From 6b2ebccd8c36923196d4b1b249a9cead4ff8ad15 Mon Sep 17 00:00:00 2001
From: kwb0523
Date: Thu, 1 Aug 2024 09:31:47 +0800
Subject: [PATCH] add some secure compilation options

Signed-off-by: kwb0523
---
 Makefile | 7 ++++---
 api/v2-c/Makefile | 4 +++-
 bpf/deserialization_to_bpf_map/Makefile | 4 +++-
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 70942ac8f..4a716e028 100644
--- a/Makefile
+++ b/Makefile
@@ -36,6 +36,7 @@ LDFLAGS := "-X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=w
 -X kmesh.net/kmesh/pkg/version.gitCommit=$(GIT_COMMIT_HASH) \
 -X kmesh.net/kmesh/pkg/version.gitTreeState=$(GIT_TREESTATE) \
 -X kmesh.net/kmesh/pkg/version.buildDate=$(BUILD_DATE)"
+EXTLDFLAGS := '-fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack'
 
 # target
 APPS1 := kmesh-daemon
@@ -79,7 +80,7 @@ all:
 $(call printlog, BUILD, $(APPS1))
 $(QUIET) (export PKG_CONFIG_PATH=$(PKG_CONFIG_PATH):$(ROOT_DIR)mk; \
- $(GO) build -ldflags $(LDFLAGS) -tags $(ENHANCED_KERNEL) -o $(APPS1) $(GOFLAGS) ./daemon/main.go)
+ $(GO) build -ldflags $(LDFLAGS) -ldflags "-linkmode=external -extldflags $(EXTLDFLAGS)" -tags $(ENHANCED_KERNEL) -o $(APPS1) $(GOFLAGS) ./daemon/main.go)
 
 $(call printlog, BUILD, "kernel")
 $(QUIET) make -C kernel/ko_src
@@ -89,7 +90,7 @@ all:
 $(call printlog, BUILD, $(APPS3))
 $(QUIET) (export PKG_CONFIG_PATH=$(PKG_CONFIG_PATH):$(ROOT_DIR)mk; \
- $(GO) build -ldflags $(LDFLAGS) -tags $(ENHANCED_KERNEL) -o $(APPS3) $(GOFLAGS) ./cniplugin/main.go)
+ $(GO) build -ldflags $(LDFLAGS) -ldflags "-linkmode=external -extldflags $(EXTLDFLAGS)" -tags $(ENHANCED_KERNEL) -o $(APPS3) $(GOFLAGS) ./cniplugin/main.go)
 
 .PHONY: gen-proto
 gen-proto:
@@ -186,4 +187,4 @@ clean:
 $(QUIET) if docker ps -a -q -f name=kmesh-build | grep -q .; then \
 docker rm -f kmesh-build; \
- fi
\ No newline at end of file
+ fi
diff --git a/api/v2-c/Makefile b/api/v2-c/Makefile
index 9144a0766..dd7159f9d 100644
--- a/api/v2-c/Makefile
+++ b/api/v2-c/Makefile
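Review bot: `-fPIE -pie` in the new EXTLDFLAGS line is not the supported route to a position-independent Go binary: `-fPIE` is a compile-time option that does nothing at the link step, and `-pie` handed to the external linker without `go build -buildmode=pie` may be dropped or conflict with how the Go objects were generated. Prefer `-buildmode=pie` on the `go build` lines and keep the variable to the linker options, `EXTLDFLAGS := '-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack'`. Whatever is chosen, confirm the result on the built kmesh-daemon with `readelf -h` (Type: DYN) and `readelf -d` (BIND_NOW, RELRO), since a flag that is silently ignored gives no hardening while looking like it does. A one-line comment above the variable saying these options are handed to the external C linker through `-extldflags` would help the next reader.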
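Review bot: The rewritten build line in this hunk, and the matching one in the `@@ -89,7 +90,7 @@` hunk, pass `-ldflags` twice; Go's -ldflags is a per-package flag and, as far as I can tell, a later plain value replaces an earlier one rather than appending, so the `-X kmesh.net/kmesh/pkg/version.*` stamps in $(LDFLAGS) would be lost from both kmesh-daemon and the CNI plugin. Fold the external-linker options into the single quoted string instead: move the `EXTLDFLAGS :=` assignment above LDFLAGS (both are `:=`, so order matters) and end the LDFLAGS definition with `-X kmesh.net/kmesh/pkg/version.buildDate=$(BUILD_DATE) -linkmode=external -extldflags $(EXTLDFLAGS)"`, leaving the recipes at `-ldflags $(LDFLAGS)`. A quick regression check is `go version -m kmesh-daemon`, which lists the ldflags the binary was built with, so the -X stamps should still appear there after the change. The `all:` recipe these lines belong to starts before the hunk.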
@@ -24,9 +24,11 @@ INCLUDES = -I./
 
 # compiler flags
 LDFLAGS := -lprotobuf-c
+LDFLAGS += -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
 CFLAGS := $(EXTRA_CFLAGS) $(EXTRA_CDEFINE)
-CFLAGS += -fstack-protector -fPIC
+CFLAGS += -fstack-protector-strong -fPIC
 CFLAGS += -Wall -Werror
+CFLAGS += -D_FORTIFY_SOURCE=2 -O2
 
 SOURCES = $(wildcard */*.c)
 OBJECTS = $(subst .c,.o,$(SOURCES))
diff --git a/bpf/deserialization_to_bpf_map/Makefile b/bpf/deserialization_to_bpf_map/Makefile
index 80ab24e04..4924687f8 100644
--- a/bpf/deserialization_to_bpf_map/Makefile
+++ b/bpf/deserialization_to_bpf_map/Makefile
@@ -10,9 +10,11 @@ INCLUDES =
 
 # compiler flags
 LDFLAGS := -lbpf -lboundscheck
+LDFLAGS += -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
 CFLAGS := $(EXTRA_CFLAGS) $(EXTRA_CDEFINE)
-CFLAGS += -fstack-protector -fPIC
+CFLAGS += -fstack-protector-strong -fPIC
 CFLAGS += -Wall -Werror
+CFLAGS += -D_FORTIFY_SOURCE=2 -O2
 
 SOURCES = $(wildcard *.c)
 OBJECTS = $(subst .c,.o,$(SOURCES))
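Review bot: The hardening options added here and in the bpf/deserialization_to_bpf_map hunk go into CFLAGS and LDFLAGS with `+=`, which a command-line `make CFLAGS=...` or `make LDFLAGS=...` overrides entirely, so the stack protector, FORTIFY and RELRO/now/noexecstack flags vanish silently in exactly the custom builds where nobody re-checks them. Keep the mandatory flags apart from the user knob, e.g. `HARDEN_CFLAGS := -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2` and `HARDEN_LDFLAGS := -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack` referenced explicitly in the compile and link rules, or use `override CFLAGS += ...`. Note also that `-O2` lands after $(EXTRA_CFLAGS), so it wins over any `-O0` a debug build passes in; presumably intended because _FORTIFY_SOURCE only takes effect with optimisation, but that deserves a comment such as `# _FORTIFY_SOURCE needs optimisation; -O2 intentionally follows EXTRA_CFLAGS`. Verify the produced objects with `readelf -d` (BIND_NOW, RELRO present) and `readelf -lW` (GNU_STACK flags without E).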