From a5d9eaca55709df129d15341741fc04d6f764873 Mon Sep 17 00:00:00 2001
From: yeshanshan
Date: Thu, 3 Jul 2025 13:22:54 +0800
Subject: [PATCH] fix: enhance build security hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Added security hardening compiler flags in debian/rules including stack protection and RELRO
2. Removed redundant linker flag from dtkgui.cmake that was already set in debian/rules
3. Consolidated security-related build flags in debian/rules for better maintainability
4. The changes improve binary security against common exploits while maintaining compatibility
fix: 增强构建安全加固
1. 在debian/rules中添加了安全加固编译标志,包括栈保护和RELRO
2. 从dtkgui.cmake中移除了已在debian/rules中设置的冗余链接器标志
3. 将安全相关的构建标志整合到debian/rules中以提高可维护性
4. 这些改动提高了二进制文件对常见漏洞攻击的防护能力,同时保持兼容性
---
 debian/rules | 6 ++++++
 dtkgui.cmake | 1 -
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index f23a61dd..105935ec 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,12 @@ DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/default.mk
 export QT_SELECT = qt5
+# 安全编译参数
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND = -Wall
+export DEB_CXXFLAGS_MAINT_APPEND = -Wall
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E
+
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 VERSION = $(DEB_VERSION_UPSTREAM)
diff --git a/dtkgui.cmake b/dtkgui.cmake
index 9a0c2e4f..c721fff7 100644
--- a/dtkgui.cmake
+++ b/dtkgui.cmake
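Review bot: `-Wl,-E` at the end of `DEB_LDFLAGS_MAINT_APPEND` in the debian/rules hunk is `--export-dynamic`, which adds every symbol of a linked executable to its dynamic symbol table; it is not a hardening option and it widens the exported surface, so it should be dropped or moved to its own line with a comment saying why it is needed. `hardening=+all` already enables the `relro` and `bindnow` features, so the explicit `-Wl,-z,relro -Wl,-z,now` repeat what dpkg-buildflags emits; `export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,noexecstack` would carry only what the hardening set does not. The comment above the block could say what is being switched on, for example `# Hardening: +all enables PIE, bindnow, relro, stack protector, fortify and format checks`. Since these settings now exist only in the packaging, they presumably reach Debian package builds alone, and it is worth confirming with `hardening-check` or `readelf -d` on the built library that the CMake build honours the exported flags.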
@@ -43,7 +43,6 @@ set(CONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/cmake/Dtk${DTK_VERSION_MAJOR}Gui
 set(PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wextra -fopenmp")
-set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--as-needed")
 set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")
 if (CMAKE_BUILD_TYPE STREQUAL "Debug")
 set(BUILD_TESTING ON)