The current ebuild compiles fine on hardened gentoo (with PaX), but the binaries won't run by default as they contain text relocations:

# readelf -d /usr/bin/containerd-shim | grep TEXT
 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL BIND_NOW

When trying to run them on default PaX settings:

# containerd-shim --help
containerd-shim: error while loading shared libraries: cannot make segment writable for relocation: Permission denied
( permission is denied for mprotect(0x79f5d3d000, 3522560, PROT_READ|PROT_WRITE) )

I was able to compile the "containerd" binary without relocations, similarly to how the app-emulation/docker ebuild does it, by setting -extldflags:

LDFLAGS="-extldflags -fno-PIC" emake GIT_COMMIT="$EGIT_COMMIT" BUILDTAGS="${options[@]}" ...

That compiled containerd without relocations, but the containerd-shim binary still contains them and I don't know why :(

FYI, app-emulation/docker is using this -extldflags only under "if gcc-specs-pie; then".

Hope it helps, thanks for adding hardened gentoo support for containerd if possible.
Created attachment 443870: support for hardened gentoo

I figured it out. Upstream is not adding LDFLAGS into the shim build line (https://github.com/docker/containerd/blob/master/Makefile). When added using sed, it compiles correctly without relocations.
It was solved by my accepted pull request (https://github.com/docker/containerd/commit/403ccb155bb1d4e5d1b32cad029fb26ec21172b4) so closing the bug report.
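The two steps the thread describes, checking a binary for the TEXTREL that PaX refuses to load and patching LDFLAGS into a Makefile build line that lacks it, as an added shell example. This is not code from the bug report, the Gentoo ebuild or the containerd project: the readelf excerpts and the Makefile fragment are constructed samples in the shape the comments describe, the function names are mine, and the on-disk check assumes a binutils readelf is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report: detect DT_TEXTREL / the TEXTREL
# bit of DT_FLAGS in an ELF dynamic section, and patch LDFLAGS into a Makefile
# build line that omits it, which is what the reporter did with sed.

# Constructed readelf -d excerpts used as sample input (not captured output).
SAMPLE_WITH_TEXTREL=' 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL BIND_NOW'
SAMPLE_CLEAN=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

# Read `readelf -d` output on stdin; exit 0 when the DT_TEXTREL tag or the
# TEXTREL flag inside DT_FLAGS is present, 1 otherwise.
dynsec_has_textrel() {
    grep -Eq '\(TEXTREL\)|\(FLAGS\)[[:space:]].*TEXTREL'
}

# Check an on-disk ELF (needs binutils readelf). Exit 0 if TEXTREL is present,
# 1 if the dynamic section is clean, 2 if readelf could not read the file.
binary_has_textrel() {
    out=$(readelf -d "$1" 2>/dev/null) || return 2
    printf '%s\n' "$out" | dynsec_has_textrel
}

# Scan a directory and print every binary a default PaX policy would reject.
report_textrel() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if binary_has_textrel "$f"; then
            printf 'TEXTREL: %s\n' "$f"
        fi
    done
}

# Constructed, hypothetical Makefile fragment in the shape the second comment
# describes: the containerd target passes LDFLAGS, the shim target does not.
MAKEFILE_SAMPLE='containerd:
	go build -ldflags "$(LDFLAGS)" -o bin/containerd ./containerd
containerd-shim:
	go build -o bin/containerd-shim ./containerd-shim'

# Read a Makefile on stdin and add -ldflags "$(LDFLAGS)" to every `go build`
# line that does not already pass -ldflags. Lines that already carry it are
# left untouched, so the patch is idempotent and safe to re-run.
add_ldflags_to_makefile() {
    sed -E '/go build/{/-ldflags/!s/go build /go build -ldflags "$(LDFLAGS)" /;}'
}

# Usage: ./textrel-check.sh /usr/bin   (assumed script name)
if [ $# -gt 0 ]; then
    report_textrel "$1"
fi
```

With LDFLAGS set to "-extldflags -fno-PIC" before emake, as the docker ebuild does under gcc-specs-pie, the patched shim line gets the same flags as the containerd line; rerun report_textrel on the install directory afterwards to confirm no TEXTREL remains.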