Hi,

We in Alpine Linux would like to ship Go so that it defaults to PIE 
buildmode. We acknowledge that Go generally produces safer code, but we 
still consider it to be viable protection when linking C (or other) code 
into Go applications. If the external code has security issues, it is an 
additional security measure to have the main binary built as PIE, as without 
that ASLR is not fully effective. It is also long-standing Alpine Linux 
policy to ship PIE builds if possible.

For Go 1.7 we just used the following patch, and it seems to work: 
https://git.alpinelinux.org/cgit/aports/plain/community/go/default-buildmode-pie.patch

We are in the process of upgrading to Go 1.8.1, but the same patch no longer 
works. During the bootstrap build it fails with:

> ##### Building go_bootstrap for host, linux/amd64.
> ...
> go/parser
> go/doc
> go/build
> cmd/go
> 2017/04/28 05:52:33 cannot handle R_TLS_IE (sym 
> sync/atomic.(*Value).Store) when linking internally
> go tool dist: FAILED: 
> /home/tteras/aports/community/go/src/go/pkg/tool/linux_amd64/link -o 
> /home/tteras/aports/community/go/src/go/pkg/tool/linux_amd64/go_bootstrap 
> /tmp/go-tool-dist-538310359/cmd/go/_go_.a: exit status 1
>

This seems to be related to using the internal linker. Apparently it is 
tried regardless of PIE mode. Any suggestions on how to fix this (other than 
the obvious one: use the regular exe build mode)?

I also tried the following patch, but it did not help:

--- go.orig/src/cmd/link/internal/ld/config.go    2017-04-07 
16:54:08.000000000 +0000
+++ go/src/cmd/link/internal/ld/config.go    2017-04-27 13:44:30.878077639 
+0000
@@ -195,12 +195,8 @@
     case BuildmodeCShared:
         return true, "buildmode=c-shared"
     case BuildmodePIE:
-        switch obj.GOOS + "/" + obj.GOARCH {
-        case "linux/amd64":
-        default:
-            // Internal linking does not support TLS_IE.
-            return true, "buildmode=pie"
-        }
+        // Internal linking does not support TLS_IE.
+        return true, "buildmode=pie"
     case BuildmodePlugin:
         return true, "buildmode=plugin"
     case BuildmodeShared:
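
Review bot: dropping the `case "linux/amd64":` arm makes the `BuildmodePIE` branch force external linking on every target, yet the retained comment `// Internal linking does not support TLS_IE.` now also covers linux/amd64, the one target the original code exempted because its internal linker does support PIE; either reword the comment to say the exemption was removed on purpose, or limit the change to the configuration that actually fails. Also note that the failure quoted above comes from `go tool dist` running `pkg/tool/linux_amd64/link` directly on `go_bootstrap`, and that link still went through the internal linker after this patch, so this function is evidently not what selects the link mode on the bootstrap path; the spot where the dist build picks its default buildmode needs the same treatment, or the bootstrap has to stay in exe buildmode.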

I am wondering how the default buildmode could be changed to PIE natively. 
Perhaps a build time configuration (environment) option for the default 
build mode could be added?

Thanks,
Timo
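
As an added example (not part of Timo's post, and not code from the Go project or from Alpine's aports): a small standard-library Go tool that reports whether an ELF binary really was linked as PIE, which is the check a packager would run on the produced binaries after changing the default buildmode. The function names are my own.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// pieVerdict classifies an ELF image from its e_type and whether it has a
// PT_INTERP segment: ET_EXEC is a fixed-address (non-PIE) executable,
// ET_DYN+PT_INTERP is a PIE, ET_DYN alone is a shared object or static-pie.
func pieVerdict(typ elf.Type, hasInterp bool) (bool, string) {
	switch {
	case typ == elf.ET_EXEC:
		return false, "ET_EXEC: non-PIE executable, loaded at a fixed address"
	case typ == elf.ET_DYN && hasInterp:
		return true, "ET_DYN with PT_INTERP: PIE executable"
	case typ == elf.ET_DYN:
		return true, "ET_DYN without PT_INTERP: shared object or static-pie"
	default:
		return false, fmt.Sprintf("%v: not an executable image", typ)
	}
}

// inspect opens path, looks for a PT_INTERP program header and returns the verdict.
func inspect(path string) (bool, string, error) {
	f, err := elf.Open(path) // non-ELF input (e.g. Mach-O) is reported as an error
	if err != nil {
		return false, "", err
	}
	defer f.Close()
	hasInterp := false
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			hasInterp = true
		}
	}
	pie, desc := pieVerdict(f.Type, hasInterp)
	return pie, desc, nil
}
func main() {
	for _, path := range os.Args[1:] { // usage: go run pie.go ./binary ...
		if pie, desc, err := inspect(path); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
		} else {
			fmt.Printf("%s: pie=%t (%s)\n", path, pie, desc)
		}
	}
}
```

On a Go binary built with `-buildmode=pie` the tool should report `pie=true`; a default `exe` build reports `pie=false`.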
