On Fri, Mar 29, 2013 at 05:13:33PM +0000, Richard W.M. Jones wrote:
On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> Hi,
>
> This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
>
> (mitr asked me to move the discussion to fedora-devel to get more
> attention and feedback)
>
> ...
>
> http://fedoraproject.org/wiki/Hardened_Packages page mentions
> that "FESCo requires some packages to use PIE and relro hardening by
> default."
>
> It would be great if this list could be expanded to include even more
> packages which are at comparatively more risk of being exploited (locally
> or remotely).
>
> Such packages will typically include various system daemons, network
> daemons and network enabled applications.

Qemu is surely a good candidate for this. Although it's not
network-accessible, it is accessible from the guests that it runs via
its huge and ill-specified surface of emulated devices.

I'm running my own modified qemu package [qemu-1.4.0-5.fc20.x86_64]
with hardening flags enabled. It seems to be working OK so far ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org
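
Added example, not part of the original thread and not Fedora's or qemu's own tooling: a check of whether a little-endian ELF64 binary carries the PIE and relro hardening discussed above, read straight from the ELF program headers and dynamic section. The function names and the sample image are constructed for illustration; the check treats any ET_DYN file as position-independent, which also matches shared libraries.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro_seg, bind_now = False, False
    for i in range(phnum):
        ph = struct.unpack_from(PHDR, elf, phoff + i * phentsize)
        p_type, p_off, p_filesz = ph[0], ph[2], ph[5]
        if p_type == PT_GNU_RELRO:        # linker emitted a read-only-after-reloc segment
            relro_seg = True
        elif p_type == PT_DYNAMIC:        # look for any "bind now" marker
            for off in range(p_off, p_off + p_filesz - 15, 16):
                tag, val = struct.unpack_from(DYN, elf, off)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_BIND_NOW
                bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
                bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
    # Full RELRO needs both the segment and eager binding, so the GOT can be sealed.
    relro = "full" if relro_seg and bind_now else "partial" if relro_seg else "none"
    return {"pie": e_type == ET_DYN, "relro": relro}

def sample_elf(e_type: int, relro: bool, now: bool) -> bytes:
    """Build a constructed, minimal ELF64 image (headers only, not runnable)."""
    dyn = (struct.pack(DYN, DT_FLAGS, DF_BIND_NOW) if now else b"") + struct.pack(DYN, DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, len(dyn))] + ([(PT_GNU_RELRO, 0)] if relro else [])
    dyn_off = 64 + 56 * len(phdrs)        # dynamic section follows the program headers
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    out = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for p_type, size in phdrs:
        out += struct.pack(PHDR, p_type, 4, dyn_off, 0, 0, size, size, 8)
    return out + dyn

if __name__ == "__main__":
    print("hardened sample:  ", hardening(sample_elf(3, True, True)))
    print("unhardened sample:", hardening(sample_elf(2, False, False)))
```

To check an installed binary, pass its contents instead of the sample, for example `hardening(open(path, "rb").read())` with `path` pointing at the executable of interest.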