Bug 280238 - security/crowdsec-firewall-bouncer: not WITH_PIE safe
Summary: security/crowdsec-firewall-bouncer: not WITH_PIE safe
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Alexander Leidinger
URL:
Keywords:
Depends on:
Blocks:
Reported: 2024-07-12 11:25 UTC by Alexander Leidinger
Modified: 2024-09-18 17:01 UTC
See Also:
bugzilla: maintainer-feedback? (marco)
Description Alexander Leidinger 2024-07-12 11:25:43 UTC
Hi,

the port fails to build when WITH_PIE=yes is set.

I suggest adding PIE_UNSAFE=yes to the port Makefile (or fixing the build with WITH_PIE, but the easy part of adding --buildmode=pie is already in Mk/USES/go.mk and it seems to be not trivial to get this to work in the generic case -- https://dubo-dubon-duponey.medium.com/a-beginners-guide-to-cross-compiling-static-cgo-pie-binaries-golang-1-16-792eea92d5aa).

Bye,
Alexander.
Comment 1 marco 2024-07-15 09:14:32 UTC
Hi Alexander,

thanks for reporting the issue.

I think PIE_UNSAFE could do because this binary does not require CGO and is not concerned by the article you link -- maybe the variable name is not 100% descriptive of its semantics.

On the other hand, the main crowdsec application does build with pie and it's mainly linked with the re2 engine and sqlite. It's just not built as static on FreeBSD, so again, I don't think the article applies to that.
Comment 2 Alexander Leidinger 2024-07-15 09:38:05 UTC
(In reply to marco from comment #1)
PIE_UNSAFE means it is not building when WITH_PIE is set. It is not meant to mean that it is unsafe to run it with PIE, in case this is your concern.

The article itself is what I found when googling for PIE and golang, so it may not be 100% matching, but at least it gives an idea that it is not trivial to get it working with golang.

I stumbled upon this because I want to try crowdsec and I compile every port with WITH_PIE (and others) by default.

The idea of compiling with PIE is to make ASLR work (
 * https://man.freebsd.org/cgi/man.cgi?query=mitigations
 * https://mropert.github.io/2018/02/02/pic_pie_sanitizers/
).

The problem when compiling the firewall-bouncer with PIE is that a dependency is not compiled with PIE.
As I build all ports with PIE and have not excluded any golang port, and the go.mk has some kind of pie support, my first assumption would be that it is something inside the port itself which doesn't inherit the --buildmode=pie. I haven't done anything with golang at all, so my workaround for my systems is to add PIE_UNSAFE to the port (via setting it in make.conf for this particular port).

I could add the PIE_UNSAFE variable in the port Makefile now, or you could add it with the next update, or you could have a look why the firewall-bouncer doesn't build correctly when PIE is enabled. Do you have any preference in this regard or other ideas?

Bye,
Alexander.
Comment 3 marco 2024-09-12 09:29:16 UTC
Hi, thanks for the clarification and sorry for coming back only when I have a new version to publish; I don't check bugzilla as often as I should.

The issue was

1 - CGO is disabled in the port so it's a deal breaker already
2 - if CGO is enabled, it links to libc which is not PIC so it fails again

I propose to just build the bouncer dynamically in this case.

https://github.com/crowdsecurity/packaging-freebsd/blob/main/security/crowdsec-firewall-bouncer/Makefile

From my test, the build is now static without WITH_PIE and dynamic with it.
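To confirm the outcome marco describes (a PIE build when WITH_PIE is set, a fixed-position build otherwise), a port maintainer can inspect the ELF header of the produced binary directly: e_type is ET_DYN (3) for a position-independent executable and ET_EXEC (2) for a fixed-position one. The script below is an added example written for this thread, not code from the crowdsec port or the FreeBSD ports tree. It assumes only POSIX od and printf, so it runs the same on FreeBSD and Linux; the make_fake_elf helper constructs a minimal 64-byte ELF64 header purely as test input, and the binary path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the bug report): classify an ELF file as PIE
# (e_type = ET_DYN) or fixed-position (e_type = ET_EXEC) by reading the ELF
# header with POSIX od. No readelf/objdump dependency.

# elf_type FILE -> prints "pie", "exec" or "other"; returns 1 if FILE is not ELF
elf_type() {
    f="$1"
    magic=$(od -A n -t x1 -N 4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1          # "\177ELF"
    # EI_DATA at offset 5: 1 = little endian, 2 = big endian
    ei_data=$(od -A n -t u1 -j 5 -N 1 "$f" | tr -d ' \n')
    # e_type is the 2-byte field at offset 16 (same offset for ELF32 and ELF64)
    set -- $(od -A n -t u1 -j 16 -N 2 "$f")
    if [ "$ei_data" = "1" ]; then
        e_type=$(( $1 + $2 * 256 ))
    else
        e_type=$(( $1 * 256 + $2 ))
    fi
    case "$e_type" in
        2) echo exec ;;    # ET_EXEC: fixed load address, ASLR cannot relocate it
        3) echo pie ;;     # ET_DYN: position independent, relocatable by ASLR
        *) echo other ;;   # relocatable object, core file, ...
    esac
}

# make_fake_elf E_TYPE FILE: write a minimal 64-byte ELF64 little-endian header
# with the given e_type (2 = ET_EXEC, 3 = ET_DYN). Constructed test input only;
# the result is not a loadable binary.
make_fake_elf() {
    t="$1"; out="$2"
    oct=$(printf '%03o' "$t")
    {
        printf '\177ELF\002\001\001'                    # magic, ELFCLASS64, LE, EV_CURRENT
        printf '\000\000\000\000\000\000\000\000\000'   # EI_OSABI, ABI version, padding
        printf "\\${oct}\\000"                          # e_type (little endian)
        printf '\076\000'                               # e_machine = EM_X86_64
        printf '\001\000\000\000'                       # e_version
        dd if=/dev/zero bs=1 count=40 2>/dev/null       # remaining header fields zeroed
    } > "$out"
}

# Usage: sh elfcheck.sh /usr/local/bin/crowdsec-firewall-bouncer   (placeholder path)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(elf_type "$f" || echo 'not an ELF file')"
done
```

When run against the installed bouncer after a WITH_PIE build, the expected answer is "pie"; "exec" means the Go toolchain did not receive --buildmode=pie for that binary, which is exactly the symptom PIE_UNSAFE papers over.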
Comment 4 Alexander Leidinger 2024-09-13 08:42:05 UTC
(In reply to marco from comment #3)
If you submit a patch for the FreeBSD port, I can commit it.
Comment 5 marco 2024-09-16 11:26:45 UTC
Thanks!

I have a patch here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281533

and I also released a new version of crowdsec

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281454
Comment 6 Alexander Leidinger 2024-09-18 17:01:25 UTC
Will be fixed when Bug 281533 is committed.