So everything in Rawhide must be compiled with -fPIC?
rz at linux-m68k.org
Sun Feb 22 12:11:48 UTC 2015
On Fri, Feb 20, 2015 at 07:28:50PM +0000, Peter Robinson wrote:
> On Fri, Feb 20, 2015 at 6:55 PM, Till Maas <opensource at till.name> wrote:
> > On Fri, Feb 20, 2015 at 05:21:59PM +0000, Peter Robinson wrote:
> >> >> I've never argued against the goal that web browser or all network aware
> >> >> services should be PIEs, after all, why would we (Ulrich Drepper and myself)
> >> >> add the PIE support into the toolchain otherwise?
> >> >> I'm just not convinced most of the unprivileged programs should be PIEs.
> >> >
> >> > Thanks to e.g. e-mail, about any program can be made to run untrusted
> >> > data, e.g. PDF readers, office suites, image viewers, if you open an
> >> > attachment of the respective type. Therefore it makes a sane default
> >> > IMHO. It is also something to attract users that care about security
> >> > very much to Fedora.
> >> So you're saying here that this is miraculously going to stop people
> >> from running random binaries that are being emailed to them? Or is it
> >> just going to stop people from running random non PIC/PIE binaries? I
> >> don't buy that this is a miracle fix to that problem. How then does it
> >> affect other third party binaries not compiled with PIC/PIE that
> >> people might wish to run?
> > No, I am saying I can open PDF documents knowing that I did what I
> > could to be secure when I open it etc. Also I know that if I recommend
> > people Fedora and give basic guidelines, that they are as well protected
> > as possible.
> How is a PDF with a binary payload any different? Sounds like we need
> to be running PDF readers in an SELinux container?
Absolutely. All PDF, office, web browsers and similar should be pre-configured
to use sandboxing technology.
The plain SELinux sandbox also needs some work - right now you can even
read /etc/passwd* out of normal sandboxes!
Name and OpenPGP keys available from pgp key servers