From 82b25917c2291b896f39edfa1322d9e7d4eb8215 Mon Sep 17 00:00:00 2001
From: Jonathan Helmus
Date: Fri, 27 Mar 2026 16:18:27 -0500
Subject: [PATCH] include noexecstack hardening flag on Linux Mark the stack memory as non-executable using the '-Wl,-z,noexecstack' flag on aarch64 and x86_64 linux platforms. Other linux targets are cross-compiled, this flag is left off for the time being. closes #1061
---
 cpython-unix/targets.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml
index 36c59c2c3..50ffbf308 100644
--- a/cpython-unix/targets.yml
+++ b/cpython-unix/targets.yml
@@ -136,6 +136,9 @@ aarch64-unknown-linux-gnu:
 - '-mno-omit-leaf-frame-pointer'
 # Needed to prevent BOLT from crashing.
 - '-fdebug-default-version=4'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -575,6 +578,9 @@ x86_64-unknown-linux-gnu:
 - '-mno-omit-leaf-frame-pointer'
 # Needed to prevent BOLT from crashing.
 - '-fdebug-default-version=4'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -625,6 +631,9 @@ x86_64_v2-unknown-linux-gnu:
 - '-mno-omit-leaf-frame-pointer'
 # Needed to prevent BOLT from crashing.
 - '-fdebug-default-version=4'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -675,6 +684,9 @@ x86_64_v3-unknown-linux-gnu:
 - '-mno-omit-leaf-frame-pointer'
 # Needed to prevent BOLT from crashing.
 - '-fdebug-default-version=4'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -725,6 +737,9 @@ x86_64_v4-unknown-linux-gnu:
 - '-mno-omit-leaf-frame-pointer'
 # Needed to prevent BOLT from crashing.
 - '-fdebug-default-version=4'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
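Review bot: The new `target_ldflags` entries (this hunk and the nine others for the aarch64/x86_64 gnu and musl targets) come with no check that the shipped ELF files actually end up with a non-executable stack. `-Wl,-z,noexecstack` affects only outputs linked with these flags, and it forces the marking even when an input object lacks a `.note.GNU-stack` section, so whether it reaches every shared library and extension module in the distribution cannot be seen from this file. A post-build assertion on the `GNU_STACK` program header (flags `RW` with no `E`, as printed by `readelf -lW`) would catch a regression or a component that bypasses these flags. The bare `# Hardening` comment could also state what is hardened, e.g. `# Hardening: mark the stack non-executable (PT_GNU_STACK without PF_X)`. Each target mapping continues outside its hunk.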
@@ -772,6 +787,9 @@ x86_64-unknown-linux-musl:
 # Enable frame pointers
 - '-fno-omit-frame-pointer'
 - '-mno-omit-leaf-frame-pointer'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -820,6 +838,9 @@ x86_64_v2-unknown-linux-musl:
 # Enable frame pointers
 - '-fno-omit-frame-pointer'
 - '-mno-omit-leaf-frame-pointer'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -868,6 +889,9 @@ x86_64_v3-unknown-linux-musl:
 # Enable frame pointers
 - '-fno-omit-frame-pointer'
 - '-mno-omit-leaf-frame-pointer'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -916,6 +940,9 @@ x86_64_v4-unknown-linux-musl:
 # Enable frame pointers
 - '-fno-omit-frame-pointer'
 - '-mno-omit-leaf-frame-pointer'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb
@@ -967,6 +994,9 @@ aarch64-unknown-linux-musl:
 # Enable frame pointers
 - '-fno-omit-frame-pointer'
 - '-mno-omit-leaf-frame-pointer'
+ target_ldflags:
+ # Hardening
+ - '-Wl,-z,noexecstack'
 needs:
 - autoconf
 - bdb