Disable CET compatibility setting on apphost when CetCompat property is set to false#41483
Q: I noticed this is targeting Windows/EXE. Is it possible to produce a CET compatible library which is then linked into an application, or is this something that's enabled for the running application as a whole? I'm asking because it seems this is controlled by a bit in the PE header, so presumably you can set this for some, none or all DLLs your application consumes.
@joeloff if CET is enabled in a process, it needs to be so from the very beginning of the process runtime. The OS needs to create a shadow stack that is used to store return addresses in parallel to the regular stack at process startup. DLLs can also be marked as CET compatible. There is a policy that can be set system-wide or per process that determines whether a process that runs with CET enabled can load all DLLs or only the ones with the CET compatibility flag set and containing EHCONT data.
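The "bit in the PE header" discussed above is not in the classic `DllCharacteristics` field: Windows records it in the debug directory, in an entry of type `IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS` (20) whose payload is a DWORD where `IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT` (0x1) marks the image as CET compatible. The script below is an added example for this thread, not code from dotnet/sdk or dotnet/runtime; the constants are taken from winnt.h, and the sample image it inspects is constructed in memory so it runs offline. The `build_sample_pe` helper and its layout (one `.rdata` section at RVA 0x1000, file offset 0x200) are assumptions made for the demonstration.

```python
"""Report whether a PE image carries the CET shadow-stack compatibility flag.

Added example (not part of the dotnet/sdk or dotnet/runtime code). The flag
lives in an IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS debug-directory entry, not
in the optional header's DllCharacteristics; constants are from winnt.h.
"""
import struct
import sys

IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20   # winnt.h
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x1  # winnt.h
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DEBUG_ENTRY_SIZE = 28                          # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (va, vsize, raw_ptr, raw_size)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def cet_compat(pe: bytes):
    """True/False for the CET_COMPAT bit; None if the image has no type-20 entry
    (older linker, or the flag was never emitted) so the loader treats it as
    not CET compatible under a strict policy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return None
    debug_rva, debug_size = struct.unpack_from(
        "<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if debug_rva == 0 or debug_size == 0:
        return None

    sections = []
    for i in range(num_sections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + size_of_opt + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))

    debug_off = _rva_to_offset(debug_rva, sections)
    for n in range(debug_size // DEBUG_ENTRY_SIZE):
        _c, _ts, _maj, _min, dtype, size_of_data, _addr, ptr_raw = struct.unpack_from(
            "<IIHHIIII", pe, debug_off + DEBUG_ENTRY_SIZE * n)
        if dtype == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and size_of_data >= 4:
            ex_chars = struct.unpack_from("<I", pe, ptr_raw)[0]
            return bool(ex_chars & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return None


def build_sample_pe(ex_dllcharacteristics=None) -> bytes:
    """Construct a minimal PE32+ image (assumed layout, for the demo only) with one
    .rdata section holding a single type-20 debug entry, or no debug directory."""
    file_align, sect_align, section_rva, section_off = 0x200, 0x1000, 0x1000, 0x200
    payload = b""
    if ex_dllcharacteristics is not None:
        payload = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS,
                              4, section_rva + DEBUG_ENTRY_SIZE, section_off + DEBUG_ENTRY_SIZE)
        payload += struct.pack("<I", ex_dllcharacteristics)
    payload = payload.ljust(file_align, b"\0")

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)     # x64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)                       # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, section_rva + sect_align, section_off)  # SizeOfImage/Headers
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    if ex_dllcharacteristics is not None:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG,
                         section_rva, DEBUG_ENTRY_SIZE)
    section = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(payload), section_rva,
                          len(payload), section_off, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(section_off, b"\0")
    return headers + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], cet_compat(f.read()))
    else:
        for label, flags in (("flag set", IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT),
                             ("flag clear", 0), ("no entry", None)):
            print(label, cet_compat(build_sample_pe(flags)))
```

Run it against a real `apphost.exe` or any DLL to see which images a strict per-process or system-wide CET policy would accept. Images built with the MSVC linker get this entry from `/CETCOMPAT`; a result of `None` means the linker never emitted the extended characteristics at all, which the loader treats the same as a clear flag.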
dotnet/runtime#103007 switched `apphost`/`singlefilehost` to enable CET shadow stack compatibility by default, with an option to disable it in `HostWriter.CreateAppHost`. This change updates the SDK to disable CET compat if the project sets `<CetCompat>false</CetCompat>`.

cc @dotnet/appmodel @AaronRobinsonMSFT @janvorli @mangod9