Skip to content

fix: add security hardening flags to build rules #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
18202781743 merged 1 commit into from
Jul 3, 2025
Merged

fix: add security hardening flags to build rules #14

18202781743 merged 1 commit into from
Jul 3, 2025

Conversation

@18202781743
Copy link
Contributor

@18202781743 18202781743 commented Jul 3, 2025

  1. Added security hardening compiler flags including stack protection
    and RELRO
  2. Included additional warning flags (-Wall) for better code quality
    checking
  3. Set linker flags to enable security features like immediate binding
    and noexecstack
  4. These changes improve application security by enabling standard
    Debian hardening practices

fix: 添加安全加固编译参数到构建规则

  1. 添加了安全加固编译参数,包括栈保护和RELRO
  2. 包含额外的警告标志(-Wall)以改进代码质量检查
  3. 设置链接器标志以启用安全特性如立即绑定和noexecstack
  4. 这些变更通过启用标准的Debian加固实践提高了应用安全性

@18202781743 18202781743 requested review from BLumia and mhduiy July 3, 2025 07:32
@deepin-ci-robot
Copy link

deepin-ci-robot commented Jul 3, 2025

deepin pr auto review

这个提交的改动主要是为了提高软件包的安全性,通过添加一些编译选项来增强代码的安全性。具体来说,增加了以下安全编译参数:

  1. export DEB_BUILD_MAINT_OPTIONS = hardening=+all:启用所有可用的安全强化选项。
  2. export DEB_CFLAGS_MAINT_APPEND = -fstack-protector-all -Wall:启用堆栈保护,并启用所有警告。
  3. export DEB_CXXFLAGS_MAINT_APPEND = -fstack-protector-all -Wall:为C++代码启用堆栈保护,并启用所有警告。
  4. export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-E:链接器选项,包括减少不必要的库、启用只读重定位表、立即解析动态符号、禁用可执行栈。

总体来说,这些改动是积极的,有助于提高软件包的安全性。但是,还有一些细节需要注意:

  1. 重复的编译选项DEB_CFLAGS_MAINT_APPENDDEB_CXXFLAGS_MAINT_APPEND 都添加了 -fstack-protector-all -Wall,这可能是多余的,因为它们是针对C和C++代码的,如果代码中已经包含了这些选项,那么重复添加就没有意义了。

  2. 编译选项的顺序:在添加新的编译选项时,建议检查现有的编译选项顺序,以确保新的选项能够正确生效。例如,-Wall 应该在 -fstack-protector-all 之后,因为 -Wall 会显示所有警告,包括 -fstack-protector-all 可能引起的警告。

  3. 链接器选项的顺序:链接器选项的顺序也很重要,确保 -Wl,--as-needed-Wl,-z,relro 之前,因为 -Wl,--as-needed 会移除未使用的库,这可能会影响其他选项的效果。

  4. 文档和注释:建议在 debian/rules 文件中添加一些注释,说明为什么需要这些编译选项,以及它们如何提高软件的安全性。这有助于其他开发者理解这些改动的原因和重要性。

综上所述,这个提交的改动是积极的,有助于提高软件包的安全性。但是,需要注意重复的编译选项、编译选项的顺序和文档的完整性。

@18202781743
fix: add security hardening flags to build rules
ce0b905 
1. Added security hardening compiler flags including stack protection
and RELRO
2. Included additional warning flags (-Wall) for better code quality
checking
3. Set linker flags to enable security features like immediate binding
and noexecstack
4. These changes improve application security by enabling standard
Debian hardening practices

fix: 添加安全加固编译参数到构建规则

1. 添加了安全加固编译参数,包括栈保护和RELRO
2. 包含额外的警告标志(-Wall)以改进代码质量检查
3. 设置链接器标志以启用安全特性如立即绑定和noexecstack
4. 这些变更通过启用标准的Debian加固实践提高了应用安全性
@deepin-ci-robot
Copy link

deepin-ci-robot commented Jul 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 18202781743, mhduiy

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@18202781743 18202781743 merged commit 722fb49 into linuxdeepin:master Jul 3, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mhduiy mhduiy mhduiy approved these changes

@BLumia BLumia Awaiting requested review from BLumia

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@18202781743 @deepin-ci-robot @mhduiy