From fa56b1bc1f531ed8085377a9d0fe0a5012d1ff6e Mon Sep 17 00:00:00 2001
From: Marc-Philippe Fuller <marc-philippe.fuller@intel.com>
Date: Thu, 28 Apr 2022 14:19:30 -0700
Subject: [PATCH] fix: updated makefile for security hardening (#78)

Signed-off-by: Marc-Philippe Fuller <marc-philippe.fuller@intel.com>
---
 Makefile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index f9e8c29e..980dda95 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,13 @@
 .PHONY: build test unittest lint clean prepare update docker
 
 GO=CGO_ENABLED=1 GO111MODULE=on go
+
+# see https://shibumi.dev/posts/hardening-executables
+CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CGO_CFLAGS="-O2 -pipe -fno-plt"
+CGO_CXXFLAGS="-O2 -pipe -fno-plt"
+CGO_LDFLAGS="-Wl,-O1,–sort-common,–as-needed,-z,relro,-z,now"
+
 ARCH=$(shell uname -m)
 
 MICROSERVICES=cmd/device-rfid-llrp
@@ -11,6 +18,9 @@ VERSION=$(shell cat ./VERSION 2>/dev/null || echo 0.0.0)
 
 GIT_SHA=$(shell git rev-parse HEAD)
 GOFLAGS=-ldflags "-X github.com/edgexfoundry/device-rfid-llrp.Version=$(VERSION)"
+CGOFLAGS=-ldflags "-linkmode=external -X github.com/edgexfoundry/app-functions-sdk-go/v2/internal.SDKVersion=$(SDKVERSION) \
+					-X github.com/edgexfoundry/app-functions-sdk-go/v2/internal.ApplicationVersion=$(APPVERSION) \
+					-X edgexfoundry/app-rfid-llrp-inventory.Version=$(APPVERSION)" -trimpath -mod=readonly -buildmode=pie
 
 build: $(MICROSERVICES)
 
@@ -18,7 +28,7 @@ tidy:
 	go mod tidy
 
 cmd/device-rfid-llrp:
-	$(GO) build $(GOFLAGS) -o $@ ./cmd
+	$(GO) build $(CGOFLAGS) -o $@ ./cmd
 
 unittest:
 	$(GO) test ./... -coverprofile=coverage.out ./...