From 69b1e01166fb92bd0aa700360465eb3abefaa24c Mon Sep 17 00:00:00 2001
From: TaylorKanper
Date: Sat, 2 Apr 2022 10:07:42 +0800
Subject: [PATCH 1/2] Added some secure compilation options, especially PIE and RELRO.
Signed-off-by: TaylorKanper
---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 677d63b7..e7a63a4a 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ WHALE = "+"
 TESTFLAGS_RACE=
 GOFILES=$(shell find . -type f -name '*.go')
 GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
-GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
+GO_LDFLAGS=-ldflags '-extldflags "-Wl,-z,now" -s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
 BINARIES=$(addprefix bin/,$(COMMANDS))
@@ -88,14 +88,14 @@ FORCE:
 # Build a binary from a cmd.
 bin/%: cmd/% FORCE
 @echo "$(WHALE) $@${BINARY_SUFFIX}"
- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
+ @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} ./$<
 binaries: $(BINARIES) ## build binaries
 @echo "$(WHALE) $@"
 build:
 @echo "$(WHALE) $@"
- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} ${GO_TAGS} $(PACKAGES)
+ @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} $(PACKAGES)
 clean: ## clean up binaries
 @echo "$(WHALE) $@"
From 18b2b9f45557c7c90ace9fae059ecb5c6603bb42 Mon Sep 17 00:00:00 2001
From: TaylorKanper
Date: Sat, 2 Apr 2022 17:58:47 +0800
Subject: [PATCH 2/2] Added some secure compilation options PIE
Signed-off-by: TaylorKanper
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index e7a63a4a..732823c2 100644
--- a/Makefile
+++ b/Makefile
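Review bot: In patch 1/2 (hunk `@@ -30,7`), the new `-extldflags "-Wl,-z,now"` in `GO_LDFLAGS` only reaches a linker when the Go toolchain links externally, so binaries that are linked internally (commonly pure-Go or cgo-disabled builds) would come out unchanged, and nothing in the build reports that. `-z now` on its own also leans on the toolchain's default for `-z relro`; to get the RELRO the subject line promises, spell both out, e.g. `-extldflags "-Wl,-z,relro,-z,now"`. Because `$(EXTRA_LDFLAGS)` is expanded after it inside the same quoted string, an `-extldflags` supplied there would presumably replace this one. I would add a comment above the assignment saying so, plus a post-build `readelf -ld` check for `GNU_RELRO` and `BIND_NOW` on the produced binaries.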
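Review bot: In patch 1/2 (hunk `@@ -88,14`), both changed recipe lines, under `bin/%` and `build`, now pass `-ldflags` twice: `${GO_LDFLAGS}` followed by `--ldflags '-extldflags "-Wl,-z,now" -s'`. As far as I know `go build` uses the last matching `-ldflags` rather than merging them. If so, the second flag discards everything in `GO_LDFLAGS`, namely `-w`, the three `-X $(PKG)/version.*` stamps and `$(EXTRA_LDFLAGS)`, so the binaries would ship without version and revision strings and it becomes harder to tell which build is deployed when matching hosts against an advisory. The first hunk already puts `-extldflags "-Wl,-z,now"` into `GO_LDFLAGS`, so the extra flag can be dropped from both lines, e.g. `@go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} ${GO_TAGS} $(PACKAGES)`. The same duplicate is still present on both lines in patch 2/2.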
@@ -88,14 +88,14 @@ FORCE:
 # Build a binary from a cmd.
 bin/%: cmd/% FORCE
 @echo "$(WHALE) $@${BINARY_SUFFIX}"
- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} ./$<
+ @go build -buildmode=pie ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} ./$<
 binaries: $(BINARIES) ## build binaries
 @echo "$(WHALE) $@"
 build:
 @echo "$(WHALE) $@"
- @go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} $(PACKAGES)
+ @go build -buildmode=pie ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} $(PACKAGES)
 clean: ## clean up binaries
 @echo "$(WHALE) $@"
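Review bot: `-buildmode=pie` is hard-coded into both recipe lines, ahead of `${GO_BUILD_FLAGS}`, so it applies to every platform and build configuration this Makefile serves. Go does not support PIE on every GOOS/GOARCH pair, and a fully static link (if `EXTRA_LDFLAGS` is used for one, which is not visible in this hunk) tends to conflict with it. I would move the flag into a variable set under a platform conditional, so unsupported targets keep building and the hardening choice is documented in one place, e.g. `GO_BUILDMODE ?= -buildmode=pie` (the variable name is a placeholder) referenced as `@go build ${GO_BUILDMODE} ${GO_GCFLAGS} ...`. A one-line comment next to it should state that PIE is there to let ASLR randomise the executable's load address, so a later reader does not remove it as a no-op.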