From 552d942fce1dbd6ad55df41c5b57d9c909d6bc6e Mon Sep 17 00:00:00 2001
From: zhangkun
Date: Thu, 18 Dec 2025 10:37:25 +0800
Subject: [PATCH] fix: update linker flags for enhanced security hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Modified GOBUILD_OPTIONS in debian/rules to include additional security hardening flags
2. Changed from "-pie" only to "-Wl,-z,relro,-z,now,-pie" for comprehensive security
3. This change applies to all architectures except mips64el
4. The new flags enable full RELRO (Relocation Read-Only) and BIND_NOW for immediate binding

Log: Improved binary security with additional hardening flags

Influence:
1. Test that the package builds successfully on all supported architectures except mips64el
2. Verify that the resulting binaries have proper security hardening enabled
3. Check that the application functionality remains unchanged with the new linker flags
4. Test on architectures where the change applies (non-mips64el) to ensure no regressions
5. Verify that mips64el builds continue to use the original flags without changes

fix: update linker flags to enhance security hardening

1. Modify GOBUILD_OPTIONS in debian/rules to include additional security hardening flags
2. Change from using only "-pie" to "-Wl,-z,relro,-z,now,-pie" for comprehensive security protection
3. This change applies to all architectures except mips64el
4. The new flags enable full RELRO (Relocation Read-Only) and BIND_NOW for immediate binding

Log: Improved binary security through additional hardening flags

Influence:
1. Test whether the package builds successfully on all supported architectures except mips64el
2. Verify whether the generated binaries have proper security hardening enabled
3. Check whether application functionality remains unchanged with the new linker flags
4. Test on architectures where the change applies (non-mips64el) to ensure there are no regressions
5. Verify whether mips64el builds continue to use the original flags unaffected

PMS: BUG-339571

--- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index b21ba15..82023ce 100755 --- a/debian/rules +++ b/debian/rules @@ -8,7 +8,7 @@ ifeq ($(DEB_BUILD_ARCH),sw_64) endif ifneq ($(DEB_BUILD_ARCH), mips64el) - export GOBUILD_OPTIONS=-ldflags '-linkmode=external -extldflags "-pie"' + export GOBUILD_OPTIONS=-ldflags '-linkmode=external -extldflags "-Wl,-z,relro,-z,now,-pie"' endif %:
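Review bot: The `ifneq ($(DEB_BUILD_ARCH), mips64el)` guard now keeps RELRO and BIND_NOW away from mips64el as well as PIE, and nothing in the hunk documents why. If the exclusion exists only because of `-pie`, `-Wl,-z,relro,-z,now` could be applied on mips64el in a separate branch so that architecture is not left with no hardening flags at all; otherwise please add a comment above the `ifneq` stating the reason for the exclusion. Two smaller points on the same line: the commit message asks to verify that the binaries are hardened, but the change adds no check, so consider a post-build step in debian/rules that fails when `readelf -l` shows no GNU_RELRO segment or `readelf -d` shows no BIND_NOW flag on the built binary. Also, `-pie` here is passed only to the external linker; the hunk does not show `-buildmode=pie`, so please confirm it is set elsewhere in GOBUILD_OPTIONS or in the build invocation, since the Go toolchain expects PIE to be requested through the build mode rather than through `-extldflags` alone.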