From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Jeff Xu, Florian Weimer, "H . J . Lu", Yury Khrustalev
Subject: [PATCH v6 6/9] Add --enable-memory-sealing configure option
Date: Tue, 11 Mar 2025 14:09:53 -0300
Message-ID: <20250311171305.89091-7-adhemerval.zanella@linaro.org>
In-Reply-To: <20250311171305.89091-1-adhemerval.zanella@linaro.org>
References: <20250311171305.89091-1-adhemerval.zanella@linaro.org>

It allows all libraries, programs, and the testsuite in glibc to be built with memory sealing if the toolchain supports it. The default is disabled.

Checked on aarch64-linux-gnu and x86_64-linux-gnu.
--- INSTALL | 6 +++++ Makeconfig | 19 ++++++++++++++- Makerules | 2 ++ NEWS | 3 +++ configure | 57 ++++++++++++++++++++++++++++++++++++++++++++- configure.ac | 19 +++++++++++++++ elf/Makefile | 19 +++++++++++---- manual/install.texi | 5 ++++ 8 files changed, 124 insertions(+), 6 deletions(-) diff --git a/INSTALL b/INSTALL index a56179a9c9..0c8e20f605 100644 --- a/INSTALL +++ b/INSTALL @@ -251,6 +251,12 @@ passed to 'configure'. For example: Disable using 'scv' instruction for syscalls. All syscalls will use 'sc' instead, even if the kernel supports 'scv'. PowerPC only. +'--enable-memory-sealing' + Build glibc libraries, programs, and the testsuite with memory + sealing support (GNU_PROPERTY_MEMORY_SEAL). It does not disable + support for memory sealing, which will still be applied if the + program has the attribute. + '--build=BUILD-SYSTEM' '--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both options diff --git a/Makeconfig b/Makeconfig index aa547a443f..1b0a9d95f1 100644 --- a/Makeconfig +++ b/Makeconfig 
@@ -389,6 +389,21 @@ dt-relr-ldflag = no-dt-relr-ldflag = endif +# Linker options to enable and disable memory sealing (GNU_PROPERTY_MEMORY_SEAL), +# if --enable--memory-sealing is used explicit enable memory sealing for the case +# the linker defaults to it. +ifeq ($(have-z-memory-seal),yes) +no-memory-seal-ldflag = -Wl,-z,nomemory-seal +ifeq ($(enable-memory-seal),yes) +memory-seal-ldflag = -Wl,-z,memory-seal +else +memory-seal-ldflag = $(no-memory-seal-ldflag) +endif +else +memory-seal-ldflag = +no-memory-seal-ldflag = +endif + ifeq (no,$(build-pie-default)) pie-default = $(no-pie-ccflag) else # build-pie-default @@ -433,6 +448,7 @@ link-extra-libs-tests = $(libsupport) ifndef +link-pie +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ -Wl,-O1 -nostdlib -nostartfiles \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ @@ -466,6 +482,7 @@ ifndef +link-static +link-static-before-inputs = -nostdlib -nostartfiles -static \ $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(static-pie-dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \ $(+preinit) $(+prectorT) @@ -542,7 +559,7 @@ endif # +link # Command for linking test programs with crt1.o from glibc 2.0. +link-2.0-before-inputs = -nostdlib -nostartfiles $(no-pie-ldflag) \ $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ - $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ + $(relro-LDFLAGS) $(memory-seal-ldflag) $(hashstyle-LDFLAGS) \ $(firstword $(CRT-$(@F)) $(csu-objpfx)$(start-name-2.0)) \ $(+preinit) $(+prector) +link-2.0-before-libc = -o $@ $(+link-2.0-before-inputs) \ 
diff --git a/Makerules b/Makerules index ada616891e..02ce3949cf 100644 --- a/Makerules +++ b/Makerules @@ -544,6 +544,7 @@ define build-shlib-helper $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \ $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \ -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \ @@ -560,6 +561,7 @@ define build-module-helper $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \ $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \ $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \ + $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \ -B$(csu-objpfx) $(load-map-file) \ $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \ $(link-test-modules-rpath-link) \ diff --git a/NEWS b/NEWS index fc460ede05..ff241b2863 100644 --- a/NEWS +++ b/NEWS @@ -23,6 +23,9 @@ Major new features: memory sealing will not be applied for its dependencies (and even if the objects has the memory sealing attribute). +* A new configure option, "--enable-memory-sealing", can be used to build + the GNU C Library libraries and programs with memory sealing. + Deprecated and removed features, and other changes affecting compatibility: [Add deprecations, removals and changes affecting compatibility here] diff --git a/configure b/configure index 80b4a63f1b..dda60ed91d 100755 --- a/configure +++ b/configure @@ -820,6 +820,7 @@ enable_mathvec enable_cet enable_scv enable_fortify_source +enable_memory_sealing with_cpu ' ac_precious_vars='build_alias 
@@ -1505,6 +1506,8 @@ Optional Features: Use -D_FORTIFY_SOURCE=[1|2|3] to control code hardening, defaults to highest possible value supported by the build compiler. + --enable-memory-sealing Build glibc libraries, programs, and the testsuite + with memory sealing [default=no] Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -4883,6 +4886,16 @@ case "$enable_fortify_source" in *) as_fn_error $? "Not a valid argument for --enable-fortify-source: \"$enable_fortify_source\"" "$LINENO" 5;; esac +# Check whether --enable-memory-sealing was given. +if test ${enable_memory_sealing+y} +then : + enableval=$enable_memory_sealing; enable_memory_sealing=$enableval +else case e in #( + e) enable_memory_sealing=no ;; +esac +fi + + # We keep the original values in `$config_*' and never modify them, so we # can write them unchanged into config.make. Everything else uses # $machine, $vendor, and $os, and changes them whenever convenient. 
@@ -7410,6 +7423,49 @@ printf "%s\n" "$libc_cv_fpie" >&6; } +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for linker that supports -z memory-seal" >&5 +printf %s "checking for linker that supports -z memory-seal... " >&6; } +libc_linker_feature=no +cat > conftest.c <&5 + (eval $ac_try) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; } +then + if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -Wl,-z,memory-seal -nostdlib \ + -nostartfiles -fPIC -shared -o conftest.so conftest.c 2>&1 \ + | grep "warning: -z memory-seal ignored" > /dev/null 2>&1; then + true + else + libc_linker_feature=yes + fi +fi +rm -f conftest* +if test $libc_linker_feature = yes; then + libc_cv_z_memory_seal=yes +else + libc_cv_z_memory_seal=no +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libc_linker_feature" >&5 +printf "%s\n" "$libc_linker_feature" >&6; } +# Enable memory-sealing iff it is available and glibc is not configured +# with --disable-defautl-memory-sealing +if test "$libc_cv_z_memory_seal" = no; then + default_memory_sealing=no +fi +config_vars="$config_vars +have-z-memory-seal = $libc_cv_z_memory_seal" +config_vars="$config_vars +enable-memory-seal = $enable_memory_sealing" + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GLOB_DAT reloc" >&5 printf %s "checking for GLOB_DAT reloc... " >&6; } if test ${libc_cv_has_glob_dat+y} @@ -8945,7 +9001,6 @@ load-address-ldflag = $libc_cv_load_address_ldflag" # Check if compilers support GCS in branch protection: - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler supports -mbranch-protection=gcs" >&5 printf %s "checking if compiler supports -mbranch-protection=gcs... " >&6; } if test ${libc_cv_cc_gcs+y} diff --git a/configure.ac b/configure.ac index 7d04b54c98..d514179e1b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -440,6 +440,12 @@ case "$enable_fortify_source" in *) AC_MSG_ERROR([Not a valid argument for --enable-fortify-source: "$enable_fortify_source"]);; esac +AC_ARG_ENABLE([memory-sealing], + AS_HELP_STRING([--enable-memory-sealing], + [Build glibc libraries, programs, and the testsuite with memory sealing @<:@default=no@:>@]), + [enable_memory_sealing=$enableval], + [enable_memory_sealing=no]) + # We keep the original values in `$config_*' and never modify them, so we # can write them unchanged into config.make. Everything else uses # $machine, $vendor, and $os, and changes them whenever convenient. @@ -1360,6 +1366,19 @@ LIBC_TRY_CC_OPTION([-fpie], [libc_cv_fpie=yes], [libc_cv_fpie=no]) AC_SUBST(libc_cv_fpie) +LIBC_LINKER_FEATURE([-z memory-seal], + [-Wl,-z,memory-seal], + [libc_cv_z_memory_seal=yes], + [libc_cv_z_memory_seal=no]) +# Enable memory-sealing iff it is available and glibc is not configured +# with --disable-defautl-memory-sealing +if test "$libc_cv_z_memory_seal" = no; then + default_memory_sealing=no +fi +LIBC_CONFIG_VAR([have-z-memory-seal], [$libc_cv_z_memory_seal]) +LIBC_CONFIG_VAR([enable-memory-seal], [$enable_memory_sealing]) + + AC_CACHE_CHECK(for GLOB_DAT reloc, libc_cv_has_glob_dat, [dnl cat > conftest.c < $@ 2>&1; $(evaluate-test) diff --git a/manual/install.texi b/manual/install.texi index d001e8220b..7056768885 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -280,6 +280,11 @@ C++ libraries. Disable using @code{scv} instruction for syscalls. All syscalls will use @code{sc} instead, even if the kernel supports @code{scv}. PowerPC only. +@item --disable-default-memory-seal +Don't build glibc libraries, programs, and the testsuite with +memory sealing support (@code{GNU_PROPERTY_MEMORY_SEAL}). By default, +memory sealing is enabled if toolchain suports the linker option. + @item --build=@var{build-system} @itemx --host=@var{host-system} These options are for cross-compiling. If you specify both options and
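Review bot: The comment added at the top of the Makeconfig hunk at @@ -389,6 +389,21 @@ does not match the code below it. It names `--enable--memory-sealing` (doubled dash) and talks about explicitly enabling sealing "for the case the linker defaults to it", but the branch that handles a linker default is the `else` one, which sets `memory-seal-ldflag = $(no-memory-seal-ldflag)` and so passes `-Wl,-z,nomemory-seal` whenever the option is not given. Please reword the comment to state both behaviours: with the option, `-z memory-seal` is passed; without it, `-z nomemory-seal` is passed so that a linker that seals by default does not seal glibc.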
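Review bot: The Makeconfig hunk at @@ -542,7 +559,7 @@ adds `$(memory-seal-ldflag)` to `+link-2.0-before-inputs` unconditionally, while `+link-pie-before-inputs`, `+link-static-before-inputs` and both Makerules helpers use `$(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag))`. A test linked through the 2.0 recipe therefore cannot opt out by setting a `-no-memory-seal` variable for its target. Either use the same conditional here or add a comment saying why this recipe does not need the per-target override.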
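Review bot: The `AC_ARG_ENABLE([memory-sealing], ...)` block in the configure.ac hunk at @@ -440,6 +440,12 @@ stores `$enableval` without validating it, unlike the `--enable-fortify-source` case just above it, which ends in `AC_MSG_ERROR` for an invalid argument. Makeconfig only tests `ifeq ($(enable-memory-seal),yes)`, so a value such as `--enable-memory-sealing=foo` is accepted and then treated as "no", which with a supporting linker means `-Wl,-z,nomemory-seal` is passed. Suggest a `case` on `$enable_memory_sealing` that accepts `yes` and `no` and errors out on anything else.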
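Review bot: The block after `LIBC_LINKER_FEATURE([-z memory-seal], ...)` in the configure.ac hunk at @@ -1360,6 +1366,19 @@ (and its generated copy in configure) looks like a leftover from an earlier revision. The comment refers to `--disable-defautl-memory-sealing`, an option this patch does not define, and the `if` sets `default_memory_sealing=no`, a variable nothing else in the patch reads. As a result `enable_memory_sealing=yes` combined with `libc_cv_z_memory_seal=no` is written to config.make unchanged, and Makeconfig then leaves `memory-seal-ldflag` empty, so an explicit `--enable-memory-sealing` is silently ignored on a linker without `-z memory-seal`. Suggest replacing the dead assignment with an `AC_MSG_ERROR` (or at least a warning) when the option is requested and the linker check fails, and fixing the comment to name the real option.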
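Review bot: The manual/install.texi hunk at @@ -280,6 +280,11 @@ documents a different option from the one the patch adds. It introduces `@item --disable-default-memory-seal` and says "By default, memory sealing is enabled", whereas the INSTALL hunk, the configure help string and the NEWS entry all describe `--enable-memory-sealing` with `[default=no]`. The texi entry should be rewritten to match (`@item --enable-memory-sealing`, default disabled), and "suports" should be "supports". The second sentence of the INSTALL text ("It does not disable support for memory sealing, which will still be applied if the program has the attribute") reads as if written for the absence of the option; it would be clearer as a statement of what happens when glibc is built without `--enable-memory-sealing`.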