Native Executable --no-pie #33524

Closed
brunocaballero opened this issue May 22, 2023 · 15 comments · Fixed by #33931

brunocaballero commented May 22, 2023

Describe the bug

By default, the linker option -H:NativeLinkerOption=-no-pie is used when building a native image with Quarkus.

Please make this option configurable.

[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildRunner] /home/microdoc/P172300/shipping/graalvm-java17/bin/native-image -J-Dsun.nio.ch.maxUpdateArraySize=100 -J-Dlogging.initial-configurator.min-level=500 -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dvertx.logger-delegate-factory-class-name=io.quarkus.vertx.core.runtime.VertxLogDelegateFactory -J-Dvertx.disableDnsResolver=true -J-Dio.netty.leakDetection.level=DISABLED -J-Dio.netty.allocator.maxOrder=3 -J-Duser.language=en -J-Duser.country=US -J-Dfile.encoding=UTF-8 --features=io.quarkus.runner.Feature,io.quarkus.runtime.graal.DisableLoggingFeature -H:-ParseOnce -J--add-exports=java.security.jgss/sun.security.krb5=ALL-UNNAMED -J--add-opens=java.base/java.text=ALL-UNNAMED -J--add-opens=java.base/java.io=ALL-UNNAMED -J--add-opens=java.base/java.lang.invoke=ALL-UNNAMED -J--add-opens=java.base/java.util=ALL-UNNAMED -H:+AllowFoldMethods -J-Djava.awt.headless=true --no-fallback --link-at-build-time -H:+ReportExceptionStackTraces -H:-AddAllCharsets --enable-url-protocols=http -H:NativeLinkerOption=-no-pie -H:-UseServiceLoaderFeature -H:+StackTrace -J--add-exports=org.graalvm.sdk/org.graalvm.nativeimage.impl=ALL-UNNAMED --exclude-config io\.netty\.netty-codec /META-INF/native-image/io\.netty/netty-codec/generated/handlers/reflect-config\.json --exclude-config io\.netty\.netty-handler /META-INF/native-image/io\.netty/netty-handler/generated/handlers/reflect-config\.json getting-started-1.0.0-SNAPSHOT-runner -jar getting-started-1.0.0-SNAPSHOT-runner.jar

Expected behavior

Some operating system configurations expect binaries to be PIE.

Actual behavior

No response

How to Reproduce?

Follow the instructions on https://quarkus.io/guides/building-native-image

Output of uname -a or ver

6.1.0-8-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.25-1 (2023-04-22) x86_64 GNU/Linux

Output of java -version

17.0.7-release+8

GraalVM version (if different from Java)

22.3

Quarkus version or git rev

3.0.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

3.8.7

Additional information

No response


geoand commented May 23, 2023

> By default, the linker option -H:NativeLinkerOption=-no-pie is used when building a native image with Quarkus.

This isn't entirely true - here is the code that decides whether the flag should be added or not:

        boolean isContainerBuild = nativeImageRunner.isContainerBuild();
        if (!isContainerBuild && SystemUtils.IS_OS_LINUX) {
            noPIE = detectNoPIE();
        }

and

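    // Try "-no-pie" first, then the alternative spelling "-nopie".
    private static String detectNoPIE() {
        String argument = testGCCArgument("-no-pie");

        return argument.length() == 0 ? testGCCArgument("-nopie") : argument;
    }

    // Returns the argument if the system C compiler accepts it (exit status 0), otherwise "".
    private static String testGCCArgument(String argument) {
        try {
            // Preprocess an empty stdin ("-E -") so that only the flag itself is tested.
            Process gcc = new ProcessBuilder("cc", "-v", "-E", argument, "-").start();
            gcc.getOutputStream().close();
            if (gcc.waitFor() == 0) {
                return argument;
            }

        } catch (IOException | InterruptedException e) {
            // Ignored: any failure is treated as "flag not supported".
        }

        return "";
    }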


geoand commented May 23, 2023

I'll leave this one up to @zakkak to decide if there is anything we need to do in Quarkus


zakkak commented May 23, 2023

@brunocaballero you should be able to override the -no-pie options by passing -Dquarkus.native.additional-build-args=-H:NativeLinkerOption=-pie to your build. Can you please give this a try?

@brunocaballero

No change, because it is always added at the end of the linker command.

@brunocaballero

I was able to generate an application and run it on the target by keeping the temporary files of the build process and repeating the linker command without the -no-pie option.

I think you should add an option to make generating a non-PIE binary optional, because PIE binaries are more secure.

Is there a reason why you are disabling it?


zakkak commented May 24, 2023

> Is there a reason why you are disabling it?

AFAIK the reason we don't want it enabled by default is performance, see https://www.redhat.com/en/blog/position-independent-executable-pie-performance

> No change, because it is always added at the end of the linker command.

I see, that's because NativeLinkerOption is a MultiOption, meaning that you can't override a previous value by passing it again; instead it just adds the new value as well.

> I think you should add an option to make generating a non-PIE binary optional, because PIE binaries are more secure.

I agree.
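
An added example, not part of the issue thread or of Quarkus: a check a build pipeline could run on the produced runner binary to confirm whether the linker emitted a PIE, by reading the ELF header type and the DF_1_PIE dynamic flag. It assumes a 64-bit little-endian ELF such as the x86_64 Linux build reported here; `classify_elf` and `build_sample` are hypothetical names and the sample images are constructed.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000

def classify_elf(data: bytes) -> str:
    """Return 'non-PIE executable', 'PIE executable' or 'shared object'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type == ET_EXEC:
        return "non-PIE executable"  # fixed load address, what -no-pie produces
    if e_type != ET_DYN:
        raise ValueError(f"unexpected e_type {e_type}")
    has_interp = pie_flag = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", data, off)
        p_filesz, = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_FLAGS_1 and d_val & DF_1_PIE:
                    pie_flag = True
    # Heuristic: ET_DYN is shared between PIEs and libraries; a PIE asks for
    # an interpreter or carries DF_1_PIE, a plain shared library has neither.
    return "PIE executable" if has_interp or pie_flag else "shared object"

def build_sample(e_type: int, flags_1: int = 0) -> bytes:
    """Constructed minimal ELF64 image: header, one PT_DYNAMIC, two dynamic entries."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, 32, 32, 8)
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, flags_1, DT_NULL, 0)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import sys, pathlib
    print(classify_elf(pathlib.Path(sys.argv[1]).read_bytes()))
```

Run as a script with the path of the built runner binary as the only argument to classify a real executable.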


zakkak commented May 25, 2023

I started a discussion on how to approach this in https://groups.google.com/g/quarkus-dev/c/8v20Edl5nl8/m/iGegsIA_CwAJ

@maxandersen

@brunocaballero can you give examples of which system configurations you are thinking about that prefer PIE? (Not doubting they exist, just wondering if there is something specific about it.)

@brunocaballero

Android 5.0 and later only support position-independent executables.


geoand commented May 25, 2023

You plan to use Quarkus on Android?

@maxandersen

Android has all kinds of fun.


galderz commented Jun 1, 2023

> You plan to use Quarkus on Android?

@brunocaballero was at last year's GraalVM Community Meetup in Zurich; they help people run JVM and GraalVM on lesser known/used platforms.


geoand commented Jun 1, 2023

Very cool


galderz commented Jun 9, 2023

@brunocaballero FYI PR: #33931

@brunocaballero

Thanks a lot!

quarkus-bot added this to the 3.3 - main milestone Jul 21, 2023