evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

Opensnitchd 1.5.8 doesn't build with go version >= 1.19 unless -fcf-protection is set (Gentoo overlay) #851

Closed kcning closed 1 year ago

kcning commented 1 year ago

Hello,

I packaged opensnitch for a Gentoo overlay, and I noticed that opensnitch wouldn't build with go version >= 1.19. I'm quite certain it's not a distribution issue (EDIT: ok maybe not...).

$ git clone https://github.com/evilsocket/opensnitch.git
$ git checkout 1.5.0
$ cd opensnitch/daemon/

$ make
go: module github.com/golang/protobuf is deprecated: Use the "google.golang.org/protobuf" module instead.
go: upgraded golang.org/x/net v0.0.0-20191028085509-fe3aa8a45271 => v0.0.0-20211209124913-491a49abca63
go: upgraded golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 => v0.0.0-20211205182925-97ca703d548d
# github.com/evilsocket/opensnitch/daemon/netfilter
cgo-gcc-prolog: In function '_cgo_aceefaf8538a_Cfunc_stop_reading_packets':
cgo-gcc-prolog:451:49: warning: unused variable '_cgo_a' [-Wunused-variable]
# github.com/iovisor/gobpf/elf
cgo: cannot load DWARF output from $WORK/b085//_cgo_.o: zlib: invalid header
make: *** [Makefile:16: opensnitchd] Error 1

$ go version
go version go1.20 linux/amd64

As a temporary workaround, if I modify the opensnitch/daemon/Makefile as follows

opensnitchd: $(SRC)
        @go get
        CGO_CPPFLAGS="${CPPFLAGS} -fcf-protection" \
        CGO_CFLAGS="${CFLAGS} -fcf-protection" \
        CGO_CXXFLAGS="${CXXFLAGS} -fcf-protection" \
        go build -o opensnitchd .

then the build works.

For now I'm not sure what caused the issue, as I'm not a Go guru. It appears to me there is a breaking change in the Go 1.19 release.

And last but not least: thank you for this nice software!

gustavo-iniguez-goya commented 1 year ago

Hi @kcning !

cgo: cannot load DWARF output from $WORK/b085//_cgo_.o: zlib: invalid header

Based on previous reports, it looks like a problem with your system (not your distro):

https://github.com/evilsocket/opensnitch/issues/820

cgo: cannot load DWARF output from $WORK/b084//_cgo_.o: zlib: invalid header

I just built the package with go 1.20.1 on Debian and it compiled fine, so it doesn't seem to be an incompatibility with go (I've been using go1.19 for months, and the official packages on Debian are built with go1.19).

Maybe some hardening feature of Gentoo?

kcning commented 1 year ago

Thank you for the quick reply. It might be some hardening flags indeed. I'll look into it further.

onny commented 1 year ago

Also affecting the opensnitch package in nixos-unstable recently: https://github.com/NixOS/nixpkgs/issues/216388. Not sure how to fix it yet :(

gustavo-iniguez-goya commented 1 year ago

It seems to be a problem with Go >= 1.19 and -fstack-protector. With Go <= 1.18 it compiled fine, and apparently they'll try to fix it in the next releases.

https://github.com/golang/go/issues/54422

https://github.com/golang/go/issues/54422#issuecomment-1224310014

With -fstack-protector (zlib: invalid header error)

With -fno-stack-protector (no error)

gustavo-iniguez-goya commented 1 year ago

It seems that Go has been adding/removing -fno-stack-protector by default: https://github.com/golang/go/commits/master/src/runtime/cgo/cgo.go

https://github.com/golang/go/blob/9f834a559c9ed6cdf883e29b36e21e5f956df74f/src/runtime/cgo/cgo.go#L26-L28

// Use -fno-stack-protector to avoid problems locating the
// proper support functions. See issues #52919, #54313, #58385.
#cgo CFLAGS: -Wall -Werror -fno-stack-protector

We also debugged this issue here: https://github.com/evilsocket/opensnitch/discussions/768

gustavo-iniguez-goya commented 1 year ago

Closing this issue. Either use the mentioned option, or use another golang version.
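
Added example, not part of the thread and not code from the OpenSnitch or Go projects: a small POSIX shell helper that tries a cgo build once per candidate C flag, setting the same three CGO_* variables as the Makefile workaround above, so the flag that makes the build pass or fail can be isolated on a given system. The function name probe_cgo_flags and the FAKE_BUILD stand-in are hypothetical; FAKE_BUILD is a constructed stub that imitates a build failing when the stack protector is enabled.

```shell
#!/bin/sh
# probe_cgo_flags BUILD_CMD FLAG...
#   Runs BUILD_CMD (via `sh -c`) once per FLAG with CGO_CPPFLAGS, CGO_CFLAGS
#   and CGO_CXXFLAGS set to the caller's CPPFLAGS/CFLAGS/CXXFLAGS plus FLAG.
#   Prints "FLAG ok" or "FLAG FAIL" per flag; returns 0 if any flag built.
probe_cgo_flags() {
    build_cmd=$1; shift
    any_ok=1
    for flag in "$@"; do
        if CGO_CPPFLAGS="${CPPFLAGS:-} $flag" \
           CGO_CFLAGS="${CFLAGS:-} $flag" \
           CGO_CXXFLAGS="${CXXFLAGS:-} $flag" \
           sh -c "$build_cmd" >/dev/null 2>&1; then
            printf '%s ok\n' "$flag"
            any_ok=0
        else
            printf '%s FAIL\n' "$flag"
        fi
    done
    return "$any_ok"
}

# Constructed stand-in for `go build` (assumption, for offline runs): exits 1
# whenever -fstack-protector appears in CGO_CFLAGS.
FAKE_BUILD='case " $CGO_CFLAGS " in *" -fstack-protector "*) exit 1;; esac'

# Real use, from opensnitch/daemon, with the flags named in the thread:
#   probe_cgo_flags 'go build -o opensnitchd .' \
#       -fcf-protection -fno-stack-protector -fstack-protector
```

A flag that only makes the build pass by switching a hardening feature off (such as -fno-stack-protector) changes the protection of the C parts of the resulting binary, so record which flag was used for a packaged build.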