# B25 — CMakeLists / Linux.cmake: missing standard hardening flags

Bug ref      : always.md B.25 ; pharo.md §7
Severity     : HIGH (every memory bug in the audit is more exploitable than it needs to be)
Files        : CMakeLists.txt (~lines 206, 266-296), cmake/Linux.cmake (~line 1)

## Problem

The Linux/Unix release build does not set:

  - `-D_FORTIFY_SOURCE=2`           (bounds-checked libc wrappers such as
                                     `__memcpy_chk`; only active at -O1 or higher)
  - `-fstack-protector-strong`     (stack canaries in every function with a
                                     local array, `alloca`, or address-taken local)
  - `-fPIE -pie`                   (position-independent ELF executable, so
                                     the main image is randomised by ASLR)
  - `-Wformat -Wformat-security`   (warns on printf-style calls whose format
                                     string is not a literal and has no arguments)
  - `-Wl,-z,relro -Wl,-z,now`      (full RELRO: GOT and other relocated data
                                     made read-only after eager symbol binding)
  - `-Wl,-z,noexecstack`           (non-executable stack: PT_GNU_STACK without X)

Every memory-corruption bug in the audit becomes meaningfully harder
to exploit when these are enabled. The build sets none of them; some
distribution toolchains enable a subset by default, but a build that
relies on that is hardened only on those distributions.

## Fix

Add a hardening block to the Linux build config. Keep it Linux-only,
since macOS and Windows have their own hardening conventions and flags.

```diff
diff --git a/cmake/Linux.cmake b/cmake/Linux.cmake
index 0b6b9d7c4..76c74e902 100644
--- a/cmake/Linux.cmake
+++ b/cmake/Linux.cmake
@@ -1,4 +1,24 @@
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-rpath=.")
+
+# Hardening flags. Off by default; opt in with -DPHARO_HARDENED=ON to
+# avoid surprising any existing build that was tuned for the old flags.
+option(PHARO_HARDENED "Enable hardening flags for the Linux build" OFF)
+if(PHARO_HARDENED)
+    add_compile_options(
+        -D_FORTIFY_SOURCE=2
+        -fstack-protector-strong
+        -fPIE
+        -Wformat
+        -Wformat-security
+    )
+    add_link_options(
+        -pie
+        -Wl,-z,relro
+        -Wl,-z,now
+        -Wl,-z,noexecstack
+    )
+endif()
+
 set(PHARO_BIN_LOCATION "default" CACHE STRING "The default location of the PHARO bin, used by the launch.sh.in")
 
 if(${PHARO_BIN_LOCATION} STREQUAL "default")
```
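Review bot: `-D_FORTIFY_SOURCE=2` in the `add_compile_options()` list is inert unless the compile also carries `-O1` or higher, so `-DPHARO_HARDENED=ON` on a Debug configuration gets no fortification and glibc's headers emit a `_FORTIFY_SOURCE requires compiling with optimization` warning; either restrict the define to optimised configurations, for example `add_compile_definitions($<$<NOT:$<CONFIG:Debug>>:_FORTIFY_SOURCE=2>)`, or state in the option's help text that it only takes effect in Release builds. Also, `-fPIE` from `add_compile_options()` reaches every object in the tree, including any that are linked into shared libraries, where `-fPIE` code can fail at link time with `can not be used when making a shared object; recompile with -fPIC`; `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` together with `cmake_policy(SET CMP0083 NEW)` and `check_pie_supported()` lets CMake emit `-fPIC` for libraries and `-fPIE`/`-pie` for executables, and makes the hand-written `-pie` in `add_link_options()` unnecessary.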

## Test plan

- Build with `-DPHARO_HARDENED=ON` in a Release configuration (FORTIFY
  is inert at -O0); verify success on a standard Ubuntu 22.04 container.
- Inspect the resulting executable:
    - `checksec --file=pharo` should show:
        - RELRO: Full
        - Canary: Yes
        - NX: Yes
        - PIE: Yes
        - FORTIFY: Yes (reported only when at least one call site was
          actually rewritten to a `*_chk` variant)
- Run the existing test suite; no behavioural regressions expected.
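The checksec readings the test plan asks for, and the per-flag residue listed under Problem, re-created with GNU binutils only. This is an added example for this note, not code from the Pharo repository; it assumes `readelf` is on PATH and that the argument is an ELF executable, and it mirrors checksec's labels so the two can be compared side by side.

```shell
#!/bin/sh
# Added example for this note, not code from the Pharo repository.
# Re-creates the checksec readings from the test plan with GNU binutils'
# readelf alone, which is more likely to be in a CI container than checksec.
#
#   sh check_hardening.sh build/pharo      (exit 0 only if everything passes)

# has TEXT REGEX -> succeeds if any line of TEXT matches the extended regex
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# yn TEXT REGEX -> prints Yes or No
yn() { if has "$1" "$2"; then echo Yes; else echo No; fi; }

# hardening_report BIN -> prints one "<property>: <value>" line per check in
# checksec's vocabulary; returns the number of properties that are missing
# (0 means fully hardened, 2 means BIN could not be inspected at all).
hardening_report() {
    bin=$1
    [ -r "$bin" ] || { echo "cannot read $bin" >&2; return 2; }
    hdr=$(readelf -hW "$bin" 2>/dev/null) || { echo "$bin: not an ELF file" >&2; return 2; }
    phdr=$(readelf -lW "$bin")   # program headers: GNU_STACK, GNU_RELRO
    dyn=$(readelf -dW "$bin")    # dynamic section: BIND_NOW / FLAGS_1 NOW
    syms=$(readelf -sW "$bin")   # .dynsym/.symtab: canary and *_chk imports

    # PIE: e_type is ET_DYN. Recent binutils print "DYN (Position-Independent
    # Executable file)", older ones "DYN (Shared object file)"; EXEC means no PIE.
    pie=$(yn "$hdr" 'Type:[[:space:]]+DYN')

    # NX: a PT_GNU_STACK segment flagged RW rather than RWE. With no
    # GNU_STACK segment at all the kernel may fall back to an executable
    # stack, so "absent" is also reported as No.
    nx=$(yn "$phdr" 'GNU_STACK.* RW ')

    # RELRO: partial needs a PT_GNU_RELRO segment; full additionally needs
    # eager binding (-z now), visible as DT_BIND_NOW, DT_FLAGS BIND_NOW or
    # DT_FLAGS_1 NOW in the dynamic section.
    if has "$phdr" 'GNU_RELRO' && has "$dyn" 'BIND_NOW|\(FLAGS_1\).*NOW'; then
        relro=Full
    elif has "$phdr" 'GNU_RELRO'; then
        relro=Partial
    else
        relro=No
    fi

    # Canary: every -fstack-protector-* build imports __stack_chk_fail.
    canary=$(yn "$syms" '__stack_chk_fail')

    # FORTIFY: _FORTIFY_SOURCE rewrites fortifiable calls into *_chk variants
    # (__memcpy_chk, __printf_chk, ...). The pattern excludes __stack_chk_fail,
    # whose "_chk" is followed by "_fail" rather than a version or line end.
    fortify=$(yn "$syms" '__[a-z0-9_]+_chk(@| |$)')

    printf 'RELRO: %s\nCanary: %s\nNX: %s\nPIE: %s\nFORTIFY: %s\n' \
        "$relro" "$canary" "$nx" "$pie" "$fortify"

    fails=0
    for v in "$pie" "$nx" "$canary" "$fortify"; do
        [ "$v" = Yes ] || fails=$((fails + 1))
    done
    [ "$relro" = Full ] || fails=$((fails + 1))
    return $fails
}

# When run as a script, inspect the binary named on the command line.
if [ "$#" -gt 0 ]; then
    hardening_report "$1"
fi
```

The FORTIFY line is the one to read with care: this script and checksec alike can only see fortification that actually happened, so a binary compiled with `-D_FORTIFY_SOURCE=2` at -O0, or one with no call whose destination size the compiler could prove, reports No even though the flag was passed. The Canary line has the same property for a binary with no function that qualifies for a guard.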

## Risk notes

- `-fstack-protector-strong` adds canaries to functions with local
  arrays, `alloca`, or address-taken locals; the cost is a canary store
  in the prologue and a load-and-compare in the epilogue of each such
  function, negligible next to the interpreter's own work.
- `-fPIE -pie` produces position-independent executables; some
  ancient embedded targets do not support `-pie`. CMake's
  `include(CheckPIESupported)` / `check_pie_supported()` (with policy
  CMP0083 set to NEW) probes the toolchain for this and is simpler than
  a hand-rolled `try_compile`.
- `-Wl,-z,now` resolves every PLT entry at load time instead of lazily,
  so process start-up does slightly more work; for a VM that is started
  once and then runs for a long time the difference is negligible.
- Sibling B26 (silenced warnings) and B28 (Windows hardening) belong
  with this PR conceptually but can be applied independently.
