Apply PIE and ELF compiler option hardening (#2282)

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

Author: jviotti

cmake/common/targets/executable.cmake

@@ -30,5 +30,45 @@ function(sourcemeta_executable)
 
   add_executable("${TARGET_NAME}" ${SOURCEMETA_EXECUTABLE_SOURCES})
   sourcemeta_add_default_options(PRIVATE ${TARGET_NAME})
+
+  # See https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+  # Position Independent Executable (PIE) for ASLR support
+  if(SOURCEMETA_COMPILER_LLVM OR SOURCEMETA_COMPILER_GCC)
+    target_compile_options(${TARGET_NAME} PRIVATE
+      $<$<CONFIG:Release>:-fPIE>
+      $<$<CONFIG:RelWithDebInfo>:-fPIE>
+      $<$<CONFIG:MinSizeRel>:-fPIE>)
+    target_link_options(${TARGET_NAME} PRIVATE
+      $<$<CONFIG:Release>:-pie>
+      $<$<CONFIG:RelWithDebInfo>:-pie>
+      $<$<CONFIG:MinSizeRel>:-pie>)
+  endif()
+
+  # See https://learn.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard
+  # See https://learn.microsoft.com/en-us/cpp/build/reference/cetcompat
+  if(SOURCEMETA_COMPILER_MSVC)
+    target_compile_options(${TARGET_NAME} PRIVATE /guard:cf)
+    target_link_options(${TARGET_NAME} PRIVATE /guard:cf /CETCOMPAT)
+  endif()
+
+  # Linux-specific ELF linker hardening options
+  if(SOURCEMETA_OS_LINUX AND (SOURCEMETA_COMPILER_LLVM OR SOURCEMETA_COMPILER_GCC))
+    target_link_options(${TARGET_NAME} PRIVATE
+      "LINKER:-z,nodlopen"
+      "LINKER:-z,noexecstack"
+      "LINKER:-z,relro"
+      "LINKER:-z,now"
+      "LINKER:--as-needed")
+    if(CMAKE_VERSION VERSION_GREATER_EQUAL "3.18")
+      include(CheckLinkerFlag)
+      check_linker_flag(CXX "LINKER:--no-copy-dt-needed-entries"
+        SOURCEMETA_LINKER_NO_COPY_DT_NEEDED)
+      if(SOURCEMETA_LINKER_NO_COPY_DT_NEEDED)
+        target_link_options(${TARGET_NAME} PRIVATE
+          "LINKER:--no-copy-dt-needed-entries")
+      endif()
+    endif()
+  endif()
+
   set_target_properties("${TARGET_NAME}" PROPERTIES FOLDER "${FOLDER_NAME}")
 endfunction()