I have a Qt project that I'm compiling with GCC and MinGW for Ubuntu and Windows.
I got a requirement to harden it by adding the following LDFLAGS:
- Stack execution protection:
LDFLAGS="-z noexecstack"- Data relocation and protection (RELRO):
LDLFAGS="-z relro -z now"
The question is can this be done with .pro file and how? I found it easy to add LFLAGS and CFLAGS in the project file but couldn't find anything for LDFLAGS. Even the output Makefiles don't seem to have any LDFLAGS defined.
One way I found after long googling was to add QMAKE_CFLAGS_RELEASE += "--noexecstack" in the .pro file but I'm not convinced this is the right way.
After the line above, the generated Makefile looks like this:
CC = gcc
CXX = g++
DEFINES = -DUNICODE -DMY_LIBRARY -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB
CFLAGS = -pipe -fno-keep-inline-dllexport -O2 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security --noexecstack -Wall -Wextra $(DEFINES)
CXXFLAGS = -pipe -fno-keep-inline-dllexport -O2 -frtti -Wall -Wextra -fexceptions -mthreads $(DEFINES)
LINKER = g++
LFLAGS = -Wl,-s -shared -Wl,-subsystem,windows -mthreads -Wl,--out-implib,C:\libmylib0.a
noexecstack appears in the CLFAGS list but not sure if that's alright. CFLAGS is not the same as LDFLAGS. It doesn't seems to validate the command either since --thisdoesntexist seemed to go through as well when I tried.
Thank you in advance.
EDIT:
Based on Gwen's answer I tried adding QMAKE_LFLAGS += "-z noexecstack -z relro -z now" but this produced an error from ld.exe:
error: unrecognized option '-z'
EDIT2:
Tool versions:
C:\Qt\Qt5.5.0\Tools\mingw492_32\bin>ld.exe -v
GNU ld (GNU Binutils) 2.24
C:\Qt\Qt5.5.0\Tools\mingw492_32\bin>g++.exe --version
g++.exe (i686-posix-dwarf-rev1, Built by MinGW-W64 project) 4.9.2
