[Bug 280238] security/crowdsec-firewall-bouncer: not WITH_PIE safe

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280238

--- Comment #2 from Alexander Leidinger <netchild@FreeBSD.org> ---
(In reply to marco from comment #1)
PIE_UNSAFE means it is not building when WITH_PIE is set. It is not meant to
mean that it is unsafe to run it with PIE, in case this is your concern.

The article itself is what I found when googling for PIE and golang, so it may
not be 100% matching, but at least it gives an idea that it is not trivial to
get it working with golang.

I stumped upon this because I want to try crowdsec and I compile every port
with WITH_PIE (and others) by default.

The idea of compiling with PIE is to make ASLR work (
 * https://man.freebsd.org/cgi/man.cgi?query=mitigations
 * https://mropert.github.io/2018/02/02/pic_pie_sanitizers/
).

The problem when compiling the firewall-bouncer with PIE is that a dependency
is not compiled with PIE.
As I build all ports with PIE and have not excluded any golang port, and the
go.mk has some kind of pie support, my first assumption would be that it is
something inside the port itself which doesn't inherit the --buildmode=pie. I
haven't done something with golang at all, so my workaround for my systems is
to add PIE_UNSAFE to the port (via setting it in make.conf for this particular
port).

I could add the PIE_UNSAFE variable in the port Makefile now, or you could add
it with the next update, or you could have a look why the firewall-bouncer
doesn't build correctly when PIE is enabled. Do you have any preference in this
regard or other ideas?

Bye,
Alexander.

-- 
You are receiving this mail because:
You are the assignee for the bug.