
Add hardening flags to linux targets #1166

Open
jjhelmus wants to merge 3 commits into main from jjh/hardening_flags

Conversation

@jjhelmus

Contributor
  • Enable stack protection and immediate binding for all linux builds.
  • Enable source fortification for optimized glibc targets.
  • Enable stack-clash protection on aarch64/x86-64 linux targets.
  • Validate these hardening properties in distributions using the validate-distribution command.

Control-flow and branch protection flags are not included.

On x86-64 -fcf-protection requires modern kernels, glibc and hardware (CET). Additionally, native extensions can fail to load when they are built without CET (which most are not) if the interpreter includes these protections.

On aarch64, -mbranch-protection is of limited use unless all objects include the necessary markers. This includes the CRT and compiler runtimes which come from the base image which pre-dates these features.

closes #837

jjhelmus added 3 commits June 25, 2026 11:48
Enable stack protection and immediate binding for all Linux builds.
Enable source fortification for optimized glibc targets.

closes #837

Enable stack-clash protection on aarch64 and x86-64 linux targets.
Other architectures are cross-compiled and the toolchains may lack
support for this functionality.

Extend validate-distribution to reject
    * non-PIE executables
    * writable and executable load segments
    * missing RELRO
    * lazy symbol binding
    * text relocations.

Preserve the existing executable-stack validation and skip dynamic
binding checks when validating static binaries.
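The checks this commit adds to validate-distribution, as an added illustration that is not the project's own code: a stdlib-only Python checker that reads an ELF64 header, program headers and dynamic section and reports non-PIE type, W+X load segments, executable stack, missing RELRO, lazy binding and text relocations, plus a constructed minimal ELF64 builder used only to exercise it. The function names `validate_elf64` and `build_elf64`, the finding strings, and the choice to skip only the dynamic-section checks for static binaries are assumptions; the ELF constants are the standard gABI/Linux values.

```python
import struct
# ELF constants (System V gABI / Linux values).
ET_EXEC, ET_DYN, PF_X, PF_W = 2, 3, 1, 2
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1

def validate_elf64(data):
    """Return hardening findings for a little-endian ELF64 image (empty list = passes)."""
    e_type, _, _, _, e_phoff, _, _, _, phentsize, phnum = struct.unpack_from("<HHIQQQIHHH", data, 16)  # e_type .. e_phnum
    findings, relro, dynamic = [], False, None
    if e_type != ET_DYN:  # a PIE executable is ET_DYN; ET_EXEC has a fixed load address
        findings.append("not position-independent (ELF type is ET_EXEC)")
    for i in range(phnum):  # program headers (Elf64_Phdr)
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * phentsize)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            findings.append("writable and executable load segment")
        elif p_type == PT_GNU_STACK and p_flags & PF_X:
            findings.append("executable stack")
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if not relro:
        findings.append("missing RELRO")
    if dynamic is None:  # static binary: no dynamic section, so the binding checks are skipped
        return findings
    tags = {}
    for off in range(dynamic[0], dynamic[0] + dynamic[1], 16):  # Elf64_Dyn entries are 16 bytes
        tag, val = struct.unpack_from("<qQ", data, off)
        tags[tag] = val
    if not (DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW or tags.get(DT_FLAGS_1, 0) & DF_1_NOW):
        findings.append("lazy symbol binding")
    if DT_TEXTREL in tags or tags.get(DT_FLAGS, 0) & DF_TEXTREL:
        findings.append("text relocations")
    return findings

def build_elf64(e_type, load_flags, exec_stack, relro, dyn_tags=None):
    """Constructed fixture: a minimal, non-runnable ELF64 image with the requested properties."""
    phdrs = [(PT_LOAD, load_flags, 0, 0, 0, 0, 0, 0x1000),
             (PT_GNU_STACK, PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 0, 1))
    dyn = b""
    if dyn_tags is not None:  # None models a static binary (no PT_DYNAMIC header)
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
        phdrs.append((PT_DYNAMIC, PF_W, 64 + 56 * (len(phdrs) + 1), 0, 0, len(dyn), len(dyn), 8))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 0xB7, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

Running `validate_elf64` over a real binary is just `validate_elf64(open(path, "rb").read())`; the builder exists only so the checker can be exercised offline against known-good and known-bad layouts.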
@jjhelmus

Contributor Author

This improves the hardening check results:

PBS 20260623 on aarch64 Linux

# curl -SLO https://github.com/astral-sh/python-build-standalone/releases/download/20260623/cpython-3.14.6+20260623-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz
# tar xf cpython-3.14.6+20260623-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz
# hardening-check python/bin/python
python/bin/python:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!

With these changes:

# tar xf cpython-3.14.6-aarch64-unknown-linux-gnu-pgo+lto-20260625T1336.tar.zst
# hardening-check python/install/bin/python
python/install/bin/python:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
 Branch Protection: no, not found!

Stack clash protection is enabled but the binary lacks allocations that would exercise this protection, so it cannot be detected.
Control flow integrity and branch protection are intentionally not enabled as discussed above.

@jjhelmus

Contributor Author

Validation is failing with:

Error: errors found
  error: python/install/bin/python3.14 is not position-independent (ELF type is ET_EXEC)
Error: Process completed with exit code 1.

This is likely a false positive as the binary is PIE rather than PIC.

@jjhelmus

Contributor Author

Before merging this I want to examine the performance difference these flags introduce. I will not be able to get to this until next week at the earliest.


Successfully merging this pull request may close these issues.

Linux binaries lack some common hardening mechanisms