Set noexecstack on snapcraft builds

We're currently failing the automated security review on snapcraft
because the lotus binary has the execstack value set:
  https://linux.die.net/man/8/execstack

This commit passes the appropriate flags to ld to disable the execstack
flag when building the binaries for snapcraft:
  https://linux.die.net/man/1/ld

We may want to consider disabling this as part of the main build.
Research seems to indicate that allowing the executable stack can lead to
security issues, but I am not enough of a security expert to know for
sure what the right call here is:
  https://f0rm2l1n.github.io/2022-04-02-What-is-happended-to-execstack/
Ian Davis 2022-12-13 17:56:28 -08:00
parent f3830b60ae
commit ab611199fd

@ -36,7 +36,7 @@ parts:
- libhwloc15
- ocl-icd-libopencl1
override-build: |
LDFLAGS="" make lotus lotus-miner lotus-worker
LDFLAGS="-z noexecstack" make lotus lotus-miner lotus-worker
cp lotus lotus-miner lotus-worker $SNAPCRAFT_PART_INSTALL
cp scripts/snap-lotus-entrypoint.sh $SNAPCRAFT_PART_INSTALL
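
Review bot: Nothing between the `make` line and the `cp` lines in `override-build` checks that `-z noexecstack` actually took effect on `lotus`, `lotus-miner` and `lotus-worker`, so a later change to how the Makefile consumes `LDFLAGS` would only surface when the snapcraft security review fails again. Consider adding a step before the `cp` lines that fails the build if any of the three binaries still has an executable `GNU_STACK` program header, for example by checking the flags column in `readelf -lW lotus` for `RWE`. Since the old line set `LDFLAGS=""` and the new value applies only to this snap part, a short YAML comment pointing at the review failure would also explain why the snap build differs from the main build.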