cmd/go/internal/work/security: add `-ftls-model=(.*)` to safelist

[pdecat]

Go version

go version go1.23.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/root/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/build/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build198491779=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Added -ftls-model=local-dynamic to a # cgo CFLAGS: directive to work-around issues with initial-exec thread-local storage model on alpine with musl.

What did you see happen?

CGO_ENABLED=1 go build -v -o steampipe_postgres_fdw.a  -tags "netgo" -buildmode=c-archive ../*.go
runtime/cgo
os/user
command-line-arguments
command-line-arguments: invalid flag in #cgo CFLAGS: -ftls-model=local-dynamic

What did you expect to see?

Build should work normally.

Work-around: define CGO_CFLAGS_ALLOW='-ftls-model=(.*)' environment variable.

[gabyhelp]

Related Issues and Documentation

• cmd/go: allow flags in CGO_LDFLAGS environment variable not in security allowlist #42565 (closed)
• cmd/cgo: after upgrade from 1.9.2 to 1.10, cgo compile fails with "invalid flag in #cgo LDFLAGS: -Wl,-z,relro" #24124 (closed)
• x/tools/gopls: negated build flag causes error #59346
• cmd/go: add more options to security whitelist #23937 (closed)
• cmd/go: Build information embedded by Go 1.18 impairs build reproducibility with cgo flags #52372 (closed)
• cls #67514 (closed)
• cmd/go: allow passing -U flag in cgo CFLAGS #34730 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[mknyszek]

@golang/tools-team

[matloob]

Is there a list of valid values of ftls-model? Could we make the regexp more restrictive? I think it should at least be '-ftls-model=([a-z-]*)' assuming that all the valid values match? (Doing a quick search they seem to?)

[pdecat]

According to GCC docs, valid values are: global-dynamic, local-dynamic, initial-exec and local-exec.

[matloob]

Okay, then I think we should we add -ftls-model=(global-dynamic|local-dynamic|initial-exec|local-exec)

[gopherbot]

Change https://go.dev/cl/617136 mentions this issue: cmd/go/internal/security: add -ftls-model to valid compiler flags