krane-static: harden CFLAGS used to build krane-static

bottlerocket-os · Jan 6, 2025 · 52c4d21 · 52c4d21
1 parent 6f0facc
commit 52c4d21
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/tools/krane/build.rs b/tools/krane/build.rs
@@ -3,6 +3,10 @@ use std::path::PathBuf;
 use std::process::Command;
 
 const REQUIRED_TOOLS: &[&str] = &["go"];
+const CFLAGS: &str = concat!(
+    "-O2 -g -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,",
+    "-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-clash-protection -fno-omit-frame-pointer",
+);
 
 fn main() {
     let script_dir = env::current_dir().unwrap();
@@ -16,10 +20,13 @@ fn main() {
     let build_output_loc = out_dir.join("libkrane.a");
     let mut build_command = Command::new("go");
 
+    let curr_cflags = env::var("CFLAGS").unwrap_or_default();
+
     build_command
         .env("GOOS", get_goos())
         .env("GOARCH", get_goarch())
         .env("CGO_ENABLED", "1")
+        .env("CFLAGS", format!("{curr_cflags} {CFLAGS}"))
         .arg("build")
         .arg("-buildmode=c-archive")
         .arg("-o")