refactor: update build flags and security hardening

1. Removed -Wall from CMakeLists.txt since it's now handled in debian/
rules
2. Added comprehensive security hardening flags in debian/rules
including:
   - Stack protection (-fstack-protector-all)
   - Relocation hardening (-Wl,-z,relro)
   - Immediate binding (-Wl,-z,now)
   - No executable stack (-Wl,-z,noexecstack)
3. Kept -Wextra warnings in CMake for additional checks
4. Moved linker flag --as-needed to debian/rules for consistency

The changes improve security hardening while maintaining warning levels
and cleaning up flag organization between build systems.

refactor: 更新构建标志和安全加固

1. 从 CMakeLists.txt 中移除 -Wall，因为它现在在 debian/rules 中处理
2. 在 debian/rules 中添加全面的安全加固标志，包括：
   - 栈保护 (-fstack-protector-all)
   - 重定位加固 (-Wl,-z,relro)
   - 立即绑定 (-Wl,-z,now)
   - 不可执行栈 (-Wl,-z,noexecstack)
3. 在 CMake 中保留 -Wextra 警告用于额外检查
4. 将链接器标志 --as-needed 移至 debian/rules 以保持一致性

这些更改在保持警告级别和清理构建系统间标志组织的同时，提高了安全加固
水平。

Author: 18202781743

CMakeLists.txt

@@ -71,8 +71,7 @@ if(TARGET Qt6::QuickControls2 AND TARGET Qt6::QuickControls2Private)
 endif()
 endif()
 
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wextra")
-set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--as-needed")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wextra")
 if (CMAKE_BUILD_TYPE STREQUAL "Debug")
     # 加上 ASAN 检查后可能会导致 DEBUG 应用启动后退出。可以加上 ASAN_OPTIONS 环境变量来防止应用退出
     # ASAN_OPTIONS="halt_on_error=0" ASAN_OPTIONS="new_delete_type_mismatch=0"

debian/rules

@@ -3,6 +3,12 @@ DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/default.mk
 export QT_SELECT = qt5
 
+# 安全编译参数
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND = -Wall
+export DEB_CXXFLAGS_MAINT_APPEND = -Wall
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E
+
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
 VERSION = $(DEB_VERSION_UPSTREAM)

qt6/src/CMakeLists.txt

@@ -70,6 +70,12 @@ target_link_libraries(${PLUGIN_NAME} PRIVATE
     ${LIB_NAME}
 )
 
+# 禁用此插件的 RPATH/RUNPATH，因为依赖库在标准系统路径中
+set_target_properties(${PLUGIN_NAME} PROPERTIES
+    INSTALL_RPATH ""
+    BUILD_WITH_INSTALL_RPATH TRUE
+)
+
 # Install library
 install(TARGETS ${LIB_NAME} EXPORT Dtk${DTK_VERSION_MAJOR}DeclarativeTargets DESTINATION "${LIB_INSTALL_DIR}")
 # Install export targets

qt6/src/qml/private/CMakeLists.txt

@@ -26,5 +26,11 @@ PRIVATE
     Qt${QT_VERSION_MAJOR}::Quick
 )
 
+# 禁用此插件的 RPATH/RUNPATH，因为依赖库在标准系统路径中
+set_target_properties(dtkdeclarativeprivatesplugin PROPERTIES
+    INSTALL_RPATH ""
+    BUILD_WITH_INSTALL_RPATH TRUE
+)
+
 install(TARGETS dtkdeclarativeprivatesplugin DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/private")
 install(DIRECTORY "${PLUGIN_OUTPUT_DIR}/${URI_PATH}/private/" DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/private")

qt6/src/qml/settings/CMakeLists.txt

@@ -35,5 +35,11 @@ PRIVATE
     ${LIB_NAME}
 )
 
+# 禁用此插件的 RPATH/RUNPATH，因为依赖库在标准系统路径中
+set_target_properties(dtkdeclarativesettingsplugin PROPERTIES
+    INSTALL_RPATH ""
+    BUILD_WITH_INSTALL_RPATH TRUE
+)
+
 install(TARGETS dtkdeclarativesettingsplugin DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/settings")
 install(DIRECTORY "${PLUGIN_OUTPUT_DIR}/${URI_PATH}/settings/" DESTINATION "${QML_INSTALL_DIR}/${URI_PATH}/settings")