Hi,

We at Alpine Linux would like to ship Go so that it defaults to the PIE buildmode. We acknowledge that Go generally produces safer code, but we still consider PIE a viable protection when linking C (or other) code into Go applications. If the external code has security issues, having the main binary built as PIE is an additional security measure, as without it ASLR is not fully effective. It is also long-standing Alpine Linux policy to ship PIE builds where possible.
For Go 1.7 we just used the following patch: https://git.alpinelinux.org/cgit/aports/plain/community/go/default-buildmode-pie.patch and it seems to work. We are in the process of upgrading to Go 1.8.1, but the same patch no longer works. During the bootstrap build it fails with:

> ##### Building go_bootstrap for host, linux/amd64.
> ...
> go/parser
> go/doc
> go/build
> cmd/go
> 2017/04/28 05:52:33 cannot handle R_TLS_IE (sym sync/atomic.(*Value).Store) when linking internally
> go tool dist: FAILED: /home/tteras/aports/community/go/src/go/pkg/tool/linux_amd64/link -o /home/tteras/aports/community/go/src/go/pkg/tool/linux_amd64/go_bootstrap /tmp/go-tool-dist-538310359/cmd/go/_go_.a: exit status 1

This seems to be related to using the internal linker. Apparently it is tried regardless of PIE mode. Any suggestions how to fix this (other than the obvious: use the regular exe build mode)?

I also tried the following patch, but it did not help:

--- go.orig/src/cmd/link/internal/ld/config.go	2017-04-07 16:54:08.000000000 +0000
+++ go/src/cmd/link/internal/ld/config.go	2017-04-27 13:44:30.878077639 +0000
@@ -195,12 +195,8 @@
 	case BuildmodeCShared:
 		return true, "buildmode=c-shared"
 	case BuildmodePIE:
-		switch obj.GOOS + "/" + obj.GOARCH {
-		case "linux/amd64":
-		default:
-			// Internal linking does not support TLS_IE.
-			return true, "buildmode=pie"
-		}
+		// Internal linking does not support TLS_IE.
+		return true, "buildmode=pie"
 	case BuildmodePlugin:
 		return true, "buildmode=plugin"
 	case BuildmodeShared:

I am wondering how the default buildmode could be changed to PIE natively. Perhaps a build-time configuration (environment) option for the default build mode could be added?

Thanks,
Timo
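Review bot: this hunk only changes what `mustLinkExternal` returns once the linker is already in `case BuildmodePIE:`, but the failing command quoted above is `go tool dist` calling `.../pkg/tool/linux_amd64/link -o .../go_bootstrap .../cmd/go/_go_.a` with no `-buildmode` flag at all, so that linker invocation is in the default exe buildmode and never reaches the branch being edited; that is consistent with the patch "not helping". The thing to check first is how dist builds go_bootstrap (which buildmode and compile flags it passes for cmd/go) and whether the Alpine default-buildmode patch affects those, since the error is an R_TLS_IE relocation in the compiled objects meeting an internal, exe-mode link. On the hunk itself: with the `switch` gone, the surviving `// Internal linking does not support TLS_IE.` comment is now misleading, because the deleted `case "linux/amd64":` existed precisely because internal linking on that target does handle PIE; if the change is kept, reword the comment to say external linking is being forced unconditionally for PIE.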
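The security goal behind the request is that the main binary, not just the libraries it loads, is an ET_DYN image so the kernel randomises its base under ASLR. The following is an added example (not part of Timo's post, the Alpine patch, or the Go toolchain) of how a package maintainer can verify that property on a built binary with Go's own `debug/elf`. The function and file names here are mine, and the header-only ELF image it builds for the offline demonstration is constructed sample input, not a real executable.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
)

// PIEStatus reports whether the ELF image readable through r was linked as a
// position-independent executable. The kernel only randomises the load base
// of ET_DYN images, so an ET_EXEC main binary leaves its own text and data at
// a fixed address even when every library it loads is position-independent.
// That is the property the Alpine PIE policy is after.
func PIEStatus(r io.ReaderAt) (isPIE bool, typ elf.Type, err error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return false, 0, err
	}
	defer f.Close()
	// Caveat: ET_DYN also describes shared libraries. For a file you intend
	// to execute directly, ET_DYN means PIE. A stricter check could also look
	// for DT_FLAGS_1 with DF_1_PIE or a PT_INTERP segment, but a statically
	// linked Go PIE need not carry either, so the type is the portable signal.
	return f.Type == elf.ET_DYN, f.Type, nil
}

// CheckBinary is the on-disk form of PIEStatus, for use against the output
// of `go build -buildmode=pie` (or of a patched toolchain that defaults to it).
func CheckBinary(path string) (bool, elf.Type, error) {
	fh, err := os.Open(path)
	if err != nil {
		return false, 0, err
	}
	defer fh.Close()
	return PIEStatus(fh)
}

// minimalELF64 is constructed sample input: a header-only little-endian ELF64
// image (no program or section headers) of the requested type. It is enough
// for debug/elf to parse, so the check can be exercised without a toolchain;
// it is not a loadable binary.
func minimalELF64(typ elf.Type) []byte {
	hdr := elf.Header64{
		Type:    uint16(typ),
		Machine: uint16(elf.EM_X86_64),
		Version: uint32(elf.EV_CURRENT),
		Ehsize:  64, // sizeof(Elf64_Ehdr)
	}
	copy(hdr.Ident[:], elf.ELFMAG)
	hdr.Ident[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	hdr.Ident[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	hdr.Ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	hdr.Ident[elf.EI_OSABI] = byte(elf.ELFOSABI_NONE)
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, &hdr); err != nil {
		panic(err) // cannot happen for a fixed-size struct
	}
	return buf.Bytes()
}

func main() {
	if len(os.Args) < 2 {
		// No files given: demonstrate on the two constructed headers.
		for _, typ := range []elf.Type{elf.ET_EXEC, elf.ET_DYN} {
			pie, got, err := PIEStatus(bytes.NewReader(minimalELF64(typ)))
			fmt.Printf("constructed %-8v -> pie=%v type=%v err=%v\n", typ, pie, got, err)
		}
		return
	}
	exit := 0
	for _, path := range os.Args[1:] {
		pie, typ, err := CheckBinary(path)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", path, err)
			exit = 2
		case pie:
			fmt.Printf("%s: PIE (%v)\n", path, typ)
		default:
			fmt.Printf("%s: NOT PIE (%v)\n", path, typ)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run it with no arguments to see the constructed ET_EXEC and ET_DYN headers classified, or as `go build -buildmode=pie -o app . && ./pie-check app` against a real build; a non-zero exit for a non-PIE main binary makes it usable as a packaging-time gate, which is the check a distribution policy like Alpine's actually needs independent of how the toolchain default is set.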