chore: enable PIE in dynamic builds

[wfrisch]

This change makes dynamic executables position-independent.

Summary by CodeRabbit

• Chores
  • Build configuration updated so dynamically linked binaries are produced as position-independent executables (PIE), improving runtime hardening and compatibility with stricter platform security policies.
  • No functional behavior changes expected; existing flags and control flow remain unchanged.
  • Binary artifacts may differ at the build level, but packaging and deployment workflows are unaffected.

[coderabbitai]

Walkthrough

The Makefile's dynamic-link build flags now include -buildmode=pie in GO_LDFLAGS_DYNAMIC, making dynamic-link builds explicitly position-independent; other flags and build targets are unchanged. (50 words)

Changes

Cohort / File(s)	Summary of changes
Build configuration Makefile	Added -buildmode=pie to GO_LDFLAGS_DYNAMIC (used by the dynamic-link go build invocation); preserved existing -X version/git ldflags, -tags dynamic, and $(COVERAGE_FLAG).

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer / CI
    participant Make as Makefile
    participant Go as go build

    Dev->>Make: invoke make target (dynamic-link)
    Note right of Make: GO_LDFLAGS_DYNAMIC includes\n`-X Version=... -X GitCommit=... -buildmode=pie`
    Make->>Go: go build -tags dynamic -ldflags "$(GO_LDFLAGS_DYNAMIC)" $(COVERAGE_FLAG)
    alt build succeeds
        Go-->>Make: binary (PIE dynamic)
        Make-->>Dev: artifact
    else build fails
        Go-->>Make: error
        Make-->>Dev: failure
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

I twitch my nose at flags that gleam,
A PIE now bakes within our build stream.
Hops of bytes, position-free,
Linking light as prairie breeze.
Carrot-compiled, I cheer with glee! 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly and accurately describes the main change of enabling PIE in dynamic builds by adding the relevant build flag, matching the content of the pull request without unnecessary detail or ambiguity.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b0e65d and 44177aa.

📒 Files selected for processing (1)

• Makefile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• Makefile

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🧪 Early access (Sonnet 4.5): enabled

We are currently testing the Sonnet 4.5 model, which is expected to improve code review quality. However, this model may lead to increased noise levels in the review comments. Please disable the early access features if the noise level causes any inconvenience.

Note:

• Public repositories are always opted into early access features.
• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

Makefile (1)

73-73: Good security improvement, but consider consistency with static build.

Enabling PIE for dynamic builds is a valuable security enhancement that enables ASLR. The implementation is correct and will work as intended.

However, for better maintainability, consider defining the PIE flag in the GO_LDFLAGS_DYNAMIC variable (similar to how GO_LDFLAGS includes -buildmode=pie on line 23) rather than adding it inline. This would make future updates to build flags easier to manage consistently across both build targets.

Optional refactor: Apply this diff to align with the static build pattern:

 GO_LDFLAGS_DYNAMIC := -X github.com/mozillazg/ptcpdump/internal.Version=$(VERSION)
 GO_LDFLAGS_DYNAMIC += -X github.com/mozillazg/ptcpdump/internal.GitCommit=$(GIT_COMMIT)
+GO_LDFLAGS_DYNAMIC += -buildmode=pie

Then update line 73:

-	CGO_ENABLED=1 go build -buildmode=pie -tags dynamic -ldflags "$(GO_LDFLAGS_DYNAMIC)" $(COVERAGE_FLAG)
+	CGO_ENABLED=1 go build -tags dynamic -ldflags "$(GO_LDFLAGS_DYNAMIC)" $(COVERAGE_FLAG)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7eefa8 and 3b0e65d.

📒 Files selected for processing (1)

• Makefile (1 hunks)

[coveralls]

coverage: 73.632% (+0.3%) from 73.348%
when pulling 44177aa on wfrisch:enable-PIE
into a7eefa8 on mozillazg:master.

[mozillazg]

LGTM, Thanks for your contribution!