containerd/patch/0092-containerd-add-CGO-sercurity-build-options.patch

From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001
From: zjw <zhongjiawei1@huawei.com>
Date: Mon, 20 Jun 2022 20:08:24 +0800
Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options

---
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 49a90e6..2bc5dd5 100644
--- a/Makefile
+++ b/Makefile
@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
 	mkdir -p $(BEP_DIR)
 	@echo "$(WHALE) $@${BINARY_SUFFIX}"
 	CGO_ENABLED=1 \
-	CGO_CFLAGS="-fstack-protector-strong" \
-	CGO_CPPFLAGS="-fstack-protector-strong" \
+	CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 	go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS}  ./$<
@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE
 bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
 	@echo "$(WHALE) bin/containerd-shim"
 	CGO_ENABLED=1 \
-	CGO_CFLAGS="-fstack-protector-strong -fPIE" \
-	CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 	go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
-- 
2.30.0
containerd: bugfix and add CGO security build option (cherry picked from commit eb136438cf63fae5754c31920a6bf8afaeded135) 2022-09-22 19:16:02 +08:00			`From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001`
			`From: zjw <zhongjiawei1@huawei.com>`
			`Date: Mon, 20 Jun 2022 20:08:24 +0800`
			`Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options`

			`---`
			`Makefile \| 8 ++++----`
			`1 file changed, 4 insertions(+), 4 deletions(-)`

			`diff --git a/Makefile b/Makefile`
			`index 49a90e6..2bc5dd5 100644`
			`--- a/Makefile`
			`+++ b/Makefile`
			`@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE`
			`mkdir -p $(BEP_DIR)`
			`@echo "$(WHALE) $@${BINARY_SUFFIX}"`
			`CGO_ENABLED=1 \`
			`- CGO_CFLAGS="-fstack-protector-strong" \`
			`- CGO_CPPFLAGS="-fstack-protector-strong" \`
			`+ CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \`
			`+ CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \`
			`CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \`
			`CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \`
			`go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<`
			`@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE`
			`bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220`
			`@echo "$(WHALE) bin/containerd-shim"`
			`CGO_ENABLED=1 \`
			`- CGO_CFLAGS="-fstack-protector-strong -fPIE" \`
			`- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \`
			`+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \`
			`+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \`
			`CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \`
			`CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \`
			`go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim`
			`--`
			`2.30.0`