Opened 6 months ago

Last modified 6 months ago

#29694 new defect

Build Go binaries with `-buildmode=pie"?

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-rbm
Cc: dcf, yawning Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I was looking a bit how the obfs4proxy binary gets build for Android today and it turns out that Briar etc. use -buildmode=pie. Currently our Linux binaries have no PIE and no RELRO (but Stack Canaries, NX etc. enabled). Trying with -buildmode=pie results in "PIE enabled" but somewhat surprisingly our stack canaries are gone (but we get partial RELRO).

So, generally, should we start using PIE mode (and -extldflags=-pie where needed)? Or are we good with what we have?

Child Tickets

Change History (3)

comment:1 Changed 6 months ago by gk

Cc: dcf yawning added

Adding folks who might have insight/opinions here.

comment:2 Changed 6 months ago by gk

(It goes without saying that this is only relevant for platforms where this flag is actually supported, i.e. not for Windows binaries.)

comment:3 Changed 6 months ago by dcf

I don't have an opinion on this.

Note: See TracTickets for help on using tickets.