Date:      Mon, 15 Jul 2024 09:38:05 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 280238] security/crowdsec-firewall-bouncer: not WITH_PIE safe
Message-ID:  <bug-280238-7788-jso1Ed8RQA@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280238-7788@https.bugs.freebsd.org/bugzilla/>
References:  <bug-280238-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280238

--- Comment #2 from Alexander Leidinger <netchild@FreeBSD.org> ---
(In reply to marco from comment #1)
PIE_UNSAFE means it is not building when WITH_PIE is set. It is not meant to
mean that it is unsafe to run it with PIE, in case this is your concern.

The article itself is what I found when googling for PIE and golang, so it
may not be 100% matching, but at least it gives an idea that it is not
trivial to get it working with golang.

I stumbled upon this because I want to try crowdsec and I compile every port
with WITH_PIE (and others) by default.

The idea of compiling with PIE is to make ASLR work (
 * https://man.freebsd.org/cgi/man.cgi?query=mitigations
 * https://mropert.github.io/2018/02/02/pic_pie_sanitizers/
).

The problem when compiling the firewall-bouncer with PIE is that a dependency
is not compiled with PIE.
As I build all ports with PIE and have not excluded any golang port, and the
go.mk has some kind of pie support, my first assumption would be that it is
something inside the port itself which doesn't inherit the --buildmode=pie. I
haven't done anything with golang at all, so my workaround for my systems is
to add PIE_UNSAFE to the port (via setting it in make.conf for this
particular port).

I could add the PIE_UNSAFE variable in the port Makefile now, or you could
add it with the next update, or you could have a look why the
firewall-bouncer doesn't build correctly when PIE is enabled. Do you have
any preference in this regard or other ideas?

Bye,
Alexander.

-- 
You are receiving this mail because:
You are the assignee for the bug.