# HG changeset patch
# User Franz Glasner <fzglas.hg@dom66.de>
# Date 1758019052 -7200
# Node ID 5ab937c03c2741b1266fca9b261bc4b58dee8ef6
# Parent  b5f06508363a7a45830f56a1748f2311baede69b
Apply full RELRO to all generated binaries.

Also strip the generated binaries.

diff -r b5f06508363a -r 5ab937c03c27 mupdf-source/Makerules
--- a/mupdf-source/Makerules	Mon Sep 15 16:16:51 2025 +0200
+++ b/mupdf-source/Makerules	Tue Sep 16 12:37:32 2025 +0200
@@ -152,13 +152,13 @@
   LDFLAGS += -g
 else ifeq ($(build),release)
   CFLAGS += -pipe -O2 -DNDEBUG
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s,-z,relro,-z,now
 else ifeq ($(build),small)
   CFLAGS += -pipe -Os -DNDEBUG
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s,-z,relro,-z,now
 else ifeq ($(build),valgrind)
   CFLAGS += -pipe -O2 -DNDEBUG -DPACIFY_VALGRIND
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s,-z,relro,-z,now
 else ifeq ($(build),sanitize)
   CFLAGS += -pipe -g $(SANITIZE_FLAGS)
   LDFLAGS += -g $(SANITIZE_FLAGS)
@@ -173,7 +173,7 @@
   LIBS += -lgcov
 else ifeq ($(build),native)
   CFLAGS += -pipe -O2 -DNDEBUG -march=native
-  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s
+  LDFLAGS += $(LDREMOVEUNREACH) -Wl,-s,-z,relro,-z,now
 else ifeq ($(build),memento)
   CFLAGS += -pipe -g -DMEMENTO -DMEMENTO_MUPDF_HACKS
   LDFLAGS += -g -rdynamic
diff -r b5f06508363a -r 5ab937c03c27 mupdf-source/scripts/jlib.py
--- a/mupdf-source/scripts/jlib.py	Mon Sep 15 16:16:51 2025 +0200
+++ b/mupdf-source/scripts/jlib.py	Tue Sep 16 12:37:32 2025 +0200
@@ -2303,5 +2303,10 @@
             ret += ' -Wl,-rpath,@loader_path/.'
         else:
             ret += " -Wl,-rpath,'$ORIGIN',-z,origin"
+    # FreeBSD
+    #   Full RELRO
+    ret += ' -Wl,-z,relro,-z,now'
+    #   Strip
+    ret += ' -Wl,-s'
     #log('{sos=} {ld_origin=} {ret=}')
     return ret.strip()
diff -r b5f06508363a -r 5ab937c03c27 setup.py
--- a/setup.py	Mon Sep 15 16:16:51 2025 +0200
+++ b/setup.py	Tue Sep 16 12:37:32 2025 +0200
@@ -1214,6 +1214,12 @@
     if pyodide:
         compiler_extra += f' {pyodide_flags}'
         linker_extra += f' {pyodide_flags}'
+
+    # FreeBSD:
+    #   Full RELRO
+    linker_extra += ' -Wl,-z,relro,-z,now'
+    #   Strip
+    linker_extra += ' -Wl,-s'
         
     return compiler_extra, linker_extra, includes, defines, optimise, debug, libpaths, libs, libraries,