chore: Update compiler flags for security enhancements #447

deepin-bot[bot] merged 1 commit into linuxdeepin:master from
As title

Log: Update compiler flags for security enhancements
Bug: https://pms.uniontech.com/bug-view-342665.html
Reviewer's Guide

Configures additional compiler and linker hardening flags for release builds and adjusts existing C/C++ flag settings to append to, rather than overwrite, previously defined flags, with special handling for mips64 vs other architectures.

Flow diagram for CMake release build hardening flags configuration:

```mermaid
flowchart TD
    A[Configure_project] --> B{CMAKE_BUILD_TYPE STREQUAL Release}
    B -- Yes --> C[Print Enable build hardening]
    C --> D[Enable CMAKE_VERBOSE_MAKEFILE]
    D --> E[Define HARDENING_FLAGS<br/>-Wdate-time<br/>-D_FORTIFY_SOURCE=2<br/>-g<br/>-O2<br/>-ffile-prefix-map<br/>-fstack-protector-strong<br/>-fstack-clash-protection<br/>-Wformat<br/>-Werror=format-security]
    E --> F[Append HARDENING_FLAGS to CMAKE_CXX_FLAGS]
    F --> G[Append HARDENING_FLAGS to CMAKE_C_FLAGS]
    G --> H[Append -Wl,-z,relro -Wl,-z,now to CMAKE_EXE_LINKER_FLAGS]
    B -- No --> I[Use existing compiler and linker flags]
    H --> J[Invoke add_subdirectory src]
    I --> J
```
Hey - I've left some high level feedback:

- Relying on `if(CMAKE_BUILD_TYPE STREQUAL "Release")` means these hardening flags won't be applied for multi-config generators (e.g. Ninja Multi-Config, Visual Studio); consider using configuration-specific compile/link options instead of checking `CMAKE_BUILD_TYPE` directly.
- Enabling `CMAKE_VERBOSE_MAKEFILE ON` unconditionally for Release builds can make normal build logs very noisy; it might be better to leave this under a developer toggle or only enable it for debugging specific issues.
- Appending hardening options by modifying `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS` directly (including `-g -O2`) can override or conflict with user/toolchain-provided flags; using `add_compile_options()`/`add_link_options()` scoped to targets or configurations would be more robust and composable.
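The flag set from the reviewer's guide, expressed the way the Sourcery feedback above suggests: configuration-scoped `add_compile_options()` / `add_link_options()` instead of editing `CMAKE_C_FLAGS`, so Release builds under Ninja Multi-Config or Visual Studio are hardened too. This is an added example written for this page, not code from the linuxdeepin project or from this PR; it assumes a single `main.c` and an option named `HARDEN_RELEASE`, neither of which the project defines.

```cmake
# Added example (not the project's CMakeLists.txt): configuration-scoped hardening.
cmake_minimum_required(VERSION 3.13)   # add_link_options() needs 3.13+
project(hardening_example C CXX)

# Assumed option name: lets a developer opt out without editing the file.
option(HARDEN_RELEASE "Apply compiler/linker hardening to Release builds" ON)

if(HARDEN_RELEASE)
  # These are GCC/Clang options; guard so an MSVC configuration is not fed them.
  if(CMAKE_C_COMPILER_ID MATCHES "GNU|Clang")
    set(HARDENING_COMPILE_OPTIONS
      -Wdate-time
      -g -O2
      -fstack-protector-strong       # canaries for functions with arrays/address-taken locals
      -fstack-clash-protection       # probe each page of large stack allocations (GCC 8+)
      -Wformat -Werror=format-security
      "-ffile-prefix-map=${CMAKE_SOURCE_DIR}=."   # keep build paths out of debug info
    )
    # A generator expression is evaluated per configuration at generate/build
    # time, so Release gets these options even when CMAKE_BUILD_TYPE is empty
    # (the multi-config case the review points out).
    add_compile_options("$<$<CONFIG:Release>:${HARDENING_COMPILE_OPTIONS}>")

    # _FORTIFY_SOURCE is a preprocessor macro, so it belongs with definitions,
    # not options. It only has an effect when optimization (-O1 or higher) is on.
    add_compile_definitions("$<$<CONFIG:Release>:_FORTIFY_SOURCE=2>")

    # Full RELRO: resolve all symbols at load time (-z now) and then make the
    # GOT and other relocation data read-only (-z relro).
    add_link_options("$<$<CONFIG:Release>:-Wl,-z,relro;-Wl,-z,now>")
  endif()
endif()

add_executable(demo main.c)   # main.c is assumed to exist beside this file
```

Because directory-level `COMPILE_OPTIONS` are emitted after `CMAKE_C_FLAGS_RELEASE` on the command line, the `-O2` here takes precedence over CMake's default `-O3 -DNDEBUG` for Release, and a target that needs a different level (as the mips64 branch in this PR does) can still add its own `-O3` with `target_compile_options()`, since target options come last and GCC honours the last `-O` it sees. To confirm the settings reached the binary, configure with `cmake -G "Ninja Multi-Config" -B build`, build with `cmake --build build --config Release -v` and inspect the compile lines, then check the linker side with `readelf -lW build/Release/demo | grep GNU_RELRO` and `readelf -d build/Release/demo | grep -E 'BIND_NOW|FLAGS'`.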
deepin pr auto review

1. Syntax and logic review
2. Code quality review
3. Code performance review
4. Code security review

Summary and improvement suggestions

Below is an optimized version that combines the suggestions above:

Root CMakeLists.txt:

```cmake
if(CMAKE_BUILD_TYPE STREQUAL "Release")
    message(STATUS "Enable build hardening.")
    # CMAKE_VERBOSE_MAKEFILE ON removed to keep the build log concise; enable it externally when debugging
    # Define the base optimization level; subdirectories may override or append to it
    set(OPTIMIZATION_FLAGS "-O2")
    set(HARDENING_FLAGS "-Wdate-time -D_FORTIFY_SOURCE=2 -g ${OPTIMIZATION_FLAGS} -ffile-prefix-map=${CMAKE_SOURCE_DIR}=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security")
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${HARDENING_FLAGS}")
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS}")
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro -Wl,-z,now")
endif()
```

src/CMakeLists.txt:

```cmake
# Optimization flags for faster code
if (CMAKE_HOST_SYSTEM_PROCESSOR MATCHES "mips64")
    # Use more aggressive optimization for the Loongson architecture, overriding the earlier -O2
    # Note: -O3 is simply appended here; because of command-line ordering, GCC normally uses the last -O option
    set(ARCH_FLAGS "-O3 -ftree-vectorize -march=loongson3a -mhard-float -mno-micromips -mno-mips16 -flax-vector-conversions -mloongson-ext2 -mloongson-mmi")
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} $ENV{CXXFLAGS} ${ARCH_FLAGS} -Wl,--as-needed -fPIE")
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} $ENV{CFLAGS} ${ARCH_FLAGS} -Wl,--as-needed -fPIE")
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")
else()
    # Generic architectures: keep the root directory's -O2, or switch to -O3 if more performance is needed
    # For this example we explicitly stay with -O2, avoiding a mix of the root -O2 and a possible -O3 here
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} $ENV{CXXFLAGS} -Wl,--as-needed -fPIE")
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} $ENV{CFLAGS} -Wl,--as-needed -fPIE")
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")
endif()
```

Explanation of main changes:
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lzwind, wangrong1069

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
/forcemerge

This pr force merged! (status: unstable)
Summary by Sourcery
Strengthen compiler and linker configuration for more secure and consistent release builds.
Build: