chore: Update compiler flags for security enhancements

[wangrong1069]

As title

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-339563.html

Summary by Sourcery

Build:

• Increase _FORTIFY_SOURCE level and enable additional linker hardening options (RELRO and immediate symbol binding) in the global C++ compiler flags.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Tightens C++ compilation security by correcting the FORTIFY macro and enabling RELRO and immediate binding in the linker flags.

File-Level Changes

Change	Details	Files
Strengthened compiler and linker security flags for all C++ builds.	Corrected the fortify macro from _FORTITY_SOURCE=1 to _FORTIFY_SOURCE=2 to enable stronger glibc fortification checks. Added linker flags -Wl,-z,relro and -Wl,-z,now to enable RELRO and immediate symbol binding, hardening against certain memory corruption and GOT/PLT-based attacks. Kept existing stack protector, non-executable stack, PIE, PIC, and lazy binding flags while extending them with the new hardening options.	CMakeLists.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Consider scoping these security-related flags via add_compile_options/target_compile_options and target_link_options rather than appending to CMAKE_CXX_FLAGS, so they only apply to intended targets and are easier to override in subprojects.
• Since -Wl,-z,relro -Wl,-z,now are linker flags, it may be cleaner and more portable to move them into CMAKE_EXE_LINKER_FLAGS/CMAKE_SHARED_LINKER_FLAGS or target_link_options instead of mixing them into CMAKE_CXX_FLAGS.
• You might want to guard these flags with compiler/linker checks (e.g., using check_cxx_compiler_flag or try_link) to avoid build failures on toolchains that do not support -z noexecstack, relro, or now.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider scoping these security-related flags via `add_compile_options`/`target_compile_options` and `target_link_options` rather than appending to `CMAKE_CXX_FLAGS`, so they only apply to intended targets and are easier to override in subprojects.
- Since `-Wl,-z,relro -Wl,-z,now` are linker flags, it may be cleaner and more portable to move them into `CMAKE_EXE_LINKER_FLAGS`/`CMAKE_SHARED_LINKER_FLAGS` or `target_link_options` instead of mixing them into `CMAKE_CXX_FLAGS`.
- You might want to guard these flags with compiler/linker checks (e.g., using `check_cxx_compiler_flag` or `try_link`) to avoid build failures on toolchains that do not support `-z noexecstack`, `relro`, or `now`.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

我来对这个CMakeLists.txt的diff变更进行审查：

1. 安全编译参数变更分析：

-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong -D_FORTITY_SOURCE=1 -z noexecstack -pie -fPIC -z lazy")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong -D_FORTIFY_SOURCE=2 -z noexecstack -pie -fPIC -z lazy -Wl,-z,relro -Wl,-z,now")

2. 主要改进点：

a) _FORTIFY_SOURCE级别提升：

• 从1提升到2，这是正确的改进
• _FORTIFY_SOURCE=2提供更强的缓冲区溢出检查
• 建议配合-O2或-O3优化级别使用，因为某些检查需要优化支持

b) 新增链接时保护：

• 添加了-Wl,-z,relro（重定位只读）
• 添加了-Wl,-z,now（立即绑定）
• 这两个参数可以有效防止GOT/PLT攻击

3. 潜在问题及建议：

a) 编译选项组织：

• 建议将安全相关的编译选项单独定义，便于维护
• 可以考虑使用CMAKE_CXX_FLAGS_RELEASE和CMAKE_CXX_FLAGS_DEBUG分别设置

b) 缺失的安全选项：

• 建议添加-fPIE（位置无关可执行文件）
• 可以考虑添加-Wformat -Wformat-security来防止格式化字符串漏洞
• 建议添加-D_GLIBCXX_ASSERTIONS来增强STL检查

c) 建议的改进版本：

# 安全编译选项
set(SECURITY_COMPILE_FLAGS
    "-fstack-protector-strong"
    "-D_FORTIFY_SOURCE=2"
    "-fPIE"
    "-Wformat"
    "-Wformat-security"
    "-D_GLIBCXX_ASSERTIONS"
)

# 安全链接选项
set(SECURITY_LINK_FLAGS
    "-Wl,-z,relro"
    "-Wl,-z,now"
    "-Wl,-z,noexecstack"
)

# 应用安全选项
foreach(flag ${SECURITY_COMPILE_FLAGS})
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${flag}")
endforeach()

foreach(flag ${SECURITY_LINK_FLAGS})
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${flag}")
endforeach()

4. 其他建议：

   • 考虑添加编译器警告级别设置，如-Wall -Wextra
   • 可以添加-fno-common来防止全局变量重复定义
   • 建议在Debug模式下禁用某些优化以便调试

5. 总结：
   这个变更总体上是积极的，提升了二进制程序的安全性。但建议进一步优化配置的组织方式，并考虑添加更多的安全选项来构建更安全的程序。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, wangrong1069

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wangrong1069]

/merge