION([-static-pie], [libc_cv_static_pie=yes], diff --git a/elf/Makefile b/elf/Makefile index 9172d7306e..8eef4ccfe1 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -1447,6 +1447,7 @@ $(objpfx)ld.so: $(objpfx)librtld.os $(ld-map) $(LINK.o) -nostdlib -nostartfiles -shared -o $@.new \ $(LDFLAGS-rtld) -Wl,-z,defs $(z-now-$(bind-now)) \ $(dt-relr-ldflag) \ + $(memory-seal-ldflag) \ $(filter-out $(map-file),$^) $(load-map-file) \ -Wl,-soname=$(rtld-installed-name) $(call after-link,$@.new) diff --git a/manual/install.texi b/manual/install.texi index 3e68a3d823..58363e8a9c 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -272,6 +272,11 @@ C++ libraries. Disable using @code{scv} instruction for syscalls. All syscalls will use @code{sc} instead, even if the kernel supports @code{scv}. PowerPC only. +@item --disable-default-memory-seal +Don't build glibc libraries, programs, and the testsuite with +memory sealing support (@code{GNU_PROPERTY_MEMORY_SEAL}). By default, +memory sealing is enabled if toolchain suports the linker option. + @item --build=@var{build-system} @itemx --host=@var{host-system} These options are for cross-compiling. If you specify both options and