Opensnitchd 1.5.8 doesn't build with go version >= 1.19 unless -fcf-protection is set (Gentoo overlay) #851

Closed
kcning opened this issue Feb 15, 2023 · 6 comments

kcning commented Feb 15, 2023

Hello,

I packaged opensnitch for a Gentoo overlay, and I noticed that opensnitch wouldn't build with go version >= 1.19. I'm quite certain it's not a distribution issue (EDIT: ok maybe not...).

$ git clone https://github.com/evilsocket/opensnitch.git
$ git checkout 1.5.0
$ cd opensnitch/daemon/

$ make
go: module github.com/golang/protobuf is deprecated: Use the "google.golang.org/protobuf" module instead.
go: upgraded golang.org/x/net v0.0.0-20191028085509-fe3aa8a45271 => v0.0.0-20211209124913-491a49abca63
go: upgraded golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 => v0.0.0-20211205182925-97ca703d548d
# github.com/evilsocket/opensnitch/daemon/netfilter
cgo-gcc-prolog: In function '_cgo_aceefaf8538a_Cfunc_stop_reading_packets':
cgo-gcc-prolog:451:49: warning: unused variable '_cgo_a' [-Wunused-variable]
# github.com/iovisor/gobpf/elf
cgo: cannot load DWARF output from $WORK/b085//_cgo_.o: zlib: invalid header
make: *** [Makefile:16: opensnitchd] Error 1

$ go version
go version go1.20 linux/amd64

As a temporary workaround, if I modify the opensnitch/daemon/Makefile as follows

opensnitchd: $(SRC)
        @go get
        CGO_CPPFLAGS="${CPPFLAGS} -fcf-protection" \
        CGO_CFLAGS="${CFLAGS} -fcf-protection" \
        CGO_CXXFLAGS="${CXXFLAGS} -fcf-protection" \
        go build -o opensnitchd .

then the build works.

For now I'm not sure what caused the issue, as I'm not a Go guru. It appears to me there is a breaking change in the Go 1.19 release.

And last but not least: thank you for this nice software!

@gustavo-iniguez-goya changed the title from "Opensnitchd 1.5.8 doesn't build with go version >= 1.19 unless -fcf-protection is set" to "Opensnitchd 1.5.8 doesn't build with go version >= 1.19 unless -fcf-protection is set (Gentoo overlay)" on Feb 15, 2023
@gustavo-iniguez-goya
Collaborator

Hi @kcning !

cgo: cannot load DWARF output from $WORK/b085//_cgo_.o: zlib: invalid header

Based on previous reports, it looks like a problem with your system (not your distro):

#820

cgo: cannot load DWARF output from $WORK/b084//_cgo_.o: zlib: invalid header

I just built the package with go 1.20.1 on Debian and it compiled fine, so it doesn't seem to be an incompatibility with go (I've been using go1.19 for months, and the official packages on Debian are built with go1.19).

Maybe some hardening feature of Gentoo?

kcning commented Feb 15, 2023

Thank you for the quick reply. It might be some hardening flags indeed. I'll look into it further.

onny commented Feb 17, 2023

Also affecting opensnitch package in nixos-unstable recently NixOS/nixpkgs#216388
Not sure how to fix it yet :(

@gustavo-iniguez-goya
Collaborator

It seems to be a problem with Go >= 1.19 and -fstack-protector. With Go <= 1.18 it compiled fine, and apparently they'll try to fix it in the next releases.

golang/go#54422

golang/go#54422 (comment)

With -fstack-protector (zlib: invalid header error)

With -fno-stack-protector (no error)

@gustavo-iniguez-goya
Collaborator

It seems that Go has been adding/removing -fno-stack-protector by default: https://github.com/golang/go/commits/master/src/runtime/cgo/cgo.go

https://github.com/golang/go/blob/9f834a559c9ed6cdf883e29b36e21e5f956df74f/src/runtime/cgo/cgo.go#L26-L28

// Use -fno-stack-protector to avoid problems locating the
// proper support functions. See issues #52919, #54313, #58385.
#cgo CFLAGS: -Wall -Werror -fno-stack-protector

We also debugged this issue here: #768

@gustavo-iniguez-goya
Collaborator

Closing this issue. Either use the mentioned option, or use another golang version.
