-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: Set security flags for release builds #6087
Conversation
f3261c9
to
8fc885c
Compare
We probably need a build of all targets to confirm this works ok on everything. |
@patrick-stephens I executed the package tests in my fork. Unfortunately, the timeout was reached before the tests completed. However, all executed tests were successful. |
@niedbalski Could you please review this PR? Thanks |
@Garfield96 thanks, we're both on PTO at the moment but I'll catch up with @niedbalski once he's back. |
Hi @patrick-stephens and @niedbalski, |
@Garfield96 I appreciate your time - unfortunately @niedbalski is off for an extended period. |
Hi @niedbalski, |
@Garfield96 can you update the merge commit title (and ideally rebase)? |
Signed-off-by: Christian Menges <christian.menges@outlook.com>
Signed-off-by: Christian Menges <christian.menges@outlook.com>
22c06d2
to
9ecaf47
Compare
@patrick-stephens I rebased the PR. The test failures are unrelated to the change and are also present in several other recently opened PRs. |
Signed-off-by: Christian Menges <christian.menges@outlook.com>
3926aa7
to
96b2b59
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@leonardo-albertovich I think we were both ok with this?
@leonardo-albertovich Can this PR get merged? |
Is this the cause of the following in my
|
@rossigee I'm not sure what you're asking there - this PR is not merged so any changes in it are not in official releases. |
@patrick-stephens - sorry I wasn't clear. I saw this message while reviewing the logs on one of my hosts, and was alarmed. I wasn't sure if my 'fluent-bit' binary (official release build v2.1.9, deployed as a K8S DS) had somehow been tampered with, but on further investigation I came across this PR which addresses certain 'official release build' compile-time issues, one of which appears to be related to preventing the executable stack problem. I wasn't able to find anyone else reporting the same issue by Googling the error message, and |
@rossigee I assume that this PR will remove the warning from your logs. |
@patrick-stephens I'm sorry for asking again, but can this PR be merged soon? I think a lot of users would benefit from it and as mentioned by @rossigee and #7315, some platforms even issue warnings for the current fluent-bit binary. |
@Garfield96 as I understand it I think we're happy with this - I'm not the best person to review the compilation flags themselves however @leonardo-albertovich indicated he was so I'll ping @edsiper to see if we can get it merged. |
Hi @leonardo-albertovich and @edsiper, |
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
added to Milestone v3.1.0 |
Signed-off-by: Christian Menges christian.menges@outlook.com
Set security flags for release builds using gcc or clang:
-Wl,-z,relro,-z,now
Set Global Offset Table (GOT) to read-only. In theory, this increases startup times, but I couldn't observe a performance degradation.-fstack-protector
Protect against stack manipulation.-D_FORTIFY_SOURCE=1
Replace certain functions with more secure alternatives. With level 1, most of the added security checks are optimized away.Fixes #7315
Enter
[N/A]
in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.