The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6730
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

libcap 1.29 was extended to support go, in turn adding some extensions to the distributed pkgconfig files [1].

By default for security reasons, the cgo compiler only allows -D, -I, and -l however allows us to extend this by adding a regex filter to CGO_ALLOW_LDFLAGS [2].

It should be noted that libcap implement the same in their build systems [3], but use a more relaxed ALLOW regex. Restrict ours as it probably shouldn't be too wide.

Fixes: #6727

[1]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1a61e6f395f2d2784365920872c14d9f69ff8cf1
[2]: https://golang.org/cmd/cgo/
[3]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=b2b267ef1c83f1f3d3105a4bb84f8bebbc130dec

Signed-off-by: Morten Linderud <mor...@linderud.pw>
From 7e3df061d39b676bb1cfe903ccc704f4a1cf8c6e Mon Sep 17 00:00:00 2001 From: Morten Linderud <mor...@linderud.pw> Date: Sun, 19 Jan 2020 00:13:13 +0100 Subject: [PATCH] [Makefiles] Whitelist ldflags in libcap pkgconfig libcap 1.29 was extended to support go, in turn adding some extensions to the distributed pkgconfig files [1]. By default for security reasons, the cgo compiler only allows -D, -I, and -l however allows us to extend this by adding a regex filter to CGO_ALLOW_LDFLAGS [2]. It should be noted that libcap implement the same in their build systems [3], but use a more relaxed ALLOW regex. Restrict ours as it probably shouldn't be too wide. Fixes: #6727 [1]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1a61e6f395f2d2784365920872c14d9f69ff8cf1 [2]: https://golang.org/cmd/cgo/ [3]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=b2b267ef1c83f1f3d3105a4bb84f8bebbc130dec Signed-off-by: Morten Linderud <mor...@linderud.pw> --- Makefile | 2 ++ doc/index.md | 1 + ldflags.patch | 11 +++++++++++ lxd/cgo.go | 2 +- 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 ldflags.patch diff --git a/Makefile b/Makefile index 9c99a60a1b..3ff398dbbc 100644 --- a/Makefile +++ b/Makefile @@ -105,6 +105,8 @@ deps: @echo "export CGO_CFLAGS=\"-I$(GOPATH)/deps/sqlite/ -I$(GOPATH)/deps/libco/ -I$(GOPATH)/deps/raft/include/ -I$(GOPATH)/deps/dqlite/include/\"" @echo "export CGO_LDFLAGS=\"-L$(GOPATH)/deps/sqlite/.libs/ -L$(GOPATH)/deps/libco/ -L$(GOPATH)/deps/raft/.libs -L$(GOPATH)/deps/dqlite/.libs/\"" @echo "export LD_LIBRARY_PATH=\"$(GOPATH)/deps/sqlite/.libs/:$(GOPATH)/deps/libco/:$(GOPATH)/deps/raft/.libs/:$(GOPATH)/deps/dqlite/.libs/\"" + @echo "export CGO_LDFLAGS_ALLOW=\"-Wl,-wrap,pthread_create\"" + .PHONY: update update: diff --git a/doc/index.md b/doc/index.md index d4ba7b809a..29eae1ab54 100644 --- a/doc/index.md +++ b/doc/index.md 
@@ -119,6 +119,7 @@ make deps export CGO_CFLAGS="${CGO_CFLAGS} -I${GOPATH}/deps/sqlite/ -I${GOPATH}/deps/dqlite/include/ -I${GOPATH}/deps/raft/include/ -I${GOPATH}/deps/libco/" export CGO_LDFLAGS="${CGO_LDFLAGS} -L${GOPATH}/deps/sqlite/.libs/ -L${GOPATH}/deps/dqlite/.libs/ -L${GOPATH}/deps/raft/.libs -L${GOPATH}/deps/libco/" export LD_LIBRARY_PATH="${GOPATH}/deps/sqlite/.libs/:${GOPATH}/deps/dqlite/.libs/:${GOPATH}/deps/raft/.libs:${GOPATH}/deps/libco/:${LD_LIBRARY_PATH}" +export CGO_LDFLAGS_ALLOW="-Wl,-wrap,pthread_create" make ``` diff --git a/ldflags.patch b/ldflags.patch new file mode 100644 index 0000000000..fef1a71ed4 --- /dev/null +++ b/ldflags.patch @@ -0,0 +1,11 @@ +diff --git a/lxd/cgo.go b/lxd/cgo.go +index c8c175a93..625e75b0b 100644 +--- a/lxd/cgo.go ++++ b/lxd/cgo.go +@@ -9,5 +9,5 @@ package main + // #cgo CFLAGS: -Werror=return-type -Wendif-labels -Werror=overflow + // #cgo CFLAGS: -Wnested-externs -fexceptions + // #cgo pkg-config: lxc +-// #cgo pkg-config: libcap ++// #cgo LDFLAGS: -lpsx -Wl,-wrap,pthread_create + import "C" diff --git a/lxd/cgo.go b/lxd/cgo.go index c8c175a93e..625e75b0b5 100644 --- a/lxd/cgo.go +++ b/lxd/cgo.go @@ -9,5 +9,5 @@ package main // #cgo CFLAGS: -Werror=return-type -Wendif-labels -Werror=overflow // #cgo CFLAGS: -Wnested-externs -fexceptions // #cgo pkg-config: lxc -// #cgo pkg-config: libcap +// #cgo LDFLAGS: -L/lib64 -lcap -lpsx -lpthread -Wl,-wrap,pthread_create import "C"
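Review bot: In the Makefile `deps` hunk the exported variable is `CGO_LDFLAGS_ALLOW`, while the commit message calls it `CGO_ALLOW_LDFLAGS`; the message should use the name the code exports so that the two can be found together. The hunk also adds a bare `+` blank line before `.PHONY: update`, which looks unintended and can be dropped. Since the message describes the value as a regex filter, a short comment beside the echo stating that it is meant to admit exactly one linker flag would help whoever has to widen it later.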
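Review bot: In the doc/index.md hunk, the new `export CGO_LDFLAGS_ALLOW="-Wl,-wrap,pthread_create"` replaces whatever value is already in the environment, whereas the three exports above it extend `${CGO_CFLAGS}`, `${CGO_LDFLAGS}` and `${LD_LIBRARY_PATH}`. A builder who already sets an allow pattern for another dependency loses it without notice. Because the value is a regex it cannot simply be appended with a space, so the documentation should say that an existing pattern has to be merged by hand, and a sentence on why the flag is needed would tell readers when the line can be removed.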
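Review bot: The new top-level file ldflags.patch looks like a leftover working file: it is a diff against lxd/cgo.go, the same file this commit changes directly, and nothing in the visible Makefile or documentation changes applies it. Its LDFLAGS line (`-lpsx -Wl,-wrap,pthread_create`) also differs from the one committed to lxd/cgo.go (`-L/lib64 -lcap -lpsx -lpthread -Wl,-wrap,pthread_create`), which leaves two conflicting records of the intended flags. Suggest removing the file from the commit.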
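Review bot: In lxd/cgo.go, replacing `#cgo pkg-config: libcap` with a hard-coded `#cgo LDFLAGS: -L/lib64 -lcap -lpsx -lpthread -Wl,-wrap,pthread_create` goes further than the commit subject, which is about allowing the flags that the libcap pkgconfig file emits. With `CGO_LDFLAGS_ALLOW` exported, the `pkg-config: libcap` line could stay, and the build would keep taking its library path from the installed libcap instead of assuming `/lib64`. As written, `-L/lib64` does not fit systems that install libraries elsewhere, and `-lpsx` is linked unconditionally, so a libcap that does not ship libpsx would fail to link. Suggest keeping the pkg-config directive and relying on the allow pattern.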
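The description's point about keeping the allow regex narrow, as an added Go example that is not part of the pull request or of the Go toolchain. It assumes the go command accepts a flag only when the allow pattern matches the entire flag; the sample flags and `relaxedPattern` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// allowed reports whether a CGO_LDFLAGS_ALLOW-style pattern admits flag.
// Assumption: the pattern has to match the whole flag, not a substring.
func allowed(pattern, flag string) bool {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false // an invalid pattern admits nothing
	}
	return re.FindString(flag) == flag
}

// audit returns the flags from candidates that pattern would let through.
func audit(pattern string, candidates []string) []string {
	var out []string
	for _, f := range candidates {
		if allowed(pattern, f) {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample flags: the one the patch needs, plus others that a
// pkg-config file or a #cgo LDFLAGS line could carry.
var sampleFlags = []string{
	"-Wl,-wrap,pthread_create",
	"-Wl,-wrap,malloc",
	"-Wl,-rpath,/tmp/lib",
	"-Wl,-wrap,pthread_create_extra",
}

const (
	narrowPattern  = `-Wl,-wrap,pthread_create` // value exported by the patch
	relaxedPattern = `-Wl,.*`                   // hypothetical wide pattern (constructed)
)

func main() {
	fmt.Println("narrow :", audit(narrowPattern, sampleFlags))
	fmt.Println("relaxed:", audit(relaxedPattern, sampleFlags))
}
```

Running `audit` over the flags a dependency's pkg-config file really emits shows which of them a proposed pattern would admit before it is exported in a build environment.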