From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001
From: zjw
Date: Mon, 20 Jun 2022 20:08:24 +0800
Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options

---
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 49a90e6..2bc5dd5 100644
--- a/Makefile
+++ b/Makefile
@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
 mkdir -p $(BEP_DIR)
 @echo "$(WHALE) $@${BINARY_SUFFIX}"
 CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong" \
- CGO_CPPFLAGS="-fstack-protector-strong" \
+ CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
 CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE
 bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
 @echo "$(WHALE) bin/containerd-shim"
 CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong -fPIE" \
- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
-- 
2.30.0
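Review bot: The added `-D_FORTIFY_SOURCE=2` in the new CGO_CFLAGS/CGO_CPPFLAGS lines (both the bin/% hunk and the bin/containerd-shim hunk) will collide with toolchains that already predefine `_FORTIFY_SOURCE` in their specs, producing a `"_FORTIFY_SOURCE" redefined` warning that becomes a build break under `-Werror`; the robust form is to undefine first, e.g. `CGO_CFLAGS="-fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -O2" \` (and the same with `-fPIE` for the shim). The `-O2` is needed because overriding CGO_CFLAGS drops cgo's default `-g -O2` and fortify is a no-op without optimization, which is worth a one-line comment above the recipe so it is not "cleaned up" later. Since cgo passes both CGO_CPPFLAGS and CGO_CFLAGS to the same compiler invocation, defining the macro and `-O2` in both is redundant; keeping the hardening flags in a single Makefile variable reused by both recipes would avoid the duplication across the two hunks. Note these flags harden only the C objects compiled through cgo, not the Go code itself, so they complement rather than replace the `-buildmode=pie` and RELRO/noexecstack linker options already present.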