#6049: Long running packages in F21 that 'MUST enable the PIE compiler flags'
by Fedora Release Engineering
-----------------------------+------------------------
Reporter: moezroy | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 20 Final | Component: git
Keywords: | Blocked By:
Blocking: |
-----------------------------+------------------------
Here https://fedoraproject.org/wiki/Packaging:Guidelines#PIE it says
If your package meets any of the following criteria you MUST enable the
PIE compiler flags:
Your package is long running. This means it's likely to be started and
kept running until the machine is rebooted...
{{{
[root@localhost liveuser]# checksec --proc-all | grep "No PIE"
Xorg.bin 1037 Partial RELRO Canary found NX enabled No PIE
gnome-session 1227 Partial RELRO Canary found NX enabled No PIE
at-spi-bus-laun 1300 Partial RELRO Canary found NX enabled No PIE
at-spi2-registr 1308 Partial RELRO Canary found NX enabled No PIE
gvfsd 1318 Partial RELRO Canary found NX enabled No PIE
gvfsd-fuse 1322 Partial RELRO Canary found NX enabled No PIE
gnome-settings- 1339 Partial RELRO Canary found NX enabled No PIE
gnome-keyring-d 1344 Partial RELRO Canary found NX enabled No PIE
gnome-shell 1455 Partial RELRO Canary found NX enabled No PIE
gsd-printer 1486 Partial RELRO Canary found NX enabled No PIE
dconf-service 1504 Partial RELRO Canary found NX enabled No PIE
gnome-shell-cal 1514 Partial RELRO Canary found NX enabled No PIE
evolution-sourc 1520 Partial RELRO Canary found NX enabled No PIE
goa-daemon 1526 Partial RELRO Canary found NX enabled No PIE
ibus-daemon 1530 Partial RELRO Canary found NX enabled No PIE
mission-control 1534 Partial RELRO Canary found NX enabled No PIE
ibus-dconf 1541 Partial RELRO Canary found NX enabled No PIE
ibus-x11 1543 Partial RELRO Canary found NX enabled No PIE
caribou 1571 Partial RELRO Canary found NX enabled No PIE
gvfs-udisks2-vo 1586 Partial RELRO Canary found NX enabled No PIE
gvfs-afc-volume 1594 Partial RELRO Canary found NX enabled No PIE
gvfs-mtp-volume 1600 Partial RELRO Canary found NX enabled No PIE
gvfs-gphoto2-vo 1605 Partial RELRO Canary found NX enabled No PIE
gvfs-goa-volume 1610 Partial RELRO Canary found NX enabled No PIE
evolution-alarm 1662 Partial RELRO Canary found NX enabled No PIE
tracker-miner-a 1665 Partial RELRO Canary found NX enabled No PIE
tracker-store 1670 Partial RELRO Canary found NX enabled No PIE
seapplet 1671 Partial RELRO Canary found NX enabled No PIE
tracker-extract 1676 Partial RELRO Canary found NX enabled No PIE
tracker-miner-u 1680 Partial RELRO Canary found NX enabled No PIE
gnome-software 1681 Partial RELRO Canary found NX enabled No PIE
tracker-miner-f 1683 Partial RELRO Canary found NX enabled No PIE
evolution-calen 1710 Partial RELRO Canary found NX enabled No PIE
ibus-engine-sim 1740 Partial RELRO No canary found NX enabled No PIE
gnome-terminal- 1870 Partial RELRO Canary found NX enabled No PIE
gconfd-2 1876 Partial RELRO Canary found NX enabled No PIE
bash 1879 Partial RELRO Canary found NX enabled No PIE
bash 1910 Partial RELRO Canary found NX enabled No PIE
firefox 5931 Partial RELRO Canary found NX enabled No PIE
gvfsd-metadata 6054 Partial RELRO Canary found NX enabled No PIE
oosplash 6140 Partial RELRO Canary found NX enabled No PIE
gvfsd-burn 6166 Partial RELRO Canary found NX enabled No PIE
soffice.bin 6227 Partial RELRO No canary found NX enabled No PIE
evince 6278 Partial RELRO Canary found NX enabled No PIE
gvfsd-trash 6296 Partial RELRO Canary found NX enabled No PIE
nautilus 6319 Partial RELRO Canary found NX enabled No PIE
bash 6339 Partial RELRO Canary found NX enabled No PIE
python 6366 Partial RELRO No canary found NX enabled No PIE
sedispatch 678 Partial RELRO Canary found NX enabled No PIE
firewalld 722 Partial RELRO No canary found NX enabled No PIE
mcelog 728 Partial RELRO Canary found NX enabled No PIE
grep 8620 Partial RELRO Canary found NX enabled No PIE
[root@localhost liveuser]#
}}}
The above packages don't seem to have PIE enabled.
Can someone from releng enable hardening on as many "Long running
packages" as possible before the next F21 Release Candidate?
I am thinking probably a script that adds "%global _hardened_build 1" to
the start of the spec file?
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/6049>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
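
One way the script proposed in the ticket could be written, as an added example that is not part of the ticket or of Fedora's release-engineering tooling. The function names `harden_spec` and `main_is_noarch`, the status words, and the choice to skip noarch packages are assumptions of this example; only the macro line itself comes from the ticket.

```shell
#!/bin/sh
# Added example (not Fedora release-engineering tooling): prepend the
# hardening macro quoted in the ticket to a spec file, idempotently.
# Prints one status word: added | already-defined | skipped-noarch | missing

MACRO='%global _hardened_build 1'

# True when the main package preamble (everything before the first
# %package section) declares BuildArch: noarch. A noarch -doc subpackage
# must not cause an arch-specific package to be skipped.
main_is_noarch() {
    awk '
        tolower($0) ~ /^[ \t]*%package/                { exit }
        tolower($0) ~ /^[ \t]*buildarch:[ \t]*noarch/  { found = 1; exit }
        END { exit !found }
    ' "$1"
}

harden_spec() {
    spec=$1
    [ -f "$spec" ] || { echo missing; return 1; }

    # Any existing definition is left for the maintainer to review.
    if grep -Eq '^[[:space:]]*%(global|define)[[:space:]]+_hardened_build([[:space:]]|$)' "$spec"; then
        echo already-defined; return 0
    fi

    # noarch packages carry no compiled executables, so PIE does not apply.
    if main_is_noarch "$spec"; then
        echo skipped-noarch; return 0
    fi

    # Build the new content in a temp file, then overwrite in place so the
    # spec keeps its original permissions.
    tmp=$(mktemp) || return 1
    if { printf '%s\n\n' "$MACRO"; cat "$spec"; } > "$tmp" && cat "$tmp" > "$spec"; then
        rm -f "$tmp"; echo added
    else
        rm -f "$tmp"; return 1
    fi
}

# Usage: sh harden-spec.sh path/to/*.spec
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(harden_spec "$f")"
done
```

The macro only takes effect once the package is rebuilt; re-running `checksec` against the rebuilt binaries confirms whether PIE is actually in place.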