Expanding the list of "Hardened Packages"
Steve Grubb
sgrubb at redhat.com
Tue Apr 2 19:57:35 UTC 2013
On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> On Fri, Mar 29, 2013 at 10:43 PM, Richard W.M. Jones <rjones at redhat.com>
wrote:
> > On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> > > 1. Hardening flags should be turned on (by default) for all packages
> > > which are at comparatively more risk of being exploited or which meet
> > > some well-defined criteria (suggestions welcome).
> >
> > Is there somewhere which describes what to do / what flags to enable?
>
> http://wiki.debian.org/Hardening describes the various hardening flags.
>
> "_hardened_build" rpm spec macro can be used to harden a package.
>
> For an example, see
> http://pkgs.fedoraproject.org/cgit/clamav.git/tree/clamav.spec
This flag is overly aggressive. We have a list of programs that need PIE
enabled and doing more isn't necessarily constructive.
What would be nice is if the autotools got some macros to detect PIE and RELRO
support in gcc so that its easy to add to CFLAGS and LDFLAGS so that it can be
applied more precisely.
-Steve
More information about the devel
mailing list