From 8a942422dac52859f887fff0483c9c09c4f97aab Mon Sep 17 00:00:00 2001
From: Janek Bevendorff <janek@jbev.net>
Date: Fri, 10 Mar 2017 13:23:46 +0100
Subject: [PATCH] Harden Linux binary

---
 CMakeLists.txt | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 51773ba02..a0326997d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -68,7 +68,7 @@ endmacro(add_gcc_compiler_flags)
 
 add_definitions(-DQT_NO_EXCEPTIONS -DQT_STRICT_ITERATORS -DQT_NO_CAST_TO_ASCII)
 
-add_gcc_compiler_flags("-fno-common -fstack-protector --param=ssp-buffer-size=4")
+add_gcc_compiler_flags("-fno-common -fstack-protector-strong --param=ssp-buffer-size=4")
 add_gcc_compiler_flags("-Wall -Wextra -Wundef -Wpointer-arith -Wno-long-long")
 add_gcc_compiler_flags("-Wformat=2 -Wmissing-format-attribute")
 add_gcc_compiler_flags("-fvisibility=hidden")
@@ -79,7 +79,7 @@ add_gcc_compiler_cxxflags("-Wnon-virtual-dtor -Wold-style-cast -Woverloaded-virt
 add_gcc_compiler_cflags("-Wchar-subscripts -Wwrite-strings")
 
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER)
-if (CMAKE_BUILD_TYPE_LOWER MATCHES (release|relwithdebinfo|minsizerel))
+if (CMAKE_BUILD_TYPE_LOWER MATCHES "(release|relwithdebinfo|minsizerel)")
   add_gcc_compiler_flags("-D_FORTIFY_SOURCE=2")
 endif()
 
@@ -105,10 +105,14 @@ if(CMAKE_COMPILER_IS_GNUCC)
 endif()
 
 if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+  if (CMAKE_COMPILER_IS_CLANGXX)
+      add_gcc_compiler_flags("-Qunused-arguments")
+  endif()
+  add_gcc_compiler_flags("-pie -fPIE")
   set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--no-add-needed -Wl,--as-needed -Wl,--no-undefined")
-  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro,-z,now")
   set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,--no-add-needed -Wl,--as-needed")
-  set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,-z,relro")
+  set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,-z,relro,-z,now")
 endif()
 
 add_gcc_compiler_cxxflags("-std=c++11")