
Commit 86415bc

committed
refactor: update build flags and security hardening
1. Removed -Wall from CMakeLists.txt since it's now handled in debian/rules
2. Added comprehensive security hardening flags in debian/rules including:
   - Stack protection (-fstack-protector-all)
   - Relocation hardening (-Wl,-z,relro)
   - Immediate binding (-Wl,-z,now)
   - No executable stack (-Wl,-z,noexecstack)
3. Kept -Wextra warnings in CMake for additional checks
4. Moved linker flag --as-needed to debian/rules for consistency

The changes improve security hardening while maintaining warning levels and cleaning up flag organization between build systems.

refactor: 更新构建标志和安全加固

1. 从 CMakeLists.txt 中移除 -Wall,因为它现在在 debian/rules 中处理
2. 在 debian/rules 中添加全面的安全加固标志,包括:
   - 栈保护 (-fstack-protector-all)
   - 重定位加固 (-Wl,-z,relro)
   - 立即绑定 (-Wl,-z,now)
   - 不可执行栈 (-Wl,-z,noexecstack)
3. 在 CMake 中保留 -Wextra 警告用于额外检查
4. 将链接器标志 --as-needed 移至 debian/rules 以保持一致性

这些更改在保持警告级别和清理构建系统间标志组织的同时,提高了安全加固水平。
1 parent 345564f commit 86415bc


5 files changed

+25
-2
lines changed


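--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -71,8 +71,7 @@ if(TARGET Qt6::QuickControls2 AND TARGET Qt6::QuickControls2Private)
 endif()
 endif()
 
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wextra")
-set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--as-needed")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wextra")
 if (CMAKE_BUILD_TYPE STREQUAL "Debug")
 # 加上 ASAN 检查后可能会导致 DEBUG 应用启动后退出。可以加上 ASAN_OPTIONS 环境变量来防止应用退出
 # ASAN_OPTIONS="halt_on_error=0" ASAN_OPTIONS="new_delete_type_mismatch=0"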
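Review bot: With `-Wall` and `-Wl,--as-needed` removed from this file, any build that does not go through `debian/rules` (local developer builds, CI, other packagers) now compiles with `-Wextra` only and links without `--as-needed`, and it gets none of the hardening flags either, since those now live only in the packaging. Passing a warning flag twice is harmless, so I would keep the baseline here, e.g. `add_compile_options(-Wall -Wextra)`, and let the packaging append its own flags on top. `-fPIC` is better expressed as `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` than as text appended to `CMAKE_CXX_FLAGS`. The `if (CMAKE_BUILD_TYPE STREQUAL "Debug")` block continues outside the hunk.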

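--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,12 @@ DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/default.mk
 export QT_SELECT = qt5
 
+# 安全编译参数
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND = -Wall
+export DEB_CXXFLAGS_MAINT_APPEND = -Wall
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E
+
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
 VERSION = $(DEB_VERSION_UPSTREAM)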
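Review bot: `-Wl,-E` at the end of `DEB_LDFLAGS_MAINT_APPEND` is not a hardening option and is not mentioned in the commit description; it is `--export-dynamic`, which adds all symbols of an executable to its dynamic symbol table, so it should either be dropped or carry a comment naming the consumer that needs it. `hardening=+all` already enables the relro and bindnow features, so `-Wl,-z,relro -Wl,-z,now` are redundant here. The dpkg stack-protector feature normally selects `-fstack-protector-strong`, not the `-fstack-protector-all` named in the description, and no `-fstack-protector-all` appears in this hunk; if `-all` is really intended it has to be appended explicitly to the C and C++ flags. A leaner line would be `export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,noexecstack`. These variables are conventionally set before `include /usr/share/dpkg/default.mk`, so it is worth confirming with `dpkg-buildflags --status` or a build log that the flags actually reach the compiler and linker.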

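--- a/qt6/src/CMakeLists.txt
+++ b/qt6/src/CMakeLists.txt
@@ -70,6 +70,12 @@ target_link_libraries(${PLUGIN_NAME} PRIVATE
 ${LIB_NAME}
 )
 
+# 禁用此插件的 RPATH/RUNPATH,因为依赖库在标准系统路径中
+set_target_properties(${PLUGIN_NAME} PROPERTIES
+INSTALL_RPATH ""
+BUILD_WITH_INSTALL_RPATH TRUE
+)
+
 # Install library
 install(TARGETS ${LIB_NAME} EXPORT Dtk${DTK_VERSION_MAJOR}DeclarativeTargets DESTINATION "${LIB_INSTALL_DIR}")
 # Install export targets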
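Review bot: `BUILD_WITH_INSTALL_RPATH TRUE` together with an empty `INSTALL_RPATH` also strips the run path from the build-tree plugin, which links the in-tree `${LIB_NAME}`; anything that loads the plugin from the build directory (tests, examples) will then resolve that library through the default loader path, so it either fails or silently binds to a previously installed system copy. The same block is repeated in `qt6/src/qml/private/CMakeLists.txt` and `qt6/src/qml/settings/CMakeLists.txt`, where the plugin output directory is installed with `install(DIRECTORY ...)`, which is presumably why the build-tree RPATH has to be empty. The comment's premise that the dependencies sit in standard system paths holds only when `LIB_INSTALL_DIR` is a default loader directory, so I would state both constraints next to the property, e.g. `# No RPATH/RUNPATH: the installed plugin resolves ${LIB_NAME} from the default loader path; build-tree runs must set LD_LIBRARY_PATH`. Since the three blocks are identical apart from the target name, a small helper function taking the target would keep them from drifting apart.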

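--- a/qt6/src/qml/private/CMakeLists.txt
+++ b/qt6/src/qml/private/CMakeLists.txt
@@ -26,5 +26,11 @@ PRIVATE
 Qt${QT_VERSION_MAJOR}::Quick
 )
 
+# 禁用此插件的 RPATH/RUNPATH,因为依赖库在标准系统路径中
+set_target_properties(dtkdeclarativeprivatesplugin PROPERTIES
+INSTALL_RPATH ""
+BUILD_WITH_INSTALL_RPATH TRUE
+)
+
 install(TARGETS dtkdeclarativeprivatesplugin DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/private")
 install(DIRECTORY "${PLUGIN_OUTPUT_DIR}/${URI_PATH}/private/" DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/private")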

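--- a/qt6/src/qml/settings/CMakeLists.txt
+++ b/qt6/src/qml/settings/CMakeLists.txt
@@ -35,5 +35,11 @@ PRIVATE
 ${LIB_NAME}
 )
 
+# 禁用此插件的 RPATH/RUNPATH,因为依赖库在标准系统路径中
+set_target_properties(dtkdeclarativesettingsplugin PROPERTIES
+INSTALL_RPATH ""
+BUILD_WITH_INSTALL_RPATH TRUE
+)
+
 install(TARGETS dtkdeclarativesettingsplugin DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/settings")
 install(DIRECTORY "${PLUGIN_OUTPUT_DIR}/${URI_PATH}/settings/" DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/settings")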
