core/overreach: override runtime.secureMode for tracebacks on panics & fatals

Author: ignoramous

Makefile

@@ -9,7 +9,9 @@ DATESTR=$(shell date -u +'%Y%m%d%H%M%S')
 XGO_LDFLAGS='-s -w -X main.version=$(COMMIT_ID)'
 # github.com/xjasonlyu/tun2socks/blob/bf745d0e0/Makefile#L14
 LDFLAGS_DEBUG='-buildid= -X $(IMPORT_PATH)/intra/core.Date=$(DATESTR) -X $(IMPORT_PATH)/intra/core.Commit=$(COMMIT_ID)'
-LDFLAGS='-w -s -buildid= -X $(IMPORT_PATH)/intra/core.Date=$(DATESTR) -X $(IMPORT_PATH)/intra/core.Commit=$(COMMIT_ID)'
+# checklinkname to override runtime.secureMode; see: core/overreach.go
+# github.com/golang/go/issues/69868
+LDFLAGS='-checklinkname=0 -w -s -buildid= -X $(IMPORT_PATH)/intra/core.Date=$(DATESTR) -X $(IMPORT_PATH)/intra/core.Commit=$(COMMIT_ID)'
 CGO_LDFLAGS="$(CGO_LDFLAGS) -s -w -Wl,-z,max-page-size=16384"
 
 # github.com/golang/mobile/blob/a1d90793fc/cmd/gomobile/bind.go#L36

intra/core/overreach.go

@@ -14,3 +14,29 @@ import (
 func RuntimeEnviron() []string {
 	return syscall.Environ()
 }
+
+// github.com/golang/go/issues/69868
+// RuntimeSecureMode reports whether the Go runtime is in secure mode.
+// Unfortunately, Android apps have AT_SECURE set
+// (read bytes in /proc/self/auxv on non-rooted Androids).
+// This means, on Go runtime fatal / throws and a few kinds of panics,
+// only one line is output to logcat (Android's stderr) which makes it
+// hard to tell just what went wrong. Android, does use unwinder for
+// native apps, and the Android RunTime has its own unwinder;
+// both of which traceback seemingly oblivious to AT_SECURE.
+// Perhaps, there's security benefits to the Go runtime being this rigid
+// about GOTRACEBACK, but for goos.IsAndroid (and for apps with uid > 10000),
+// using AT_SECURE to determine "setuid-like" protections appears pointless.
+func RuntimeSecureMode() bool {
+	return runtime_iss()
+}
+
+//go:linkname runtime_iss runtime.isSecureMode
+func runtime_iss() bool
+
+// pushing func symbols does not work on go1.24+
+// but pushing vars apparently still works provided
+// -ldflags="checklinkname=0"
+
+//go:linkname iss runtime.secureMode
+var iss bool

intra/tunnel.go

@@ -521,7 +521,8 @@ func (t *rtunnel) stat() (*x.NetStat, error) {
 
 	uid := fmt.Sprintf("uid=%d", syscall.Getuid())
 	pid := fmt.Sprintf("pid=%d", syscall.Getpid())
-	out.GOSt.Args = strings.Join(append(os.Args, uid, pid), ";")
+	sec := fmt.Sprintf("sec=%t", core.RuntimeSecureMode())
+	out.GOSt.Args = strings.Join(append(os.Args, uid, pid, sec), ";")
 	out.GOSt.Env = strings.Join(core.RuntimeEnviron(), ";")
 	out.GOSt.Pers, _ = os.Executable()