@wangrong1069
Contributor

No description provided.

As title

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-339563.html
Add the -fPIE parameter via CMAKE_POSITION_INDEPENDENT_CODE.
Add the -pie parameter via target_link_options.

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-339563.html
@deepin-ci-robot

deepin pr auto review

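Here is my review of the changes to this CMakeLists.txt:

  1. Syntax and logic:
  • The syntax is correct, with no syntax errors
  • The CMake commands are used correctly
  2. Code quality:
  • The code structure is clear and well commented
  • The SPDX license information update is reasonable
  • The security-related configuration is well organized and well commented
  3. Code performance:
  • Position-independent code (-fPIE/-fPIC) is enabled, which has a slight performance impact, but the security gain makes this a worthwhile trade-off
  • The compiler flags are set reasonably
  4. Code security:
  • The security improvements are very comprehensive:
    • Position-independent code is enabled (CMAKE_POSITION_INDEPENDENT_CODE ON)
    • PIE (Position Independent Executable) is enabled
    • RELRO (Relocation Read-Only) protection is enabled
    • Immediate binding (NOW) is enabled

Suggestions for improvement:

  1. Consider managing the security-related compile options in one place, for example by creating a function or macro that sets them uniformly, which makes them easier to maintain:

```cmake
function(set_security_flags target)
    if(NOT ${CMAKE_SYSTEM_PROCESSOR} MATCHES "sw_64")
        target_compile_options(${target} PRIVATE -Wall -Wl,--as-need -fPIE)
        target_link_options(${target} PRIVATE -pie -Wl,-z,relro -Wl,-z,now)
    endif()
endfunction()
```

  2. Consider adding more security-related compile options:

```cmake
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong")
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,noexecstack")
```

  3. It is recommended to use a more explicit boolean expression in the condition:

```cmake
if(NOT CMAKE_SYSTEM_PROCESSOR MATCHES "sw_64")
```

  4. It is recommended to merge the repeated compiler flag settings:

```cmake
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Wl,--as-need -fPIE -Wno-error=incompatible-pointer-types")
```

Overall, this is a good security improvement. It mainly adds security features such as ASLR, PIE and RELRO, which help improve the program's security. The code is clearly organized, well commented, and easy to understand and maintain.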
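To confirm in the built binary that the flags discussed in this PR (-fPIE/-pie, -Wl,-z,relro, -Wl,-z,now, and the suggested -Wl,-z,noexecstack) took effect, the following added example, which is not part of the PR or the project's code, reads the ELF64 headers and reports each property. The names `check_hardening` and `build_sample` and the two sample images are constructed for illustration; the PIE check assumes a linker that sets DF_1_PIE.

```python
import struct

# ELF constants (from the ELF / gABI headers)
ET_EXEC, ET_DYN, PT_DYNAMIC, PF_X = 2, 3, 2, 0x1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def check_hardening(elf: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW / NX stack for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, nx, dyn = False, False, {}
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:        # produced by -Wl,-z,relro
            relro = True
        elif p_type == PT_GNU_STACK:      # executable stack if PF_X is set
            nx = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:        # walk Elf64_Dyn entries up to DT_NULL
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:
                    break
                dyn[tag] = val
    now = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
           or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))    # -Wl,-z,now
    # Shared libraries are ET_DYN too; DF_1_PIE marks an executable linked with -pie.
    pie = e_type == ET_DYN and bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE)
    level = "full" if relro and now else "partial" if relro else "none"
    return {"pie": pie, "relro": level, "bind_now": now, "nx_stack": nx}

def build_sample(e_type, phdrs, dyn_tags):
    """Constructed headers-only ELF64 image for the demo; not a real binary."""
    dynoff = 64 + 56 * (len(phdrs) + 1)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(0, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs) + 1, 0, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    ph += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + ph + dyn

HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                        [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
LEGACY = build_sample(ET_EXEC, [(PT_GNU_STACK, 7)], [])
if __name__ == "__main__":
    print(check_hardening(HARDENED), check_hardening(LEGACY), sep="\n")
```

To check a real build artifact, pass the file's bytes, for example `check_hardening(open(path, "rb").read())`.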

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, wangrong1069

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wangrong1069
Contributor Author

/merge

@deepin-bot deepin-bot bot merged commit 88727c8 into linuxdeepin:master Jan 7, 2026
17 checks passed
@wangrong1069 wangrong1069 deleted the pr0107 branch January 7, 2026 08:15