From patchwork Wed Jan 29 17:22:41 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adhemerval Zanella <adhemerval.zanella@linaro.org>
X-Patchwork-Id: 860673
Delivered-To: patch@linaro.org
Received: by 2002:a5d:53cb:0:b0:385:e875:8a9e with SMTP id a11csp298187wrw;
 Wed, 29 Jan 2025 09:36:05 -0800 (PST)
X-Forwarded-Encrypted: i=3;
 AJvYcCX+1Ki9rDWU9eZMshzkSeQ/WkKmFdKU4eGzYik+h742FNbvbAbAy8/i+dO104BEnu1Pwb+mxA==@linaro.org
X-Google-Smtp-Source: AGHT+IEvBGuTc7o3XXIpUxU8lm6WmkbGvoQTy3VRMmhstvx1uqZw+HJlVk5MY84C07dYbl59nJOc
X-Received: by 2002:a05:6214:124f:b0:6df:99f7:a616 with SMTP id
 6a1803df08f44-6e243b96bc5mr63035686d6.2.1738172165063;
 Wed, 29 Jan 2025 09:36:05 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1738172165; cv=pass;
 d=google.com; s=arc-20240605;
 b=gl9m0i8m76qVnvDcbZgv8ni5BUIFZERoxKwZqxXzDZNQQBPcsGUxHeQWFsoPiJcUyM
 Kt71OfMne9W8/bYqoKlhLvW2O8DCvSA5Tr2mRuNdq+yADjgf/7z0b/trHKzo8j4gvkRD
 Be/L2S35UGSEKS8mMSlbxBgrWh4gUL1Rl1FUwSL8XppEXaI6Q1PqfSQ9tVGpg0lgn+Np
 z3d001aFfxvlS2nv7zN55CzwRdih6NSbYxRkJeUgo6z6Wu+mjPHrzPC7LFvy4XdjEVxs
 zcmnUXhsQ1m1KWdWXeAG1bGk4fR2fz4rLLIstR2Em/EZS64nJIeScStvyGL+MDxdKBtf
 i9/w==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
 h=errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:references:in-reply-to:message-id:date:subject:cc:to
 :from:dkim-signature:dkim-filter:arc-filter:dmarc-filter
 :delivered-to:dkim-filter;
 bh=JLNgtq9seAcUVlZ2sz/10lyMiC5HBB72ZNtHrjtgZaE=;
 fh=NxP0gPoitL2xwHLpRPwMy6HQGuc/oe1BSm1HN6gGwGQ=;
 b=bIchVU+/vKUpxVG+8EXevMGvdX2+SID5f13+7qvPZ1C0hJ7aC/YIdRWMj5LHq0QWrs
 ou9Dk5nA5YmbA+CQMFxBlLsae9A9qZaTdamlaVN73GjDSf0MOjCVNhF0ue71VcOTy+tn
 x+j3g9N1SxsRh4+yzjALYdkBIOvVwOfKAZ1s1BSvmRCT7I32wOAcIGeBOnFVgR3bVh8I
 fDj65edcOCk8CVqvm4ZwjbvAdycdOcX2BZbpAe4cgRhsM3+OUgNGOqwl+Wdfbmb6OEol
 RlhmWoQOH5k2+UuS6HYFkSwANarQxHsrHbEDUkpOfWG4uEZbattCBv/s16sbqJM6dNxp
 vDoQ==; dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=pTY0iAbn;
 arc=pass (i=1); spf=pass (google.com: domain of
 libc-alpha-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as
 permitted sender)
 smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org";
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <libc-alpha-bounces~patch=linaro.org@sourceware.org>
Received: from server2.sourceware.org (server2.sourceware.org. [8.43.85.97])
 by mx.google.com with ESMTPS id
 6a1803df08f44-6e205f01f92si154284336d6.320.2025.01.29.09.36.04
 for <patch@linaro.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 29 Jan 2025 09:36:05 -0800 (PST)
Received-SPF: pass (google.com: domain of
 libc-alpha-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as
 permitted sender) client-ip=8.43.85.97;
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=pTY0iAbn;
 arc=pass (i=1); spf=pass (google.com: domain of
 libc-alpha-bounces~patch=linaro.org@sourceware.org designates 8.43.85.97 as
 permitted sender)
 smtp.mailfrom="libc-alpha-bounces~patch=linaro.org@sourceware.org";
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
 by sourceware.org (Postfix) with ESMTP id 9E551385829B
 for <patch@linaro.org>; Wed, 29 Jan 2025 17:36:04 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9E551385829B
Authentication-Results: sourceware.org; dkim=pass (2048-bit key,
 unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256
 header.s=google header.b=pTY0iAbn
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com
 [IPv6:2607:f8b0:4864:20::635])
 by sourceware.org (Postfix) with ESMTPS id B61313857B96
 for <libc-alpha@sourceware.org>; Wed, 29 Jan 2025 17:26:09 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org B61313857B96
Authentication-Results: sourceware.org;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org B61313857B96
Authentication-Results: server2.sourceware.org;
 arc=none smtp.remote-ip=2607:f8b0:4864:20::635
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1738171570; cv=none;
 b=Wid37h2T8vphrZqoSeR0l6WAWdtR0DQx4Enh2w+UrCMzVNzn1/hd0rBmgIqByRSSJkSk7Df9hqyw5XYMQKbt9AA8QO306SkHnd+RYqVkbuERVQcA7WpcnFRmlaCMIz9LdNbAZhxbbM1EcAVk4xMP0cksv6onVulcgghud3LNNHY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1738171570; c=relaxed/simple;
 bh=vehu+h6J7WewuLCBnVZUwbwmyPsJxS+e6dZajYJfazk=;
 h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;
 b=gu93ahgZVT3v+oSUnP7uTjCI/AnTYtWtksxS0aDL+BEAVDJsgnNv6OLSBcCykyXuej3D9rElacYrYjuAdofnK4hOjNZXWvpVLnsxLi1xSV/hz5cUJl+a2Url0+L15ycDiCIo1kM8zyzrSFGJDBoCmcZf8DfE5VyIYhsFez+mAek=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org B61313857B96
Received: by mail-pl1-x635.google.com with SMTP id
 d9443c01a7336-216401de828so134086565ad.3
 for <libc-alpha@sourceware.org>; Wed, 29 Jan 2025 09:26:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=linaro.org; s=google; t=1738171568; x=1738776368; darn=sourceware.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=JLNgtq9seAcUVlZ2sz/10lyMiC5HBB72ZNtHrjtgZaE=;
 b=pTY0iAbn8UmsdWVGtViadt67kI77qR48GQ3sgyVJRoUCgfjhgFvI6SBTW6JqTd0q7b
 GozgtLq5Z/Qa32IR4T84YjxLWg6Bn7b1aluGAnoGS6hQaTDORsOsKCx27/2ToLpUkffq
 f76wAIr+tA84wgmCZvHe8pzN/uv9E4yLzVvi9/lFgR9TuKGST10RerwimWJzEwVWneMR
 kR4xlxydcmGhb9/DWliDRf0gOo1Vmyz38NtDZSoAy4QA5bJgsQQ4CTj1Kr+6kqKBAxdH
 iDM9ULx7+ypiPiSB4MWpVDjB0rZsZOseVAQbuGbYpQUZwjVeyA6Ibeu9Hue9iw+exphs
 hlKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1738171568; x=1738776368;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=JLNgtq9seAcUVlZ2sz/10lyMiC5HBB72ZNtHrjtgZaE=;
 b=BPql2SyxgseahwRLlS+BCUolB2W03iUx3WRoC/Xct2oqhvXeZKf5ahpS7APsGPQtkA
 Lcf3mANJGd1FOIAPCVLqfggO0OXGmdP09PZs1kXiYRscdjg5qFlGxcytVfHkHRNTY4V4
 WIqjvCl8BPGpPJDlP6uACyO5mfskJn0bYJNYQtgKn8j94e9kdtBkTeyTBU0pQlFVSCXc
 jCFGC65p775WLZgeinXH1x1od5vjxSrtVmqLJRnqLI8WGzuMBzAWGw+5lOoEh0nJOGO3
 B8XJlsJEH0d5z1M66+Hs8Yvn4uxdDpkrLPs7Ajx0MKG7TWkjJy+Ou6VH8WiEZE38gzf0
 Tfkw==
X-Gm-Message-State: AOJu0Yx6fjNOQk8rgn2oAjDJBrsCTb+B100rD9TKydKw7s97SyO2oMdO
 J7u/2M4ZLah8fdnqxpolohg1MdapGoI6IEQVVfgv3wfNqIvK72Iw/20oqxHdpvRHV30SWY7YM9I
 +
X-Gm-Gg: ASbGnctPk1lrlCMamP21FATxunYPlZHV6wlww49mhDoOTYvcRG3xJ+hAfP+1z/hrqff
 1Vl9XPLKKSDcW6gwUY5Ft4oFwKpAxm71qpD4dncSpxifCSYhNJ9OlOvpZTP1iZqM2/xrEu/Iwl/
 Vuq2mxs5M+p67lZ6+TOYtG1hZzgBy1oSrHLMuQdPji3p5ALzR06vWI9s+CcZbhS6GhbvSiTAHbE
 2QjoqffsPOuN2Cw3S1MbGFf03ddIQBTQNY+UO8CD52MACEUeoYrFE2p0ZkJ11lrF877xMEr6P/9
 G15XSup86mwFJ92UVndUY8de76WkE2fxTwrJX5M=
X-Received: by 2002:a17:902:ce8a:b0:215:e685:fa25 with SMTP id
 d9443c01a7336-21dd7d80fefmr56529225ad.20.1738171568308;
 Wed, 29 Jan 2025 09:26:08 -0800 (PST)
Received: from mandiga.. ([2804:1b3:a7c2:2a23:584e:68a2:9131:7209])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-21da3ea1c2asm102082535ad.54.2025.01.29.09.26.06
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 29 Jan 2025 09:26:07 -0800 (PST)
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: libc-alpha@sourceware.org
Cc: Jeff Xu <jeffxu@google.com>, Florian Weimer <fweimer@redhat.com>,
 "H . J . Lu" <hjl.tools@gmail.com>
Subject: [PATCH v8 7/8] Enable memory sealing automatically
Date: Wed, 29 Jan 2025 14:22:41 -0300
Message-ID: <20250129172550.1119706-8-adhemerval.zanella@linaro.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20250129172550.1119706-1-adhemerval.zanella@linaro.org>
References: <20250129172550.1119706-1-adhemerval.zanella@linaro.org>
MIME-Version: 1.0
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces~patch=linaro.org@sourceware.org

All libraries, programs, and the testsuite in glibc are now build with
memory sealing by default if the toochain supports it.  A new configure
option, --disable-default-memory-seal, disables it.

Checked on aarch64-linux-gnu and x86_64-linux-gnu.
---
 INSTALL             |  5 ++++
 Makeconfig          | 19 ++++++++++++++-
 Makerules           |  2 ++
 NEWS                |  4 ++++
 configure           | 58 +++++++++++++++++++++++++++++++++++++++++++++
 configure.ac        | 20 ++++++++++++++++
 elf/Makefile        | 19 +++++++++++----
 manual/install.texi |  5 ++++
 8 files changed, 127 insertions(+), 5 deletions(-)

diff --git a/INSTALL b/INSTALL
index a56179a9c9..3344bb0c6a 100644
--- a/INSTALL
+++ b/INSTALL
@@ -251,6 +251,11 @@ passed to 'configure'.  For example:
      Disable using 'scv' instruction for syscalls.  All syscalls will
      use 'sc' instead, even if the kernel supports 'scv'.  PowerPC only.
 
+'--disable-default-memory-seal'
+     Don't build glibc libraries, programs, and the testsuite with
+     memory sealing support (GNU_PROPERTY_MEMORY_SEAL).  By default,
+     memory sealing is enabled if toolchain suports the linker option.
+
 '--build=BUILD-SYSTEM'
 '--host=HOST-SYSTEM'
      These options are for cross-compiling.  If you specify both options
diff --git a/Makeconfig b/Makeconfig
index d0108d2caa..2d783c2398 100644
--- a/Makeconfig
+++ b/Makeconfig
@@ -389,6 +389,21 @@ dt-relr-ldflag =
 no-dt-relr-ldflag =
 endif
 
+# Linker options to enable and disable memory sealing (GNU_PROPERTY_MEMORY_SEAL),
+# if --disable-default-memory-sealing is used explicit disable memory sealing for
+# the case linker defaults to it.
+ifeq ($(have-z-memory-seal),yes)
+no-memory-seal-ldflag = -Wl,-z,nomemory-seal
+ifeq ($(default-memory-seal),yes)
+memory-seal-ldflag = -Wl,-z,memory-seal
+else
+memory-seal-ldflag = $(no-memory-seal-ldflag)
+endif
+else
+memory-seal-ldflag =
+no-memory-seal-ldflag =
+endif
+
 ifeq (no,$(build-pie-default))
 pie-default = $(no-pie-ccflag)
 else # build-pie-default
@@ -433,6 +448,7 @@ link-extra-libs-tests = $(libsupport)
 ifndef +link-pie
 +link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \
 	     $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+	     $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	     -Wl,-O1 -nostdlib -nostartfiles \
 	     $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
 	     $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
@@ -466,6 +482,7 @@ ifndef +link-static
 +link-static-before-inputs = -nostdlib -nostartfiles -static \
 	      $(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \
 	      $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(static-pie-dt-relr-ldflag)) \
+	      $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	      $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F))  \
 	      $(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \
 	      $(+preinit) $(+prectorT)
@@ -542,7 +559,7 @@ endif  # +link
 # Command for linking test programs with crt1.o from glibc 2.0.
 +link-2.0-before-inputs = -nostdlib -nostartfiles $(no-pie-ldflag) \
 	      $(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
-	      $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
+	      $(relro-LDFLAGS) $(memory-seal-ldflag) $(hashstyle-LDFLAGS) \
 	      $(firstword $(CRT-$(@F)) $(csu-objpfx)$(start-name-2.0)) \
 	      $(+preinit) $(+prector)
 +link-2.0-before-libc = -o $@ $(+link-2.0-before-inputs) \
diff --git a/Makerules b/Makerules
index ada616891e..02ce3949cf 100644
--- a/Makerules
+++ b/Makerules
@@ -544,6 +544,7 @@ define build-shlib-helper
 $(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \
 	  $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \
 	  $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+	  $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	  $(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \
 	  $(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \
 	  -Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \
@@ -560,6 +561,7 @@ define build-module-helper
 $(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \
 	  $(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \
 	  $(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+	  $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
 	  -B$(csu-objpfx) $(load-map-file) \
 	  $(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \
 	  $(link-test-modules-rpath-link) \
diff --git a/NEWS b/NEWS
index c35ac3ed28..5e0f55718c 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,10 @@ Major new features:
   the binary, any preload and audit modules, and aby library loaded with
   RTLD_NODELETE.
 
+* All libraries, programs, and the testsuite in glibc are now build with
+  memory sealing by default if the toochain supports it.  A new configure
+  option, --disable-default-memory-seal, disables it.
+
 Deprecated and removed features, and other changes affecting compatibility:
 
   [Add deprecations, removals and changes affecting compatibility here]
diff --git a/configure b/configure
index eb8abd0054..8110d57bae 100755
--- a/configure
+++ b/configure
@@ -819,6 +819,7 @@ enable_mathvec
 enable_cet
 enable_scv
 enable_fortify_source
+enable_default_memory_sealing
 with_cpu
 '
       ac_precious_vars='build_alias
@@ -1504,6 +1505,9 @@ Optional Features:
                           Use -D_FORTIFY_SOURCE=[1|2|3] to control code
                           hardening, defaults to highest possible value
                           supported by the build compiler.
+  --disable-default-memory-sealing
+                          Do not build glibc libraries, programs, and the
+                          testsuite with memory sealing [default=no]
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -4882,6 +4886,16 @@ case "$enable_fortify_source" in
 *) as_fn_error $? "Not a valid argument for --enable-fortify-source: \"$enable_fortify_source\"" "$LINENO" 5;;
 esac
 
+# Check whether --enable-default-memory-sealing was given.
+if test ${enable_default_memory_sealing+y}
+then :
+  enableval=$enable_default_memory_sealing; default_memory_sealing=$enableval
+else case e in #(
+  e) default_memory_sealing=yes ;;
+esac
+fi
+
+
 # We keep the original values in `$config_*' and never modify them, so we
 # can write them unchanged into config.make.  Everything else uses
 # $machine, $vendor, and $os, and changes them whenever convenient.
@@ -7375,6 +7389,50 @@ printf "%s\n" "$libc_cv_fpie" >&6; }
 
 
 
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for linker that supports -z memory-seal" >&5
+printf %s "checking for linker that supports -z memory-seal... " >&6; }
+libc_linker_feature=no
+cat > conftest.c <<EOF
+int _start (void) { return 42; }
+EOF
+if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
+		  -Wl,-z,memory-seal -nostdlib -nostartfiles
+		  -fPIC -shared -o conftest.so conftest.c
+		  1>&5'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }
+then
+  if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -Wl,-z,memory-seal -nostdlib \
+      -nostartfiles -fPIC -shared -o conftest.so conftest.c 2>&1 \
+      | grep "warning: -z memory-seal ignored" > /dev/null 2>&1; then
+    true
+  else
+    libc_linker_feature=yes
+  fi
+fi
+rm -f conftest*
+if test $libc_linker_feature = yes; then
+  libc_cv_z_memory_seal=yes
+else
+  libc_cv_z_memory_seal=no
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libc_linker_feature" >&5
+printf "%s\n" "$libc_linker_feature" >&6; }
+# Enable memory-sealing iff it is available and glibc is not configured
+# with --disable-defautl-memory-sealing
+if test "$libc_cv_z_memory_seal" = no; then
+  default_memory_sealing=no
+fi
+config_vars="$config_vars
+have-z-memory-seal = $libc_cv_z_memory_seal"
+config_vars="$config_vars
+default-memory-seal = $default_memory_sealing"
+
+
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GLOB_DAT reloc" >&5
 printf %s "checking for GLOB_DAT reloc... " >&6; }
 if test ${libc_cv_has_glob_dat+y}
diff --git a/configure.ac b/configure.ac
index 050bfa65e3..000b8c5a7c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -440,6 +440,12 @@ case "$enable_fortify_source" in
 *) AC_MSG_ERROR([Not a valid argument for --enable-fortify-source: "$enable_fortify_source"]);;
 esac
 
+AC_ARG_ENABLE([default-memory-sealing],
+	      AS_HELP_STRING([--disable-default-memory-sealing],
+			     [Do not build glibc libraries, programs, and the testsuite with memory sealing @<:@default=no@:>@]),
+	      [default_memory_sealing=$enableval],
+	      [default_memory_sealing=yes])
+
 # We keep the original values in `$config_*' and never modify them, so we
 # can write them unchanged into config.make.  Everything else uses
 # $machine, $vendor, and $os, and changes them whenever convenient.
@@ -1356,6 +1362,20 @@ LIBC_TRY_CC_OPTION([-fpie], [libc_cv_fpie=yes], [libc_cv_fpie=no])
 
 AC_SUBST(libc_cv_fpie)
 
+
+LIBC_LINKER_FEATURE([-z memory-seal],
+		    [-Wl,-z,memory-seal],
+		    [libc_cv_z_memory_seal=yes],
+		    [libc_cv_z_memory_seal=no])
+# Enable memory-sealing iff it is available and glibc is not configured
+# with --disable-defautl-memory-sealing
+if test "$libc_cv_z_memory_seal" = no; then
+  default_memory_sealing=no
+fi
+LIBC_CONFIG_VAR([have-z-memory-seal], [$libc_cv_z_memory_seal])
+LIBC_CONFIG_VAR([default-memory-seal], [$default_memory_sealing])
+
+
 AC_CACHE_CHECK(for GLOB_DAT reloc,
 	       libc_cv_has_glob_dat, [dnl
 cat > conftest.c <<EOF
diff --git a/elf/Makefile b/elf/Makefile
index 4b1d0d8741..cd1cb0541d 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -1496,6 +1496,7 @@ $(objpfx)ld.so: $(objpfx)librtld.os $(ld-map)
 	$(LINK.o) -nostdlib -nostartfiles -shared -o $@.new		\
 		  $(LDFLAGS-rtld) -Wl,-z,defs $(z-now-$(bind-now))	\
 		  $(dt-relr-ldflag) \
+		  $(memory-seal-ldflag) \
 		  $(filter-out $(map-file),$^) $(load-map-file)		\
 		  -Wl,-soname=$(rtld-installed-name)
 	$(call after-link,$@.new)
@@ -1836,6 +1837,7 @@ $(objpfx)nodlopen2.out: $(objpfx)nodlopenmod2.so
 $(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so
 	$(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \
 		  $(dt-relr-ldflag) \
+		  $(memory-seal-ldflag) \
 		  -L$(subst :, -L,$(rpath-link)) \
 		  -Wl,-rpath-link=$(rpath-link) \
 		  $< -Wl,-F,$(objpfx)filtmod2.so
@@ -2453,6 +2455,7 @@ $(objpfx)tst-audit17.out: $(objpfx)tst-auditmod17.so
 # intended, so it uses an explicit link rule.
 $(objpfx)tst-auditmod17.so: $(objpfx)tst-auditmod17.os
 	$(CC) -nostdlib -nostartfiles -shared -o $@.new \
+	$(memory-seal-ldflag) \
 	$(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@@ -2513,12 +2516,13 @@ $(objpfx)tst-audit24bmod1: $(objpfx)tst-audit24bmod2.so
 # against libc.so.
 $(objpfx)tst-audit24bmod1.so: $(objpfx)tst-audit24bmod1.os
 	$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod1.os \
-	  -Wl,-z,now
+	  -Wl,-z,now $(memory-seal-ldflag)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
 CFLAGS-.os += $(call elide-stack-protector,.os,tst-audit24bmod1)
 $(objpfx)tst-audit24bmod2.so: $(objpfx)tst-audit24bmod2.os
-	$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod2.os
+	$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod2.os \
+	  $(memory-seal-ldflag)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
 CFLAGS-.os += $(call elide-stack-protector,.os,tst-audit24bmod2)
@@ -2678,7 +2682,7 @@ $(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so
 # artificial, large note in tst-big-note-lib.o and invalidate the
 # test.
 $(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o
-	$(LINK.o) -shared -o $@ $(LDFLAGS.so) $(dt-relr-ldflag) $<
+	$(LINK.o) -shared -o $@ $(LDFLAGS.so) $(dt-relr-ldflag) $(memory-seal-ldflag) $<
 
 $(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so
 
@@ -2985,6 +2989,7 @@ $(objpfx)tst-ro-dynamic-mod.so: $(objpfx)tst-ro-dynamic-mod.os \
   tst-ro-dynamic-mod.map
 	$(LINK.o) -nostdlib -nostartfiles -shared -o $@ \
 		$(dt-relr-ldflag) \
+		$(memory-seal-ldflag) \
 		-Wl,--script=tst-ro-dynamic-mod.map \
 		$(objpfx)tst-ro-dynamic-mod.os
 
@@ -3075,6 +3080,7 @@ $(objpfx)tst-relr2: $(objpfx)tst-relr-mod2.so
 $(objpfx)tst-relr-mod2.so: $(objpfx)tst-relr-mod2.os
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) \
+	$(memory-seal-ldflag) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@@ -3085,6 +3091,7 @@ $(objpfx)tst-relr3: $(objpfx)tst-relr-mod3a.so
 $(objpfx)tst-relr-mod3b.so: $(objpfx)tst-relr-mod3b.os
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) \
+	$(memory-seal-ldflag) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@@ -3093,6 +3100,7 @@ $(objpfx)tst-relr-mod3a.so: $(objpfx)tst-relr-mod3a.os \
   $(objpfx)tst-relr-mod3b.so
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) $(LDFLAGS-rpath-ORIGIN) \
+	$(memory-seal-ldflag) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
 	mv -f $@.new $@
@@ -3103,6 +3111,7 @@ $(objpfx)tst-relr4: $(objpfx)tst-relr-mod4a.so
 $(objpfx)tst-relr-mod4b.so: $(objpfx)tst-relr-mod4b.os
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
 	$(LDFLAGS-soname-fname) \
+	$(memory-seal-ldflag) \
 	-Wl,--version-script=tst-relr-mod4b.map \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
@@ -3111,6 +3120,7 @@ $(objpfx)tst-relr-mod4b.so: $(objpfx)tst-relr-mod4b.os
 $(objpfx)tst-relr-mod4a.so: $(objpfx)tst-relr-mod4a.os \
   $(objpfx)tst-relr-mod4b.so
 	$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
+	$(memory-seal-ldflag) \
 	$(LDFLAGS-soname-fname) $(LDFLAGS-rpath-ORIGIN) \
 	-shared -o $@.new $(filter-out $(map-file),$^)
 	$(call after-link,$@.new)
@@ -3232,7 +3242,7 @@ $(objpfx)tst-env-setuid-static.out: $(objpfx)tst-sonamemove-runmod1.so
 # We do not use $(link-test-modules-rpath-link) since the object has no
 # DT_NEEDED.
 $(objpfx)tst-nodeps1-mod.so: $(objpfx)tst-nodeps1-mod.os
-	$(LINK.o) -nostartfiles -nostdlib -shared -o $@ $^
+	$(LINK.o) -nostartfiles -nostdlib -shared $(memory-seal-ldflag) -o $@ $^
 tst-nodeps1.so-no-z-defs = yes
 # Link libc.so before the test module with the IFUNC resolver reference.
 LDFLAGS-tst-nodeps1 = $(common-objpfx)libc.so $(objpfx)tst-nodeps1-mod.so
@@ -3384,6 +3394,7 @@ CFLAGS-tst-nolink-libc.c += $(no-stack-protector) \
  -fno-exceptions -fno-unwind-tables -fno-asynchronous-unwind-tables
 $(objpfx)tst-nolink-libc-1: $(objpfx)tst-nolink-libc.o $(objpfx)ld.so
 	$(LINK.o) -nostdlib -nostartfiles -o $@ $< \
+	  $(memory-seal-ldflag) \
 	  -Wl,--dynamic-linker=$(objpfx)ld.so,--no-as-needed $(objpfx)ld.so
 $(objpfx)tst-nolink-libc-1.out: $(objpfx)tst-nolink-libc-1 $(objpfx)ld.so
 	$< > $@ 2>&1; $(evaluate-test)
diff --git a/manual/install.texi b/manual/install.texi
index d001e8220b..7056768885 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -280,6 +280,11 @@ C++ libraries.
 Disable using @code{scv} instruction for syscalls. All syscalls will use
 @code{sc} instead, even if the kernel supports @code{scv}. PowerPC only.
 
+@item --disable-default-memory-seal
+Don't build glibc libraries, programs, and the testsuite with
+memory sealing support (@code{GNU_PROPERTY_MEMORY_SEAL}).  By default,
+memory sealing is enabled if toolchain suports the linker option.
+
 @item --build=@var{build-system}
 @itemx --host=@var{host-system}
 These options are for cross-compiling.  If you specify both options and