File pie.patch of Package snapd

From 09a3cc7aad771621d849d792281538658331f550 Mon Sep 17 00:00:00 2001
Message-ID: <09a3cc7aad771621d849d792281538658331f550.1725538054.git.maciej.borzecki@canonical.com>
From: Maciej Borzecki <maciej.borzecki@canonical.com>
Date: Thu, 5 Sep 2024 14:06:50 +0200
Subject: [PATCH] Build position-independent binaries per hardening policy

This is only supported on some architectures and only wth recent glibc (where rcrt1.o is present).

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
---
 cmd/Makefile.am    | 4 ++--
 packaging/snapd.mk | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/cmd/Makefile.am b/cmd/Makefile.am
index b316a8733ca7ce6c552955fb051bbb3a2dad7685..89c85b3485958d90a2df1c25aa59d5ef361c6514 100644
--- a/cmd/Makefile.am
+++ b/cmd/Makefile.am
@@ -523,7 +523,7 @@ snap_gdb_shim_snap_gdb_shim_SOURCES = \
 	snap-gdb-shim/snap-gdb-shim.c
 
 snap_gdb_shim_snap_gdb_shim_LDADD = libsnap-confine-private.a
-snap_gdb_shim_snap_gdb_shim_LDFLAGS = -static
+snap_gdb_shim_snap_gdb_shim_LDFLAGS = -static-pie
 
 ##
 ## snap-gdbserver-shim
@@ -535,7 +535,7 @@ snap_gdb_shim_snap_gdbserver_shim_SOURCES = \
 	snap-gdb-shim/snap-gdbserver-shim.c
 
 snap_gdb_shim_snap_gdbserver_shim_LDADD = libsnap-confine-private.a
-snap_gdb_shim_snap_gdbserver_shim_LDFLAGS = -static
+snap_gdb_shim_snap_gdbserver_shim_LDFLAGS = -static-pie
 
 ##
 ## snapd-generator
diff --git a/packaging/snapd.mk b/packaging/snapd.mk
index a9e90dc1900c0074f69ff7003f06505541950d8f..ee8f79d766a658074ae62f83c55af5f54a70dade 100644
--- a/packaging/snapd.mk
+++ b/packaging/snapd.mk
@@ -83,9 +83,9 @@ $(builddir)/snap $(builddir)/snap-seccomp $(builddir)/snapd-apparmor:
 $(builddir)/snap-update-ns $(builddir)/snap-exec $(builddir)/snapctl:
 	# Explicit request to use an external linker, otherwise extldflags may not be
 	# used
-	go build -o $@ -buildmode=default -mod=vendor \
+	go build -o $@ -buildmode=pie -mod=vendor \
 		$(if $(GO_TAGS),-tags "$(GO_TAGS)") \
-		-ldflags '-linkmode external -extldflags "-static" $(EXTRA_GO_LDFLAGS)' \
+		-ldflags '-linkmode external -extldflags "-static-pie" $(EXTRA_GO_LDFLAGS)' \
 		$(EXTRA_GO_BUILD_FLAGS) \
 		$(import_path)/cmd/$(notdir $@)
 
-- 
2.46.0

openSUSE Build Service is sponsored by