From e7f633177772ef93ba6aff328a65d268ad0d85e2 Mon Sep 17 00:00:00 2001
From: jikui
Date: Thu, 18 Mar 2021 16:11:22 +0800
Subject: [PATCH] kata-containers: modify make flags

reason: modify make flags

Signed-off-by: jikui
(cherry picked from commit 1dfa4db6775e026019d984d4d7bc76c0315318be)
---
 .../0019-kata-agent-modify-make-flags.patch | 29 ++++++++++++
 agent/series.conf | 1 +
 kata-containers.spec | 9 +++-
 .../0002-kata-proxy-modify-make-flags.patch | 29 ++++++++++++
 proxy/series.conf | 1 +
 .../0068-kata-runtime-modify-make-flags.patch | 45 +++++++++++++++++++
 runtime/series.conf | 3 ++
 .../0002-kata-shim-modify-make-flags.patch | 29 ++++++++++++
 shim/series.conf | 1 +
 9 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 agent/patches/0019-kata-agent-modify-make-flags.patch
 create mode 100644 proxy/patches/0002-kata-proxy-modify-make-flags.patch
 create mode 100644 runtime/patches/0068-kata-runtime-modify-make-flags.patch
 create mode 100644 shim/patches/0002-kata-shim-modify-make-flags.patch

diff --git a/agent/patches/0019-kata-agent-modify-make-flags.patch b/agent/patches/0019-kata-agent-modify-make-flags.patch
new file mode 100644
index 0000000..50f88fc
--- /dev/null
+++ b/agent/patches/0019-kata-agent-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 1c7aaafa7b8691ea6ed6c910455567b36bb6f5ff Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:25:49 +0800
+Subject: [PATCH] kata-agent: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index e4fd243..26fe898 100644
+--- a/Makefile
++++ b/Makefile
+@@ -101,6 +101,9 @@ AGENT_IMAGE := katacontainers/agent-dev
+ AGENT_TAG := $(if $(COMMIT_NO_SHORT),$(COMMIT_NO_SHORT),dev)
+
+ $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \
+ -ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
+
+--
+2.25.1
+
diff --git a/agent/series.conf b/agent/series.conf
index fc5adee..732fc3f 100644
--- a/agent/series.conf
+++ b/agent/series.conf
@@ -16,3 +16,4 @@
 0016-clock-synchronizes-clock-info-with-proxy.patch
 0017-agent-add-support-of-new-sandbox-StratoVirt.patch
 0018-kata-agent-update-nic-in-guest.patch
+0019-kata-agent-modify-make-flags.patch
diff --git a/kata-containers.spec b/kata-containers.spec
index 2e27435..79299ff 100644
--- a/kata-containers.spec
+++ b/kata-containers.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 %define VERSION v1.11.1
-%define RELEASE 10
+%define RELEASE 11
 Name: kata-containers
 Version: %{VERSION}
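Review bot: The added `CGO_CFLAGS` line in the agent Makefile patch compiles C objects with `-fPIE`, but none of the three added lines asks for a position-independent executable at link time, so whether the agent binary actually benefits from ASLR depends on `$(BUILDFLAGS)`, which is defined outside this hunk; if it does not already carry `-buildmode=pie`, that should be added. These variables only reach code built through cgo, so the result is worth confirming on the built binary with `readelf -h -l -d` (DYN type, `GNU_RELRO`, `BIND_NOW`, non-executable `GNU_STACK`). The same three lines are pasted verbatim into the proxy and shim patches and twice into the runtime patch, and as written they replace any `CGO_CFLAGS`/`CGO_LDFLAGS` the packager exported rather than appending to them. A comment above the recipe such as `# Harden cgo objects: stack protector, FORTIFY_SOURCE, full RELRO, noexecstack` would record the intent that "modify make flags" leaves out.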
@@ -70,6 +70,7 @@ install -p -m 755 -D %{_builddir}/kernel/linux/arch/arm64/boot/Image %{buildroot
 cd %{_builddir}/kata_integration
 mkdir -p -m 750 %{buildroot}/usr/bin
+strip ./build/kata-runtime ./build/kata-proxy ./build/kata-shim ./build/kata-netmon
 install -p -m 750 ./build/kata-runtime ./build/kata-proxy ./build/kata-shim ./build/kata-netmon %{buildroot}/usr/bin/
 install -p -m 640 ./build/kata-containers-initrd.img %{buildroot}/var/lib/kata/
 mkdir -p -m 750 %{buildroot}/usr/share/defaults/kata-containers/
@@ -90,6 +91,12 @@ install -p -m 640 -D ./runtime/cli/config/configuration-qemu.toml %{buildroot}/u
 %changelog
+* Thu Mar 17 2021 jikui - 1.11.1-11
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:modify make flags
+
 * Tue Feb 23 2021 xinghe - 1.11.1-10
 - Type:CVE
 - ID:NA
diff --git a/proxy/patches/0002-kata-proxy-modify-make-flags.patch b/proxy/patches/0002-kata-proxy-modify-make-flags.patch
new file mode 100644
index 0000000..b164997
--- /dev/null
+++ b/proxy/patches/0002-kata-proxy-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 2c5cbf2ca9624d5443ad334a8337cb58d57573b2 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:34:07 +0800
+Subject: [PATCH] kata-proxy: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index a1b3eee..07e9ba8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+
+ test:
+--
+2.25.1
+
diff --git a/proxy/series.conf b/proxy/series.conf
index 1f29a6e..c798bb5 100644
--- a/proxy/series.conf
+++ b/proxy/series.conf
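Review bot: The added `strip ./build/kata-runtime ...` line in `%install` discards the symbols of all four binaries, and because the spec sets `%global debug_package %{nil}` no debuginfo package is produced to keep them, so crash dumps and post-incident analysis of these binaries lose their symbol information for good. The proxy and shim Makefiles patched in this same commit show an `ifeq ($(STRIP),yes)` switch in their hunk headers; what it does is outside the visible lines, but if it already passes strip flags to the Go linker, using it would be more consistent than running binutils `strip` over finished Go binaries. A comment above the line, for example `# strip symbols from shipped binaries (no debuginfo package is built)`, would at least record that the loss is deliberate.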
@@ -1 +1,2 @@
 0001-clock-synchronizes-clock-info-to-agent.patch
+0002-kata-proxy-modify-make-flags.patch
diff --git a/runtime/patches/0068-kata-runtime-modify-make-flags.patch b/runtime/patches/0068-kata-runtime-modify-make-flags.patch
new file mode 100644
index 0000000..32e13bc
--- /dev/null
+++ b/runtime/patches/0068-kata-runtime-modify-make-flags.patch
@@ -0,0 +1,45 @@
+From 883dac2d9cd4daea88a9ac0325df02d1de578168 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:48:11 +0800
+Subject: [PATCH] kata-runtime: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b62e64b..6b9f764 100644
+--- a/Makefile
++++ b/Makefile
+@@ -521,7 +521,11 @@ containerd-shim-v2: $(SHIMV2_OUTPUT)
+ netmon: $(NETMON_TARGET_OUTPUT)
+
+ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
+- $(QUIET_BUILD)(cd $(NETMON_DIR) && go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
++ $(QUIET_BUILD)(cd $(NETMON_DIR) && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
+
+ runtime: $(TARGET_OUTPUT) $(CONFIGS)
+ .DEFAULT: default
+@@ -559,7 +563,11 @@ GENERATED_FILES += $(CLI_DIR)/config-generated.go
+ GENERATED_FILES += pkg/katautils/config-settings.go
+
+ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+- $(QUIET_BUILD)(cd $(CLI_DIR) && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
++ $(QUIET_BUILD)(cd $(CLI_DIR) && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+ $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .)
+--
+2.25.1
+
diff --git a/runtime/series.conf b/runtime/series.conf
index 462da99..78b2c57 100644
--- a/runtime/series.conf
+++ b/runtime/series.conf
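Review bot: The `$(SHIMV2_OUTPUT)` recipe shown as trailing context in the second Makefile hunk still runs a bare `go build $(KATA_LDFLAGS) -i -o $@ .`, so containerd-shim-v2 is built without the hardening variables that netmon and kata-runtime receive here; that recipe may continue past the hunk. If the omission is not deliberate and the binary is shipped, the same `CGO_CFLAGS`/`CGO_LDFLAGS_ALLOW`/`CGO_LDFLAGS` prefix belongs in front of that `go build` as well. Since the block is now pasted twice in this file, defining it once (for example `HARDEN_ENV := CGO_CFLAGS="..." CGO_LDFLAGS_ALLOW="..." CGO_LDFLAGS="..."`, name constructed for illustration) and writing `$(HARDEN_ENV) go build ...` in each recipe would keep the targets from drifting apart.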
@@ -63,3 +63,6 @@
 0063-kata-runtime-fix-get-sandbox-cpu-resources-problem.patch
 0064-runtime-add-support-for-stratovirt-of-kata-check-cli.patch
 0065-runtime-fixup-that-the-getPids-function-returns-pid-.patch
+0066-CVE-2020-28914-1.patch
+0067-CVE-2020-28914-2.patch
+0068-kata-runtime-modify-make-flags.patch
diff --git a/shim/patches/0002-kata-shim-modify-make-flags.patch b/shim/patches/0002-kata-shim-modify-make-flags.patch
new file mode 100644
index 0000000..290d3ed
--- /dev/null
+++ b/shim/patches/0002-kata-shim-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 0a4adf4ffafd31820c471353757de2a6e2260e39 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:52:27 +0800
+Subject: [PATCH] kata-shim: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 5cba637..b244053 100644
+--- a/Makefile
++++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+
+ test:
+--
+2.25.1
+
diff --git a/shim/series.conf b/shim/series.conf
index ce1ab40..f9a1be0 100644
--- a/shim/series.conf
+++ b/shim/series.conf
@@ -1 +1,2 @@
 0001-kata-shim-fix-kata-shim-process-wait-long-tim.patch
+0002-kata-shim-modify-make-flags.patch
--
Gitee
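Review bot: Two CVE patches, `0066-CVE-2020-28914-1.patch` and `0067-CVE-2020-28914-2.patch`, are enabled in runtime/series.conf here without any mention in the commit message or in the new 1.11.1-11 changelog entry, which only says "modify make flags". The diffstat creates only `0068-kata-runtime-modify-make-flags.patch` under runtime/patches, so the two CVE patch files presumably arrived with an earlier commit and were not listed in the series until now. If that is the case, the fix only starts being applied with this release, and the commit message or changelog should say so, so that the CVE fix can be traced to the package version that actually carries it.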