Expanding the list of "Hardened Packages"

Steve Grubb sgrubb at redhat.com
Wed Apr 3 19:05:21 UTC 2013


On Wednesday, April 03, 2013 01:48:17 PM Miloslav Trmač wrote:
> On Tue, Apr 2, 2013 at 9:57 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> > > "_hardened_build" rpm spec macro can be used to harden a package.
> > > 
> > > For an example, see
> > > http://pkgs.fedoraproject.org/cgit/clamav.git/tree/clamav.spec
> > 
> > This flag is overly aggressive. We have a list of programs that need PIE
> > enabled and doing more isn't necessarily constructive.
> 
> Why exactly is it that it "isn't necessarily constructive"?  If you have hard data,
> please share :)

Because PIE is only supposed to be on long-running apps and setuid apps. If 
it's on everything, it will slow the system down too much and then you have the 
knee-jerk reaction to remove it from anything. We want it applied when needed 
and otherwise not.

Also, the hardened macro adds the "now" directive to the linker. This is 
needed for PIE apps since there is a table for the indirection, but this also 
adds additional slowdown to startup. Jakub mentioned pretty much the same 
thing: too much PIE is not a good thing.

What we want is a balance between fast and secure. That is how the rpm-chksec 
script is written. It's coded to grade the distribution based on this 
philosophy.

-Steve
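The two properties the message argues about, whether a binary is PIE (ELF type ET_DYN with a PT_INTERP header) and whether it was linked with "-z now" (DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1), can be read straight from the ELF headers. The following is an added example written for this thread, not the rpm-chksec script or any Fedora tooling; it parses little-endian ELF64 only, and grades a file the way the message describes (PIE expected only where the caller says the program is long-running or setuid). The sample ELF bytes are constructed inline so the check runs offline.

```python
import struct
import sys
from typing import Dict

# ELF constants (from the ELF specification and glibc's elf.h).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8      # DT_FLAGS bit set by "-z now"
DF_1_NOW = 0x1         # DT_FLAGS_1 equivalent

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header, 56 bytes
DYN_FMT = "<qQ"                  # ELF64 dynamic entry, 16 bytes


def inspect_elf(data: bytes) -> Dict[str, bool]:
    """Return PIE / BIND_NOW facts about an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT[:1] + EHDR_FMT[4:], data, 16)

    has_interp = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True        # needs a loader => executable, not .so
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    return {"executable": has_interp,
            "pie": e_type == ET_DYN and has_interp,
            "bind_now": bind_now}


def grade(info: Dict[str, bool], pie_wanted: bool) -> str:
    """Apply the thread's policy: PIE where needed, with -z now, not elsewhere."""
    if pie_wanted and not info["pie"]:
        return "FAIL: PIE expected (long-running or setuid) but binary is ET_EXEC"
    if info["pie"] and not info["bind_now"]:
        return "WARN: PIE without -z now (lazy GOT binding left writable)"
    if info["pie"] and not pie_wanted:
        return "NOTE: PIE on a program that does not need it (startup cost)"
    return "PASS"


def build_sample_elf(e_type: int, flags_1: int) -> bytes:
    """Constructed minimal ELF64 image: header, PT_INTERP, PT_DYNAMIC, dynamic table."""
    dyn = struct.pack(DYN_FMT, DT_FLAGS_1, flags_1) + struct.pack(DYN_FMT, DT_NULL, 0)
    phoff, dyn_off = 64, 64 + 2 * 56
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0x1000, phoff, 0, 0,
                       64, 56, 2, 64, 0, 0)
    interp = struct.pack(PHDR_FMT, PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    dynamic = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + interp + dynamic + dyn


if __name__ == "__main__":
    # Usage: python check_pie.py /path/to/binary [--daemon]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(grade(inspect_elf(fh.read()), "--daemon" in sys.argv))
    else:
        for name, img, wanted in [("daemon", build_sample_elf(ET_DYN, DF_1_NOW), True),
                                  ("tool", build_sample_elf(ET_EXEC, 0), False)]:
            print(name, inspect_elf(img), grade(inspect_elf(img), wanted))
```

The `pie_wanted` argument is the policy knob the message describes; a real grader would derive it from a list of daemons and setuid programs rather than a command-line flag.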