Merge pull request #358 from jpwhitemn/enable-security-hardening

feat: enable security hardening
edgexfoundry · Apr 10, 2022 · 4d191eb · 4d191eb
2 parents f2e2f8a + ec9d6ac
commit 4d191eb
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -3,6 +3,12 @@
 GO=CGO_ENABLED=0 GO111MODULE=on go
 GOCGO=GCO_ENABLED=1 GO111MODULE=on go
 
+# see https://shibumi.dev/posts/hardening-executables
+CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CGO_CFLAGS="-O2 -pipe -fno-plt"
+CGO_CXXFLAGS="-O2 -pipe -fno-plt"
+CGO_LDFLAGS="-Wl,-O1,–sort-common,–as-needed,-z,relro,-z,now"
+
 MICROSERVICES=cmd/device-mqtt
 
 ARCH=$(shell uname -m)
@@ -16,15 +22,16 @@ DOCKERS=docker_device_mqtt_go
 VERSION=$(shell cat ./VERSION 2>/dev/null || echo 0.0.0)
 GIT_SHA=$(shell git rev-parse HEAD)
 
-GOFLAGS=-ldflags "-X github.com/edgexfoundry/device-mqtt-go.Version=$(VERSION)"
+GOFLAGS=-ldflags "-X github.com/edgexfoundry/device-mqtt-go.Version=$(VERSION)" -trimpath -mod=readonly
+CGOFLAGS=-ldflags "-linkmode=external -X github.com/edgexfoundry/device-mqtt-go.Version=$(VERSION)" -trimpath -mod=readonly -buildmode=pie
 
 tidy:
 	go mod tidy -compat=1.17
 
 build: $(MICROSERVICES)
 
 cmd/device-mqtt:
-	$(GOCGO) build $(GOFLAGS) -o $@ ./cmd
+	$(GOCGO) build $(CGOFLAGS) -o $@ ./cmd
 
 unittest:
 	$(GOCGO) test ./... -coverprofile=coverage.out ./...