Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Enable hardening in produced telegraf binaries #15187

Closed
53c70r opened this issue Apr 18, 2024 · 3 comments
Closed

feat: Enable hardening in produced telegraf binaries #15187

53c70r opened this issue Apr 18, 2024 · 3 comments
Labels
bug unexpected problem or unintended behavior help wanted Request for community participation, code, contribution size/m 2-4 day effort

Comments

@53c70r
Copy link

53c70r commented Apr 18, 2024
edited
Loading

Relevant telegraf.conf

No config needed.

Logs from Telegraf

No logs needed.

System info

Rocky Linux - 9.3 (Blue Onyx)

Docker

No response

Steps to reproduce

checksec --proc=telegraf
 COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
telegraf   1824 No RELRO        No symbol table found   No Seccomp       NX enabled    No PIE                  No

checksec --file=/usr/bin/telegraf
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable	FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols	  No	0		0		/usr/bin/telegraf

Expected behavior

HARDENING

Actual behavior

NO HARDENING

Additional info

No response
@53c70r 53c70r added the bug unexpected problem or unintended behavior label Apr 18, 2024
@powersj
Copy link
Contributor

powersj commented Apr 18, 2024

Hi,

Some of the hardening options require the use of cgo. Telegraf builds are static binaries and do not use cgo today. This is not something we would change.

Any changes would be done in a new minor release and not a bug fix release as well.

@jdstrand pointed out that PIE has potential for performance impact depending on arch (see https://wiki.ubuntu.com/Security/Features#Built_as_PIE). We would probably want this enable only in amd64, arm64, s390x, riscv64, ppc64el builds. Additionally, we would want to do some testing of sorts to ensure we do not greatly regress performance, particularly in the parsers.

The other changes would generally require the use of CGO to pass flags to the C compiler.

As a result, I think the change required then is to add GOFLAGS="-buildmode=pie" to the specific architectures listed above. That would enable PIE and RELRO would report as partial.

@powersj powersj added help wanted Request for community participation, code, contribution size/m 2-4 day effort labels Apr 18, 2024
@powersj powersj changed the title hardening disabled on all builds feat: Enable hardening in produced telegraf binaries Apr 18, 2024
powersj added a commit to powersj/telegraf that referenced this issue Apr 18, 2024
@powersj
feat: Enable PIE hardening for certain architechtures
3264d75 
fixes: influxdata#15187
@powersj powersj mentioned this issue Apr 18, 2024
Closed
1 task
powersj added a commit to powersj/telegraf that referenced this issue Apr 18, 2024
@powersj
feat: Enable PIE hardening for certain architechtures
98f385a 
fixes: influxdata#15187
@powersj
Copy link
Contributor

powersj commented Apr 18, 2024
edited
Loading

-buildmode=pie requires external (cgo) linking, but cgo is not enabled

Apparently, PIE requires cgo as well... in which case I'm not sure we would enable any of these. This led me to golang/go#64875 which seems to have a been a recent change and this list of supported PIE OS+Arch combos.

@powersj
Copy link
Contributor

powersj commented Apr 19, 2024

I am going to close as this as something we won't change. Because we do not use cgo and do not wish to turn it on, then it doesn't make sense to enable anything further. If I am mistaken then feel free to comment or even put up a PR with a fix/change.

Thanks!

@powersj powersj closed this as not planned Won't fix, can't repro, duplicate, stale Apr 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug unexpected problem or unintended behavior help wanted Request for community participation, code, contribution size/m 2-4 day effort
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Enable PIE hardening for certain architechtures powersj/telegraf
2 participants
@powersj @53c70r