search

shadowsocks / v2ray-plugin

A SIP003 plugin based on v2ray
MIT License
2.69k stars 573 forks source link

the release build should apply security hardening options #210

Open OwenChia opened 4 years ago

OwenChia commented 4 years ago

using checksec we can found out that the default build doesn't have RELRO/CANARY/PIE,

checksec --file=v2ray-plugin_linux_amd64
RELRO           STACK CANARY      NX            PIE             SELFRANDO             RPATH      RUNPATH        Symbols         FORTIFYFortified       Fortifiable     FILE
No RELRO        No canary found   NX enabled    No PIE          No Selfrando          No RPATH   No RUNPATH   No Symbols          No  00               v2ray-plugin_linux_amd64

there is a qucik way to fix it, just pass the following flags to go build[^1]:

export GOFLAGS='-buildmode=pie'
export CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2"
export CGO_LDFLAGS="-Wl,-z,relro,-z,now"

and then we'll get:

RELRO           STACK CANARY      NX            PIE             SELFRANDO             RPATH      RUNPATH        Symbols         FORTIFYFortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No Selfrando          No RPATH   No RUNPATH   18108) Symbols      Yes 22               v2ray-plugin

FYI: [1] https://wiki.archlinux.org/index.php/Security_package_guidelines#Golang

gedec-coin-one commented 4 years ago

or we can use:

go build -v \
  -buildmode=pie \
  -trimpath \
  -mod=readonly \
  -modcacherw \
  -ldflags "-X main.VERSION=$(git describe --tags) -s -w -extldflags '-Wl,-z,relro,-z,now'"