From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001
From: zjw <zhongjiawei1@huawei.com>
Date: Mon, 20 Jun 2022 20:08:24 +0800
Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options
---
Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 49a90e6..2bc5dd5 100644
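--- a/Makefile
+++ b/Makefile
@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
 mkdir -p $(BEP_DIR)
 @echo "$(WHALE) $@${BINARY_SUFFIX}"
 CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong" \
- CGO_CPPFLAGS="-fstack-protector-strong" \
+ CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
 CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE
 bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
 @echo "$(WHALE) bin/containerd-shim"
 CGO_ENABLED=1 \
- CGO_CFLAGS="-fstack-protector-strong -fPIE" \
- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
 CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
 CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim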
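Review bot: In both recipes the added `-D_FORTIFY_SOURCE=2 -O2` is duplicated across `CGO_CFLAGS` and `CGO_CPPFLAGS`, which puts an optimisation flag in the preprocessor variable and defines the macro twice on each C compile; on toolchains that already predefine `_FORTIFY_SOURCE` this tends to produce redefinition warnings. I would keep `-O2` only in `CGO_CFLAGS`, write the define once as `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, and hoist the shared hardening flags into one Makefile variable so the `bin/%` and `bin/containerd-shim` rules cannot drift apart. The comment on the `bin/containerd-shim` rule still says "set !cgo and omit pie" although the recipe sets `CGO_ENABLED=1`, `-fPIE` and `-buildmode=pie`; it should be rewritten to describe the hardened PIE build. Fortification only covers C code compiled through cgo, so a post-build check of the produced binaries (RELRO, PIE, presence of `__*_chk` symbols) would confirm the options actually took effect.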
--
2.30.0