F22 System Wide Change: Harden all packages with position-independent code
Miloslav Trmač
mitr at redhat.com
Mon Jan 12 20:45:06 UTC 2015
> That said, even on x86_64 it isn't anything close to no overhead.
> Tried last night to rebuild GCC's cc1plus as -fpie -pie, and then
> rebuild stage3 of GCC with make -j1 separately with the original stage3
> cc1plus (ET_EXEC binary) and PIE cc1plus (ET_DYN). The build (which
> included still time for various other tools being not PIE, make, ld, as)
> got 2.1% slower user time.
Thanks, this would probably be the first significant example of a really affected program:
( https://fedorahosted.org/fesco/ticket/1113#comment:9 )
1. Built in the distribution
2. CPU-bound (or CPU-limited in the primary performance metric)
3. Not required to use PIE already (= not running as root, not a daemon)
4. (added): Not having the CPU-bound part in a shared library, like firefox or libreoffice¹ do.
How many other such programs are there?
If all we are talking about is increased program build times, that is IMHO _well_ worth the security mitigations.
Mirek
¹ (Both Firefox and LibreOffice are disqualified through 3. anyway.)
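The distinction behind criteria 3 and 4 above (whether a program's main executable is already ET_DYN, and whether its hot code lives in a shared library, which is PIC regardless) can be checked from the ELF header alone. The following is an added example, not code from the thread or from Fedora; it parses e_type and the program headers the way checksec-style tools do, and ships with constructed header-only ELF images as sample input so it runs offline. Names such as classify_elf and make_elf64 are this example's own.

```python
"""Classify an ELF image as ET_EXEC (fixed load address, not position
independent), PIE (ET_DYN main executable that asks for the dynamic loader
via PT_INTERP) or an ET_DYN shared object (no PT_INTERP)."""
import struct
import sys

# Constants from the ELF specification.
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def classify_elf(data: bytes) -> str:
    """Return 'ET_EXEC (non-PIE)', 'PIE' or 'ET_DYN shared object'.

    PIE executables and shared libraries are both ET_DYN and both get a
    randomised base from the kernel; what separates them is PT_INTERP,
    which a main executable carries and a library does not.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum (widths differ by class).
    fmt = "HHIQQQIHHH" if ei_class == ELFCLASS64 else "HHIIIIIHHH"
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        endian + fmt, data, 16)
    # p_type is the first 32-bit word of a program header in ELF32 and ELF64.
    has_interp = any(
        struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    if e_type == ET_EXEC:
        return "ET_EXEC (non-PIE)"
    if e_type == ET_DYN:
        return "PIE" if has_interp else "ET_DYN shared object"
    return "other (e_type=%d)" % e_type


def make_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed sample (not a runnable binary): a minimal little-endian
    x86_64 ELF64 image holding only the file header and a program-header
    table, which is all classify_elf inspects."""
    phoff, phentsize = 64, 56
    e_ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, phoff,
                                 0, 0, 64, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs


# Constructed inputs: a classic dynamically linked non-PIE executable, a PIE,
# and a shared library.
SAMPLES = {
    "non-pie": make_elf64(ET_EXEC, [PT_LOAD, PT_INTERP, PT_DYNAMIC]),
    "pie": make_elf64(ET_DYN, [PT_LOAD, PT_INTERP, PT_DYNAMIC]),
    "library": make_elf64(ET_DYN, [PT_LOAD, PT_DYNAMIC]),
}

if __name__ == "__main__":
    # With paths on the command line, classify real files (e.g. /bin/ls or
    # /usr/lib64/libc.so.6); otherwise report on the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print("%s: %s" % (path, classify_elf(f.read())))
    else:
        for name, image in SAMPLES.items():
            print("%s: %s" % (name, classify_elf(image)))
```

readelf -h and readelf -l show the same e_type and PT_INTERP fields if you would rather not script it. One caveat: a static PIE (gcc -static-pie, which postdates this thread) is ET_DYN without PT_INTERP and would be reported here as a shared object; a fuller check also looks at PT_DYNAMIC and DT_FLAGS_1.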