New hardened build support (coming) in F16

Björn Persson bjorn at xn--rombobjrn-67a.se
Tue Aug 9 14:06:40 UTC 2011


Steve Grubb wrote:
> This is not the policy that I asked for.

Well, what Ajax described isn't a policy at all. It's a set of RPM macros 
designed to make it easier to follow the (soon to be) policy. RPM macros can't 
enforce the policy. Enforcement must be done elsewhere.

> When you make a PIE executable,
> you get ASLR which is good. But the way it does that is making a weakness
> in the executable for the relocations. It causes a new segment to be
> writable. So, you need full relro support when you do PIE to cover that
> new weakness.

As far as I can see that is what the new RPM macros do, provided that the 
configuration script supports both CFLAGS/CXXFLAGS/FFLAGS and LDFLAGS, or that 
the spec file inserts %{optflags} and %{__global_ldflags} in the right places. If 
you think the macros do something wrong, it might help if you point out where 
the error is.

> What we want is this:
> 1) Everything is compiled with partial relro. Libraries, executables,
> daemons, setuid/setgid/setcap apps.

Everything will be, if LDFLAGS or __global_ldflags is used correctly. The 
current policy already requires that "the applicable compiler flags set in the 
system rpm configuration" be honored. If we want to be pedantic we should 
perhaps change that to "compiler and linker flags".

> 2) Anything that is setgid/setuid/setcap/daemon also include the "now"
> flags and is PIE.

https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags 
mentions daemons, suid and capabilities, so you want to add setgid to that, 
correct?

Do you also mean that you want "should consider enabling" changed to "must 
enable"?

> 3) Anything that is parsing data from untrusted sources should also have
> full relro/pie. That would be things like tcpdump/wireshark/firefox/evince
> /file/netpbm etc.

I believe that's what the "FESCo list side" on 
https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags 
attempts to address. The "etc" is the hard part, of course.

> 4) Anything that has pie, should also have full relro, therefore we
> need to double check anything with PIE to make sure it's really a good idea.

Detecting programs that have been built with PIE but without -z now is 
obviously beyond the scope of the _hardened_build macro, but your rpm-chksec 
sounds like a good tool.

> I sent an email to the fedora-test list last week announcing a program that
> can check any package or the whole distribution for compliance with this
> policy with the exception of rule #3 above. No idea how to make a heuristic
> for that. The program is located here:
> 
> http://people.redhat.com/sgrubb/files/rpm-chksec

Perhaps that could be invoked automatically each time a package is built, 
similarly to how /usr/lib/rpm/check-rpaths is used?

Björn Persson
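As an added illustration of the rules Steve lists and of what an rpm-chksec-style compliance check has to inspect (this is example code written for this page, not code from the thread or from rpm-chksec): a small Python parser that reads the program headers and dynamic section of a little-endian ELF64 image to distinguish no, partial and full RELRO, and treats ET_DYN as "PIE" the way readelf-based checks do (an approximation, since shared libraries are also ET_DYN). The build_elf helper constructs a minimal, non-loadable image so the check runs offline.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 30, 0x6FFFFFFB, 0x8, 0x1
ET_EXEC, ET_DYN = 2, 3
PHDR, DYN = struct.Struct("<IIQQQQQQ"), struct.Struct("<qQ")  # Elf64_Phdr, Elf64_Dyn


def elf_hardening(data):
    """Return (pie, relro) for a little-endian ELF64 image; relro is 'none', 'partial' or 'full'."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    (e_phnum,) = struct.unpack_from("<H", data, 56)
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_size, _, _ = PHDR.unpack_from(data, e_phoff + i * PHDR.size)
        if p_type == PT_GNU_RELRO:
            has_relro = True                      # -z relro: a GNU_RELRO segment exists
        elif p_type == PT_DYNAMIC:                # walk Elf64_Dyn entries looking for BIND_NOW
            for j in range(0, p_size, DYN.size):
                tag, val = DYN.unpack_from(data, p_off + j)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True               # -z now: GOT resolved at load, then made read-only
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return e_type == ET_DYN, relro                # ET_DYN approximates "PIE" (assumption, as noted)


def policy_violations(pie, relro, privileged):
    """Rules from the thread: partial RELRO everywhere; privileged or PIE binaries need PIE plus full RELRO."""
    problems = []
    if relro == "none":
        problems.append("missing partial RELRO (-z relro)")
    if privileged and not pie:
        problems.append("privileged binary is not PIE")
    if (privileged or pie) and relro != "full":
        problems.append("PIE/privileged binary lacks -z now (full RELRO)")
    return problems


def build_elf(pie, relro, bind_now):
    """Constructed minimal ELF64 image (header, program headers, dynamic section; not loadable) for testing."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    phdrs = ([(PT_GNU_RELRO, 0)] if relro else []) + [(PT_DYNAMIC, len(dyn))]
    dyn_off = 64 + PHDR.size * len(phdrs)         # dynamic section follows the program headers
    body = b"".join(PHDR.pack(t, 4, dyn_off, 0, 0, size, size, 8) for t, size in phdrs)
    header = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, PHDR.size, len(phdrs), 64, 0, 0)
    return header + body + dyn
```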