[lxc-devel] [lxd/master] [Makefiles] Whitelist ldflags in libcap pkgconfig

[Foxboron on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 1077 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200118/76273a55/attachment.bin>
-------------- next part --------------
From 7e3df061d39b676bb1cfe903ccc704f4a1cf8c6e Mon Sep 17 00:00:00 2001
From: Morten Linderud <morten at linderud.pw>
Date: Sun, 19 Jan 2020 00:13:13 +0100
Subject: [PATCH] [Makefiles] Whitelist ldflags in libcap pkgconfig

libcap 1.29 was extended to support go, in turn adding some extensions
to the distributed pkgconfig files [1]. By default for security reasons,
the cgo compiler only allows -D, -I, and -l however allows us to extend
this by adding a regex filter to CGO_ALLOW_LDFLAGS [2].

It should be noted that libcap implement the same in their build systems
[3], but use a more relaxed ALLOW regex. Restrict ours as it probably
shouldn't be too wide.

Fixes: #6727

[1]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1a61e6f395f2d2784365920872c14d9f69ff8cf1
[2]: https://golang.org/cmd/cgo/
[3]: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=b2b267ef1c83f1f3d3105a4bb84f8bebbc130dec

Signed-off-by: Morten Linderud <morten at linderud.pw>
---
 Makefile      |  2 ++
 doc/index.md  |  1 +
 ldflags.patch | 11 +++++++++++
 lxd/cgo.go    |  2 +-
 4 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 ldflags.patch

diff --git a/Makefile b/Makefile
index 9c99a60a1b..3ff398dbbc 100644
--- a/Makefile
+++ b/Makefile
@@ -105,6 +105,8 @@ deps:
 	@echo "export CGO_CFLAGS=\"-I$(GOPATH)/deps/sqlite/ -I$(GOPATH)/deps/libco/ -I$(GOPATH)/deps/raft/include/ -I$(GOPATH)/deps/dqlite/include/\""
 	@echo "export CGO_LDFLAGS=\"-L$(GOPATH)/deps/sqlite/.libs/ -L$(GOPATH)/deps/libco/ -L$(GOPATH)/deps/raft/.libs -L$(GOPATH)/deps/dqlite/.libs/\""
 	@echo "export LD_LIBRARY_PATH=\"$(GOPATH)/deps/sqlite/.libs/:$(GOPATH)/deps/libco/:$(GOPATH)/deps/raft/.libs/:$(GOPATH)/deps/dqlite/.libs/\""
+	@echo "export CGO_LDFLAGS_ALLOW=\"-Wl,-wrap,pthread_create\""
+
 
 .PHONY: update
 update:
diff --git a/doc/index.md b/doc/index.md
index d4ba7b809a..29eae1ab54 100644
--- a/doc/index.md
+++ b/doc/index.md
@@ -119,6 +119,7 @@ make deps
 export CGO_CFLAGS="${CGO_CFLAGS} -I${GOPATH}/deps/sqlite/ -I${GOPATH}/deps/dqlite/include/ -I${GOPATH}/deps/raft/include/ -I${GOPATH}/deps/libco/"
 export CGO_LDFLAGS="${CGO_LDFLAGS} -L${GOPATH}/deps/sqlite/.libs/ -L${GOPATH}/deps/dqlite/.libs/ -L${GOPATH}/deps/raft/.libs -L${GOPATH}/deps/libco/"
 export LD_LIBRARY_PATH="${GOPATH}/deps/sqlite/.libs/:${GOPATH}/deps/dqlite/.libs/:${GOPATH}/deps/raft/.libs:${GOPATH}/deps/libco/:${LD_LIBRARY_PATH}"
+export CGO_LDFLAGS_ALLOW="-Wl,-wrap,pthread_create"
 make
 ```
 
diff --git a/ldflags.patch b/ldflags.patch
new file mode 100644
index 0000000000..fef1a71ed4
--- /dev/null
+++ b/ldflags.patch
@@ -0,0 +1,11 @@
+diff --git a/lxd/cgo.go b/lxd/cgo.go
+index c8c175a93..625e75b0b 100644
+--- a/lxd/cgo.go
++++ b/lxd/cgo.go
+@@ -9,5 +9,5 @@ package main
+ // #cgo CFLAGS: -Werror=return-type -Wendif-labels -Werror=overflow
+ // #cgo CFLAGS: -Wnested-externs -fexceptions
+ // #cgo pkg-config: lxc
+-// #cgo pkg-config: libcap
++// #cgo LDFLAGS: -lpsx -Wl,-wrap,pthread_create
+ import "C"
diff --git a/lxd/cgo.go b/lxd/cgo.go
index c8c175a93e..625e75b0b5 100644
--- a/lxd/cgo.go
+++ b/lxd/cgo.go
@@ -9,5 +9,5 @@ package main
 // #cgo CFLAGS: -Werror=return-type -Wendif-labels -Werror=overflow
 // #cgo CFLAGS: -Wnested-externs -fexceptions
 // #cgo pkg-config: lxc
-// #cgo pkg-config: libcap
+// #cgo LDFLAGS: -L/lib64 -lcap -lpsx -lpthread -Wl,-wrap,pthread_create
 import "C"