From 1606587477d0302e050d0728abccfc1a51248bda Mon Sep 17 00:00:00 2001
From: Jim Wang
Date: Tue, 8 Mar 2022 12:43:03 -0700
Subject: [PATCH] feat(security): Enable security-hardened go binaries for cgo flags

Add hardening CGO flags for go binaries

Fixes: #3880

Signed-off-by: Jim Wang
---
 Makefile | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 047e74e387..6d4f5c18e9 100644
--- a/Makefile
+++ b/Makefile
@@ -8,6 +8,12 @@
 .PHONY: build clean unittest hadolint lint test docker run
 
 GO=CGO_ENABLED=0 GO111MODULE=on go
+
+# see https://shibumi.dev/posts/hardening-executables
+CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CGO_CFLAGS="-O2 -pipe -fno-plt"
+CGO_CXXFLAGS="-O2 -pipe -fno-plt"
+CGO_LDFLAGS="-Wl,-O1,–sort-common,–as-needed,-z,relro,-z,now"
 GOCGO=CGO_ENABLED=1 GO111MODULE=on go
 
 DOCKERS= \
@@ -42,7 +48,8 @@ MICROSERVICES= \
 VERSION=$(shell cat ./VERSION 2>/dev/null || echo 0.0.0)
 DOCKER_TAG=$(VERSION)-dev
 
-GOFLAGS=-ldflags "-X github.com/edgexfoundry/edgex-go.Version=$(VERSION)"
+GOFLAGS=-ldflags "-X github.com/edgexfoundry/edgex-go.Version=$(VERSION)" -trimpath -mod=readonly
+CGOFLAGS=-ldflags "-linkmode=external -X github.com/edgexfoundry/edgex-go.Version=$(VERSION)" -trimpath -mod=readonly -buildmode=pie
 GOTESTFLAGS?=-race
 
 GIT_SHA=$(shell git rev-parse HEAD)
@@ -58,7 +65,7 @@ cmd/core-metadata/core-metadata:
 	$(GO) build $(GOFLAGS) -o $@ ./cmd/core-metadata
 
 cmd/core-data/core-data:
-	$(GOCGO) build $(GOFLAGS) -o $@ ./cmd/core-data
+	$(GOCGO) build $(CGOFLAGS) -o $@ ./cmd/core-data
 
 cmd/core-command/core-command:
 	$(GO) build $(GOFLAGS) -o $@ ./cmd/core-command
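Review bot: The four new `CGO_CPPFLAGS`/`CGO_CFLAGS`/`CGO_CXXFLAGS`/`CGO_LDFLAGS` assignments in the first hunk are plain Make variables that are neither `export`ed nor placed on the `go` command line, so the cgo toolchain never sees them and the hardening is a no-op — `GOCGO` still expands to just `CGO_ENABLED=1 GO111MODULE=on go`. The least invasive fix is to pass them through the shell on that line, `GOCGO=CGO_ENABLED=1 GO111MODULE=on CGO_CPPFLAGS=$(CGO_CPPFLAGS) CGO_CFLAGS=$(CGO_CFLAGS) CGO_CXXFLAGS=$(CGO_CXXFLAGS) CGO_LDFLAGS=$(CGO_LDFLAGS) go`, which also lets the shell strip the literal double quotes in the values; a bare `export` of the variables would instead hand cgo the quote characters as part of the flags and the C compiler would reject them. Separately, `–sort-common` and `–as-needed` in `CGO_LDFLAGS` appear to be written with U+2013 en dashes rather than `--`; if that is in the committed file and not a rendering artefact of this page, ld will treat them as input file names and the link will fail once the flags do reach it, so they should read `--sort-common,--as-needed`. Checking the built core-data with `readelf -d` for `BIND_NOW` and a `GNU_RELRO` segment would confirm the flags actually landed.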
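Review bot: In the second hunk only `CGOFLAGS` carries `-buildmode=pie`, so every service still built with `GOFLAGS` (all of them except core-data, per the third hunk) ships as a non-PIE executable and gets no ASLR for its text segment, which is the larger part of the attack surface this change is meant to harden. Go's internal linker supports PIE without cgo on linux/amd64 and linux/arm64 (I believe since Go 1.15), so `-buildmode=pie` could be appended to `GOFLAGS` as well, `GOFLAGS=-ldflags "-X github.com/edgexfoundry/edgex-go.Version=$(VERSION)" -trimpath -mod=readonly -buildmode=pie`, unless one of the platforms in DOCKERS/MICROSERVICES lacks PIE support, which I cannot tell from this hunk. The `CGOFLAGS` line would also benefit from a one-line comment stating why `-linkmode=external` is required, e.g. `# external link so the CGO_LDFLAGS hardening (relro, now) is applied by the system linker`, since a future cleanup could otherwise drop it and silently lose RELRO/BIND_NOW.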