
@edsiper (Member) commented Dec 4, 2025

Fixes #10513

Prevent the toolchain from emitting an executable stack, which triggers kernel warnings (e.g. "started with executable stack") and weakens security hardening.


Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Chores
    • Improved binary security on Linux builds by enabling non-executable stack protection for executables and shared libraries.
    • Change applies only to non-Windows build paths; Windows/MSVC behavior is unchanged.

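The PR description says an executable stack trips the kernel's "started with executable stack" warning; what the kernel actually inspects is the PT_GNU_STACK program header that the linker writes, and `-Wl,-z,noexecstack` is what clears its execute bit. The following is an added example, not code from this PR or from Fluent Bit: a small dependency-free ELF32/ELF64 program-header reader that reports whether a binary asks for an executable stack, so a build can verify the flag really reached the output. The script name `check_stack.py` and the `make_sample_elf64` fixture (a constructed 120-byte header-only image, not a real binary) are assumptions made for this example.

```python
"""Added example (not part of this PR or of Fluent Bit): read an ELF file's program
headers and report whether its PT_GNU_STACK entry asks the kernel for an executable
stack. This is what -Wl,-z,noexecstack changes in the linked output, and what the
kernel's "started with executable stack" warning reacts to."""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # p_type value of the GNU_STACK program header
PF_X = 0x1                  # p_flags bit: segment is executable
PF_W = 0x2
PF_R = 0x4


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK program header, or None if the ELF has none.

    Handles ELF32 and ELF64 in either byte order; raises ValueError for non-ELF input.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"              # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 2:                                # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1    # p_type, p_flags, p_offset, ...
    elif ei_class == 1:                              # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6    # p_type, p_offset, ..., p_flags, p_align
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def stack_is_executable(data: bytes) -> bool:
    """True if this binary requests an executable stack.

    A missing PT_GNU_STACK header is reported as executable too: that is the legacy
    default the GNU linker and the x86 Linux loader fall back to, and it is exactly
    what one stray object file without a .note.GNU-stack section produces.
    """
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def make_sample_elf64(p_type: int = PT_GNU_STACK, p_flags: int = PF_R | PF_W) -> bytes:
    """Constructed test fixture: a 120-byte little-endian ELF64 image holding only an
    ELF header and one program header. It is not loadable; it exists so the parser
    can be exercised without a compiler."""
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0,   # EI_CLASS=64-bit, EI_DATA=LSB, EI_VERSION=1
                       2, 0x3E, 1,                  # e_type=EXEC, e_machine=x86-64, e_version
                       0, 64, 0, 0,                 # e_entry, e_phoff=64, e_shoff, e_flags
                       64, 56, 1, 64, 0, 0)         # e_ehsize, e_phentsize, e_phnum, sh* fields
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def check_file(path: str) -> str:
    """Read one file and return a one-line verdict suitable for a build check."""
    with open(path, "rb") as fh:
        data = fh.read()
    flags = gnu_stack_flags(data)
    if flags is None:
        return "%s: no PT_GNU_STACK header (executable stack by default)" % path
    verdict = "EXECUTABLE" if flags & PF_X else "non-executable"
    return "%s: GNU_STACK flags=0x%x -> %s stack" % (path, flags, verdict)


if __name__ == "__main__":
    # Usage: python3 check_stack.py <elf-file>...; exit status 1 if any file
    # requests an executable stack, so it can gate a CI job.
    bad = 0
    for arg in sys.argv[1:]:
        print(check_file(arg))
        with open(arg, "rb") as fh:
            bad += stack_is_executable(fh.read())
    sys.exit(1 if bad else 0)
```

Pointed at the executables and shared libraries a build produces, the script should report `non-executable` for every file once the noexecstack flags are in effect; a `no PT_GNU_STACK header` verdict usually means an object or static library without a `.note.GNU-stack` section was linked in, which is the same condition the kernel warning flags at run time.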

coderabbitai bot commented Dec 4, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds Linux-specific assembler and linker flags to disable executable stacks for executables and shared libraries in the non-MSVC build path via CMake.

Changes

Cohort / File(s): Security hardening (CMakeLists.txt)
Summary: On Linux (CMAKE_SYSTEM_NAME == "Linux"), add compile flag -Wa,--noexecstack and linker flags -Wl,-z,noexecstack to CMAKE_EXE_LINKER_FLAGS and CMAKE_SHARED_LINKER_FLAGS for non-MSVC builds.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Check that the flags are only applied on Linux and do not affect MSVC or other platforms.
  • Verify no duplicate linker flag entries or ordering issues with existing linker flags.

Suggested reviewers

  • patrick-stephens
  • niedbalski
  • fujimotos

Poem

🐇 With tiny paws I tweak the stack,
I tuck the bytes where bugs can't sneak,
No jumps, no flights, the flags align,
A safer build, snug and fine.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly and specifically describes the main change: preventing executable stack emission by the toolchain, which directly corresponds to the CMakeLists.txt modifications adding noexecstack flags.
Linked Issues check ✅ Passed The PR adds noexecstack flags to all Linux builds (not just release), directly addressing issue #10513's requirement that non-executable stack enforcement not be limited to release builds.
Out of Scope Changes check ✅ Passed The changes are limited to adding Linux-specific executable stack protection flags in CMakeLists.txt, which is directly in scope with the linked issue's objective.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64c6483 and 8912cdb.

📒 Files selected for processing (1)
  • CMakeLists.txt (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • CMakeLists.txt
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_COMPILER_STRICT_POINTER_TYPES=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
  • GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
  • GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
  • GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-24.04, clang-14)
  • GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, clang, clang++, ubuntu-22.04, clang-12)
  • GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-24.04, clang-14)
  • GitHub Check: pr-compile-system-libs (-DFLB_PREFER_SYSTEM_LIBS=On, 3.31.6, gcc, g++, ubuntu-22.04, clang-12)
  • GitHub Check: pr-compile-without-cxx (3.31.6)
  • GitHub Check: pr-compile-centos-7


chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.


CMakeLists.txt Outdated
Comment on lines 88 to 91
# security hardening.
add_compile_options(-Wa,--noexecstack)
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,noexecstack")
set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,noexecstack")
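Review bot: the -Wl,-z,noexecstack flag is appended only to CMAKE_EXE_LINKER_FLAGS and CMAKE_SHARED_LINKER_FLAGS, so any target declared with add_library(... MODULE ...) (the form used for dlopen-loaded plugins) links through CMAKE_MODULE_LINKER_FLAGS and would still be produced without it. Suggest adding `set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,-z,noexecstack")` next to the other two and, since this block runs for every non-MSVC toolchain, wrapping all three in a probe that the linker actually accepts the option (check_linker_flag from CMake's CheckLinkerFlag module, available since 3.18) rather than assuming a GNU/ELF linker.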


P1: Guard noexecstack flags for non-ELF platforms

The new linker flags -Wl,-z,noexecstack are applied unconditionally for all non-MSVC builds, but Darwin’s ld64 (and other non-ELF linkers) reject -z options, causing the build to fail on macOS and similar targets. These flags should be conditioned on ELF toolchains or excluded for Apple builds to avoid breaking supported platforms.


@patrick-stephens (Contributor) commented

@edsiper think it needs to be conditional for only the platforms that support it, don't think macOS does. Need to double check the older compilers as well

@edsiper edsiper force-pushed the build-no-exec-stack branch from 64c6483 to 8912cdb on December 5, 2025 15:48
@edsiper edsiper merged commit f2dd991 into master Dec 5, 2025
50 checks passed
@edsiper edsiper deleted the build-no-exec-stack branch December 5, 2025 20:32


Successfully merging this pull request may close these issues.

executable stack

3 participants