Expanding the list of "Hardened Packages"
Richard W.M. Jones
rjones at redhat.com
Fri Mar 29 22:10:40 UTC 2013
On Fri, Mar 29, 2013 at 05:13:33PM +0000, Richard W.M. Jones wrote:
> On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> > Hi,
> >
> > This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
> >
> > (mitr asked me to move the discussion to fedora-devel to get more
> > attention and feedback)
> >
> > ...
> >
> > http://fedoraproject.org/wiki/Hardened_Packages page mentions
> > that "FESCo requires some packages to use PIE and relro hardening by
> > default."
> >
> > It would be great if this list could be expanded to include even more
> > packages which are at comparatively more risk of being exploited (locally
> > or remotely).
> >
> > Such packages will typically include various system daemons, network
> > daemons and network enabled applications.
>
> Qemu is surely a good candidate for this. Although it's not network-
> accessible, it is accessible from the guests that it runs via its huge
> and ill-specified surface of emulated devices.

I'm running my own modified qemu package [qemu-1.4.0-5.fc20.x86_64]
with hardening flags enabled. It seems to be working OK so far ...

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
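
One way to confirm that a rebuilt binary, such as the modified qemu package mentioned above, actually carries PIE and full RELRO. This is an added example, not part of the original message or of Fedora's tooling; it assumes a little-endian ELF64 file, and `hardening` and `sample_elf` are hypothetical names.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, elf, phoff + i * phentsize)
             for i in range(phnum)]
    types = {p[0] for p in phdrs}
    bind_now = pie_flag = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, size = p[2], p[5]  # p_offset, p_filesz of the dynamic section
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(DYN, elf, pos)
            if tag == DT_NULL:
                break
            # Any of these three markers makes the loader bind eagerly.
            bind_now |= tag == DT_BIND_NOW
            bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
            pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # Heuristic: ET_DYN alone also matches shared libraries, so require
    # an interpreter segment or the explicit DF_1_PIE flag.
    pie = e_type == ET_DYN and (pie_flag or PT_INTERP in types)
    # RELRO without eager binding leaves the PLT part of the GOT writable.
    relro = "none"
    if PT_GNU_RELRO in types:
        relro = "full" if bind_now else "partial"
    return {"pie": pie, "relro": relro}

def sample_elf(e_type, segments, dyn_tags):
    """Constructed minimal ELF64 image: headers plus a dynamic section."""
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phs = [(PT_DYNAMIC, 64 + 56 * (len(segments) + 1), len(dyn))]
    phs += [(s, 0, 0) for s in segments]
    body = b"".join(struct.pack(PHDR, t, 0, o, 0, 0, n, n, 0) for t, o, n in phs)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    return struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56,
                       len(phs), 0, 0, 0) + body + dyn
```

To check a real binary, pass the file's bytes to `hardening`, for example `hardening(open(path, "rb").read())`.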