Merge pull request #658 from kwb0523/main

add some secure compilation options
kmesh-net · Aug 2, 2024 · 084f519 · 084f519
2 parents 9c10c28 + 6b2ebcc
commit 084f519
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -36,6 +36,7 @@ LDFLAGS := "-X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=w
 			-X kmesh.net/kmesh/pkg/version.gitCommit=$(GIT_COMMIT_HASH) \
 			-X kmesh.net/kmesh/pkg/version.gitTreeState=$(GIT_TREESTATE) \
 			-X kmesh.net/kmesh/pkg/version.buildDate=$(BUILD_DATE)"
+EXTLDFLAGS := '-fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack'
 
 # target
 APPS1 := kmesh-daemon
@@ -79,7 +80,7 @@ all:
 
 	$(call printlog, BUILD, $(APPS1))
 	$(QUIET) (export PKG_CONFIG_PATH=$(PKG_CONFIG_PATH):$(ROOT_DIR)mk; \
-		$(GO) build -ldflags $(LDFLAGS) -tags $(ENHANCED_KERNEL) -o $(APPS1) $(GOFLAGS) ./daemon/main.go)
+		$(GO) build -ldflags $(LDFLAGS) -ldflags "-linkmode=external -extldflags $(EXTLDFLAGS)" -tags $(ENHANCED_KERNEL) -o $(APPS1) $(GOFLAGS) ./daemon/main.go)
 
 	$(call printlog, BUILD, "kernel")
 	$(QUIET) make -C kernel/ko_src
@@ -89,7 +90,7 @@ all:
 
 	$(call printlog, BUILD, $(APPS3))
 	$(QUIET) (export PKG_CONFIG_PATH=$(PKG_CONFIG_PATH):$(ROOT_DIR)mk; \
-		$(GO) build -ldflags $(LDFLAGS) -tags $(ENHANCED_KERNEL) -o $(APPS3) $(GOFLAGS) ./cniplugin/main.go)
+		$(GO) build -ldflags $(LDFLAGS) -ldflags "-linkmode=external -extldflags $(EXTLDFLAGS)" -tags $(ENHANCED_KERNEL) -o $(APPS3) $(GOFLAGS) ./cniplugin/main.go)
 
 .PHONY: gen-proto
 gen-proto:
@@ -186,4 +187,4 @@ clean:
 
 	$(QUIET) if docker ps -a -q -f name=kmesh-build | grep -q .; then \
 		docker rm -f kmesh-build; \
-	fi
+	fi
diff --git a/api/v2-c/Makefile b/api/v2-c/Makefile
@@ -24,9 +24,11 @@ INCLUDES = -I./
 
 # compiler flags
 LDFLAGS := -lprotobuf-c
+LDFLAGS += -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
 CFLAGS := $(EXTRA_CFLAGS) $(EXTRA_CDEFINE)
-CFLAGS += -fstack-protector -fPIC
+CFLAGS += -fstack-protector-strong -fPIC
 CFLAGS += -Wall -Werror
+CFLAGS += -D_FORTIFY_SOURCE=2 -O2
 
 SOURCES = $(wildcard */*.c)
 OBJECTS = $(subst .c,.o,$(SOURCES))

diff --git a/bpf/deserialization_to_bpf_map/Makefile b/bpf/deserialization_to_bpf_map/Makefile
@@ -10,9 +10,11 @@ INCLUDES =
 
 # compiler flags
 LDFLAGS := -lbpf -lboundscheck
+LDFLAGS += -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
 CFLAGS := $(EXTRA_CFLAGS) $(EXTRA_CDEFINE)
-CFLAGS += -fstack-protector -fPIC
+CFLAGS += -fstack-protector-strong -fPIC
 CFLAGS += -Wall -Werror
+CFLAGS += -D_FORTIFY_SOURCE=2 -O2
 
 SOURCES = $(wildcard *.c)
 OBJECTS = $(subst .c,.o,$(SOURCES))