lxcfs-tools/0001-lxcfs-tools-build-security-option.patch

From 5a612ba26670f44197906df518b772bf116c0efe Mon Sep 17 00:00:00 2001
From: zhangsong <zhangsong34@huawei.com>
Date: Fri, 29 Jan 2021 14:50:19 +0800
Subject: [PATCH] lxcfs-tools: build security option

Signed-off-by: zhangsong <zhangsong34@huawei.com>
---
 Makefile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 3eb27a3..a597ff4 100644
--- a/Makefile
+++ b/Makefile
@@ -20,11 +20,15 @@ TAGS="cgo static_build"
 BEP_DIR=/tmp/lxcfs-tools-build-bep
 BEP_FLAGS=-tmpdir=/tmp/lxcfs-tools-build-bep
 
-GO_LDFLAGS="-w -buildid=IdByiSula -extldflags -static $(BEP_FLAGS) -X main.gitCommit=${COMMIT} -X main.version=${VERSION}"
+GO_LDFLAGS="-buildid=IdByiSula $(BEP_FLAGS) -extldflags=-static -extldflags=-Wl,-z,relro,-z,now -X main.gitCommit=${COMMIT} -X main.version=${VERSION}"
 DEF_GOPATH=${GOPATH}
 ifneq ($(GOPATH), )
 CUS_GOPATH=${GOPATH}:${PWD}
-ENV = GOPATH=${CUS_GOPATH} CGO_ENABLED=1
+ENV = GOPATH=${CUS_GOPATH} \
+      CGO_ENABLED=1 \
+      CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+      CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+      CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack"
 else
 ENV = CGO_ENABLED=1
 endif
@@ -35,12 +39,12 @@ dep:
 
 toolkit:  $(SOURCES) | $(DEPS_LINK)
 	@echo "Making lxcfs-tools..."
-	${ENV} go build -mod=vendor -tags ${TAGS} -ldflags ${GO_LDFLAGS} -o build/lxcfs-tools .
+	${ENV} go build -buildmode=pie -mod=vendor -tags ${TAGS} -ldflags ${GO_LDFLAGS} -o build/lxcfs-tools .
 	@echo "Done!"
 
 lxcfs-hook: $(SOURCES) | $(DEPS_LINK)
 	@echo "Making lxcfs-hook..."
-	${ENV} go build -mod=vendor -tags ${TAGS} -ldflags ${GO_LDFLAGS} -o build/lxcfs-hook ./hooks/lxcfs-hook
+	${ENV} go build -buildmode=pie -mod=vendor -tags ${TAGS} -ldflags ${GO_LDFLAGS} -o build/lxcfs-hook ./hooks/lxcfs-hook
 	@echo "Done!"
 
 clean:
-- 
1.8.3.1