From ab611199fd79cc371af1dacdf6c5187420624576 Mon Sep 17 00:00:00 2001 From: Ian Davis Date: Tue, 13 Dec 2022 17:56:28 -0800 Subject: [PATCH] Set noexecstack on snapcraft builds We're currently failing the automated security review on snapcraft because the lotus binary has the execstack value set: https://linux.die.net/man/8/execstack This commit passes the appropriate flags to ld to disable the execstack flag when building the binaries for snapcraft: https://linux.die.net/man/1/ld We may want to consider disabling this as part of the main build. Research seems to indicate that allowing the executable stack can lead to security issues, but I am not enough of a security expert to know for sure what the right call here is: https://f0rm2l1n.github.io/2022-04-02-What-is-happended-to-execstack/ --- snap/snapcraft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 8c7323a2b..2b9862808 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -36,7 +36,7 @@ parts: - libhwloc15 - ocl-icd-libopencl1 override-build: | - LDFLAGS="" make lotus lotus-miner lotus-worker + LDFLAGS="-z noexecstack" make lotus lotus-miner lotus-worker cp lotus lotus-miner lotus-worker $SNAPCRAFT_PART_INSTALL cp scripts/snap-lotus-entrypoint.sh $SNAPCRAFT_PART_INSTALL
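Review bot: Nothing in `override-build` checks that the flag actually took effect before the `cp lotus lotus-miner lotus-worker $SNAPCRAFT_PART_INSTALL` line, so if the Makefile does not forward `LDFLAGS` to the final link step the snap will fail the store review again with no signal at build time. The hunk does not show how `make` consumes `LDFLAGS`, so it is worth confirming that, and adding a check between `make` and `cp` that fails the build if the stack segment is still executable, for example `readelf -lW lotus | grep GNU_STACK` should report `RW` rather than `RWE` for each of the three binaries. A short YAML comment above the line saying the flag is there for the snapcraft security review would also keep someone from resetting it to `LDFLAGS=""` later. Since the change is limited to `snap/snapcraft.yaml`, binaries from the main build keep the executable-stack marking that the commit message raises as an open question; that deserves a follow-up issue rather than being left in the commit text.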