From fb499f406340e142e6996b05772b5661938fefa5 Mon Sep 17 00:00:00 2001
From: xiadanni
Date: Mon, 22 Feb 2021 15:09:53 +0800
Subject: [PATCH] containerd: add CGO security build options
Signed-off-by: xiadanni
---
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Makefile b/Makefile
index 96c2370..102db9f 100644
--- a/Makefile
+++ b/Makefile
@@ -171,6 +171,11 @@ FORCE:
 bin/%: cmd/% FORCE
 mkdir -p $(BEP_DIR)
 @echo "$(WHALE) $@${BINARY_SUFFIX}"
+ CGO_ENABLED=1 \
+ CGO_CFLAGS="-fstack-protector-strong" \
+ CGO_CPPFLAGS="-fstack-protector-strong" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
 go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
 bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
--
1.8.3.1
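Review bot: The `CGO_*` assignments added to the `bin/%` recipe replace whatever the caller exported instead of extending it, so a packager's own `CGO_CFLAGS`/`CGO_LDFLAGS` are dropped and Go's default `-g -O2` for cgo C code no longer applies; a form such as `CGO_CFLAGS="$${CGO_CFLAGS:--g -O2} -fstack-protector-strong"` (and the same shape for `CGO_LDFLAGS`) keeps both. `CGO_LDFLAGS_ALLOW` is documented as governing `#cgo LDFLAGS` directives in source files rather than the environment variable, so it is worth confirming that the Go toolchain in use actually needs it before widening the allow-list. The `-Wl,-z,...` options only reach binaries that go through the external linker, and nothing visible here sets `-buildmode=pie` (it may be in `GO_BUILD_FLAGS`, defined outside the hunk), so a post-build `readelf -ld` check on each `bin/*` output for `GNU_RELRO`, `BIND_NOW` and a non-executable `GNU_STACK` would confirm the hardening took effect. The explicit `bin/containerd-shim` rule that follows has its recipe outside the hunk and does not inherit these settings.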