-rw-r--r--share/mk/bsd.lib.mk4
-rw-r--r--share/mk/bsd.opts.mk1
-rw-r--r--share/mk/bsd.prog.mk4
-rw-r--r--tools/build/options/WITHOUT_BIND_NOW5
-rw-r--r--tools/build/options/WITH_BIND_NOW5
5 files changed, 19 insertions, 0 deletions
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
index 2dfac241122a..5c1a38ce7ccd 100644
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -69,6 +69,10 @@ TAGS+= package=${PACKAGE:Uruntime}
TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
.endif
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
.if ${MK_RETPOLINE} != "no"
CFLAGS+= -mretpoline
CXXFLAGS+= -mretpoline
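Review bot: The new comment `# ELF hardening knobs` above the `MK_BIND_NOW` block does not say what `-Wl,-znow` hardens or what it depends on, and the same applies to the identical block in the bsd.prog.mk hunk. Immediate binding is mainly a protection when the linker also applies RELRO, since only then can the GOT be made read-only once startup relocation is done; whether `-z relro` is in effect for these links is not visible in this diff. I would expand the comment to something like `# BIND_NOW: resolve all symbols at load time; together with RELRO this lets the GOT be mapped read-only (costs some startup time)`. The `MK_RETPOLINE` conditional that follows the added lines is closed outside the hunk.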
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index 30255dd9b4dd..5a5bf811ddf9 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -69,6 +69,7 @@ __DEFAULT_YES_OPTIONS = \
WARNS
__DEFAULT_NO_OPTIONS = \
+ BIND_NOW \
CCACHE_BUILD \
CTF \
INSTALL_AS_USER \
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
index b82a89d42adc..2b151c0af7b0 100644
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -34,6 +34,10 @@ PROG= ${PROG_CXX}
MK_DEBUG_FILES= no
.endif
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
.if ${MK_RETPOLINE} != "no"
CFLAGS+= -mretpoline
CXXFLAGS+= -mretpoline
diff --git a/tools/build/options/WITHOUT_BIND_NOW b/tools/build/options/WITHOUT_BIND_NOW
new file mode 100644
index 000000000000..f35a7653aa3b
--- /dev/null
+++ b/tools/build/options/WITHOUT_BIND_NOW
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Do not build all binaries with the
+.Dv DF_BIND_NOW
+flag set.
+Run-time relocation processing will be performed on demand.
diff --git a/tools/build/options/WITH_BIND_NOW b/tools/build/options/WITH_BIND_NOW
new file mode 100644
index 000000000000..02e4c37352b4
--- /dev/null
+++ b/tools/build/options/WITH_BIND_NOW
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Build all binaries with the
+.Dv DF_BIND_NOW
+flag set to indicate that the run-time loader should perform all relocation
+processing at process startup rather than on demand.