Expanding the list of "Hardened Packages"

Paul Wouters pwouters at redhat.com
Wed Apr 3 15:19:24 UTC 2013


On Wed, 3 Apr 2013, Miloslav Trmač wrote:

> On Wed, Apr 3, 2013 at 12:18 AM, Adam Williamson <awilliam at redhat.com> wrote:
>> On 31/03/13 08:11 AM, Richard W.M. Jones wrote:
>>
>>> However prelink does reduce the effectiveness of ASLR (a bit).  See
>>> http://lwn.net/Articles/341440/ and follow-up conversation.
>>
>> Ignoring the silly stuff, it does seem that this is Yet Another Reason Prelink Is Bad
> 
> Is it?  The linked comment says the opposite: prelink might interfere with ASLR, but for most programs it doesn't make a difference. 
> Even the latter discussion about local attackers doesn't really apply when any PIE executable automatically means prelink is ignored
> both for the executable and for any used shared libraries, as Jakub said.

To me, prelink is still evil for breaking FIPS. I've requested a few times
that prelink play nicer with FIPS mode, like running prelink -ua during
bootup when FIPS mode is on, and running prelink -ua when the prelink
package is uninstalled. Neither of these trivial solutions is implemented in
the package.

The only argument in favour of prelink is speed. People selecting FIPS
have clearly made the decision to favour extra security over speed.

I'm strongly in favour of getting rid of it completely, and letting
Moore's Law do its job.

Paul
