Expanding the list of "Hardened Packages"
Paolo Bonzini
pbonzini at redhat.com
Thu Apr 4 07:39:18 UTC 2013
Il 04/04/2013 04:05, Josh Bressers ha scritto:
>
>
>
> On Wed, Apr 3, 2013 at 2:05 PM, Steve Grubb <sgrubb at redhat.com
> <mailto:sgrubb at redhat.com>> wrote:
>
> On Wednesday, April 03, 2013 01:48:17 PM Miloslav Trmač wrote:
> > On Tue, Apr 2, 2013 at 9:57 PM, Steve Grubb <sgrubb at redhat.com
> <mailto:sgrubb at redhat.com>> wrote:
> > > On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> > > > "_hardened_build" rpm spec macro can be used to harden a package.
> > > >
> > > > For an example, see
> > > > http://pkgs.fedoraproject.org/cgit/clamav.git/tree/clamav.spec
> > >
> > > This flag is overly aggressive. We have a list of programs that
> need PIE
> > > enabled and doing more isn't necessarily constructive.
> >
> > Why exactly it "isn't necessarily constructive"? If you have hard
> data,
> > please share :)
>
> Because PIE is only supposed to be on long running apps and setuid
> apps. If
> its on everything, it will slow the system down too much and then
> you have the
> knee jerk reaction to remove it from anything. We want it applied
> when needed
> and otherwise not.
>
>
> How much does it slow things down? I'm fairly certain you don't have any
> good data on this point. Dhiru is working out how to best figure out FWIW.
>
> I'm willing to agree that PIE on x86 is going to be very slow due to
> register pressure.
Yes, but not on x86-64 which has %rip-relative addressing. It is
probably a wash there.
Also, it is not really _that_ slow. The same register pressure issue
exists with PIC. It was that bad, we would have problems for all the
code we run from shared libraries.
Paolo
> However, we should consider revisiting what we want
> built as PIE. Is Firefox a long running process? It is on my system.
> Revisiting our current list and trying to understand our needs is never
> a bad thing to do. Existing architectures are different now than they
> were when that list was created, no harm comes from talking about it.
>
> --
> JB
>
>
More information about the devel
mailing list