fix: Fix sw64 gcc not support pie by default

[wangrong1069]

Add the -fPIE parameter via CMAKE_POSITION_INDEPENDENT_CODE.
Add the -pie parameter via target_link_options.

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-339563.html

Summary by Sourcery

Enable position-independent code and executables across key file manager components to address platform-specific PIE defaults and improve security.

Build:

• Turn on CMAKE_POSITION_INDEPENDENT_CODE globally to compile position-independent code by default.
• Add -pie linker options to main file manager, dialogs, preview, daemon, and diskencrypt executables to produce position-independent executables.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangrong1069

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sourcery-ai]

Reviewer's Guide

This PR enables position-independent code (PIE) across the project to address a sw64 GCC default behavior, by turning on global PIE compilation and adding PIE linker flags to key executables for improved security and compatibility.

Flow diagram for CMake build process with PIE flags

flowchart TD
    A["Configure CMake"] --> B{"CMAKE_POSITION_INDEPENDENT_CODE"}
    B -->|ON in root CMakeLists| C["Compile sources with -fPIE"]

    C --> D["Per-target CMakeLists"]

    D --> E_dde_file_manager["dde_file_manager adds target_link_options(-pie)"]
    D --> E_dde_file_dialog["dde_file_dialog adds target_link_options(-pie)"]
    D --> E_dde_file_dialog_x11["dde_file_dialog_x11 adds target_link_options(-pie)"]
    D --> E_dde_file_dialog_wayland["dde_file_dialog_wayland adds target_link_options(-pie)"]
    D --> E_filepreview["filepreview adds target_link_options(-pie)"]
    D --> E_diskencrypt["diskencrypt adds target_link_options(-pie)"]
    D --> E_daemon["dde_file_manager_daemon adds target_link_options(-pie)"]

    E_dde_file_manager --> F["Link executables with -pie"]
    E_dde_file_dialog --> F
    E_dde_file_dialog_x11 --> F
    E_dde_file_dialog_wayland --> F
    E_filepreview --> F
    E_diskencrypt --> F
    E_daemon --> F

    F --> G["PIE-enabled binaries for sw64 gcc"]

Loading

File-Level Changes

Change	Details	Files
Enable global position-independent code generation for all targets via CMake.	Set CMAKE_POSITION_INDEPENDENT_CODE to ON at the top-level CMake configuration to add -fPIE/-fPIC as appropriate across targets Reliance on CMake’s built-in handling to propagate position-independent compilation flags to libraries/executables, potentially affecting all compiled objects	CMakeLists.txt
Link main GUI applications as position-independent executables (PIE).	Add -pie linker option to the Wayland file dialog target via target_link_options Add -pie linker option to the X11 file dialog target via target_link_options Add -pie linker option to the generic file dialog target via target_link_options Add -pie linker option to the file manager preview helper executable via target_link_options Add -pie linker option to the main file manager executable via target_link_options	src/apps/dde-file-dialog-wayland/CMakeLists.txt src/apps/dde-file-dialog-x11/CMakeLists.txt src/apps/dde-file-dialog/CMakeLists.txt src/apps/dde-file-manager-preview/filepreview/CMakeLists.txt src/apps/dde-file-manager/CMakeLists.txt
Link disk encryption service and file manager daemon as PIE executables.	Add -pie linker option to the diskencrypt service executable via target_link_options Add -pie linker option to the file manager daemon executable via target_link_options	src/services/diskencrypt/CMakeLists.txt src/apps/dde-file-manager-daemon/CMakeLists.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• Enabling CMAKE_POSITION_INDEPENDENT_CODE globally may impact all targets including static libraries; consider restricting this setting to the specific targets or platforms (e.g., only sw64/gcc) that require PIE support.
• The target_link_options(... -pie) additions are duplicated across multiple CMakeLists; consider centralizing this in a common helper function or applying a target property from a shared CMake module to reduce repetition.
• It may be safer to gate -pie usage on compiler and platform checks (e.g., if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "sw64")) to avoid issues on toolchains that don’t support or need this flag.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Enabling `CMAKE_POSITION_INDEPENDENT_CODE` globally may impact all targets including static libraries; consider restricting this setting to the specific targets or platforms (e.g., only sw64/gcc) that require PIE support.
- The `target_link_options(... -pie)` additions are duplicated across multiple CMakeLists; consider centralizing this in a common helper function or applying a target property from a shared CMake module to reduce repetition.
- It may be safer to gate `-pie` usage on compiler and platform checks (e.g., `if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "sw64")`) to avoid issues on toolchains that don’t support or need this flag.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[deepin-ci-robot]

deepin pr auto review

这份 git diff 展示了对构建系统（CMake）的一系列修改，主要目的是为了增强可执行文件的安全性。以下是对该代码修改的详细审查和改进意见：

1. 修改意图分析

开发者通过修改多个 CMakeLists.txt 文件，引入了以下两个安全特性：

• CMAKE_POSITION_INDEPENDENT_CODE (PIC)：在根目录 CMakeLists.txt 中开启。这会告诉编译器生成位置无关代码，主要用于共享库，但结合 ASLR（地址空间布局随机化）也能提高安全性。
• -pie (Position Independent Executable)：在多个子应用（如 dde-file-dialog, dde-file-manager 等）的 CMakeLists.txt 中添加。这会告诉链接器生成位置无关可执行文件。

2. 代码审查

2.1 逻辑与语法

• 语法正确性：CMake 命令 set(CMAKE_POSITION_INDEPENDENT_CODE ON) 和 target_link_options(... PRIVATE -pie) 的语法是完全正确的，符合 CMake 标准。
• 逻辑一致性：
  • 在根目录开启 PIC 是合理的，因为现代编译器通常建议为所有代码生成 PIC，以便支持 ASLR。
  • 对可执行文件目标（add_executable）添加 -pie 标志是正确的做法，这通常与 PIC 配合使用。

2.2 代码质量

• 注释清晰：添加的注释 # Enable position-independent executables for improved security 清晰地解释了修改的原因，符合良好的编码规范。
• 可维护性：修改分散在各个子目录中。虽然这是 CMake 的常规做法，但如果未来需要统一管理链接器选项，可能需要考虑在更上层的 CMakeLists.txt 中定义通用的编译或链接选项。

2.3 性能影响

• 轻微开销：启用 PIC 和 PIE 会引入极小的性能开销（主要是由于增加了寄存器压力和间接寻址）。在现代 x86-64 架构上，这种开销通常可以忽略不计（通常在 1% 以内），考虑到安全性的大幅提升，这是一个值得的权衡。

2.4 安全性

• 显著提升：这是本次修改的核心亮点。
  • ASLR 支持：PIE 是操作系统实现 ASLR 的前提条件。没有 PIE，可执行文件的代码段基地址是固定的，攻击者更容易利用 ROP（面向返回编程）等攻击技术。
  • 防御漏洞利用：开启 PIE 使得攻击者更难预测跳转地址，从而有效缓解缓冲区溢出等内存破坏漏洞的利用。

3. 改进意见与建议

尽管当前的修改是正确且有益的，但在跨平台兼容性和构建系统健壮性方面还有优化空间：

建议 1：使用 CMake 内置属性替代直接传参（推荐）

直接使用 target_link_options(... -pie) 虽然可行，但 CMake 提供了更语义化的属性来处理这个问题，这有助于 CMake 处理不同编译器（如 GCC, Clang, MSVC）的差异。

修改建议：
将：

target_link_options(${PROJECT_NAME} PRIVATE -pie)

改为：

set_target_properties(${PROJECT_NAME} PROPERTIES POSITION_INDEPENDENT_CODE TRUE)

或者对于可执行文件，确保链接器标志正确，可以使用 CheckPIESupported 模块（CMake 3.14+）：

include(CheckPIESupported)
check_pie_supported()
# 如果支持，则设置属性
if(PIE_SUPPORTED)
    set_target_properties(${PROJECT_NAME} PROPERTIES POSITION_INDEPENDENT_CODE TRUE)
endif()

注意：对于可执行文件，POSITION_INDEPENDENT_CODE 属性通常足以触发编译器的 -fPIE 和链接器的 -pie（如果工具链支持）。

建议 2：增加编译器支持检查

为了防止在不支持 PIE 的旧版编译器或特定平台上构建失败，建议添加检查逻辑。

修改示例：

# 检查编译器是否支持 PIE
include(CheckCXXCompilerFlag)
check_cxx_compiler_flag("-pie" HAS_PIE_SUPPORT)

if(HAS_PIE_SUPPORT)
    target_link_options(${PROJECT_NAME} PRIVATE -pie)
endif()

建议 3：统一管理链接选项

由于几乎所有的可执行文件都需要添加 -pie，建议在根目录的 CMakeLists.txt 或者一个专门的 CompilerFlags.cmake 文件中定义一个通用的函数或宏，避免在每个子目录中重复代码。

修改示例：
在根目录或工具链文件中：

function(apply_security_settings TARGET)
    if(CMAKE_BUILD_TYPE STREQUAL "Release")
        # 启用 PIE
        if(NOT MSVC) # MSVC 处理方式不同
            target_link_options(${TARGET} PRIVATE -pie)
        endif()
    endif()
endfunction()

在子目录中调用：

apply_security_settings(${PROJECT_NAME})

4. 总结

这份代码修改在安全性方面是非常积极且必要的，能够有效提升二进制文件抵抗内存攻击的能力。代码本身没有语法错误。主要的改进方向在于增强跨平台兼容性和减少重复代码，通过使用 CMake 的内置属性或检查宏，可以使构建脚本更加健壮和易于维护。

[Johnson-zs]

/forcemerge

[deepin-bot]

This pr force merged! (status: behind)