From a0ece6c97091445921c6265ea05d628bef05c99f Mon Sep 17 00:00:00 2001 From: Otto Urpelainen Date: Sep 30 2021 16:28:29 +0000 Subject: Update PIE section Guidelines for Position Independent Executables gave the impression that PIE is opt-in. This has not been true since Harden All Packages change happened in Fedora 23. To match the fact that PIE is the default, the guidelines are updated to discuss the opt-out instead of opt-in. --- diff --git a/guidelines/modules/ROOT/pages/index.adoc b/guidelines/modules/ROOT/pages/index.adoc index dc0585c..e59e47a 100644 --- a/guidelines/modules/ROOT/pages/index.adoc +++ b/guidelines/modules/ROOT/pages/index.adoc @@ -1121,15 +1121,15 @@ There are certain, security related flags that are commonly allowed. These flags PIE adds security to executables by composing them entirely of position-independent code. Position-independent code (PIC) is machine instruction code that executes properly regardless of where in memory it resides. PIE allows Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks. -To use this in your spec, add: +In Fedora, PIE is enabled by default. To disable it in your +spec, add: .... -%global _hardened_build 1 +%undefine _hardened_build .... -This adds `+-fPIC+` (if `+-fPIE+` is not already present) to the compiler flags, and adds `+-z now+` to the linker flags. - -If your package meets any of the following criteria you MUST enable the PIE compiler flags: +If your package meets any of the following criteria you +MUST NOT disable the PIE compiler flags: * Your package is long running. This means it's likely to be started and keep running until the machine is rebooted, not start on demand and quit on idle. 
@@ -1137,18 +1137,6 @@ If your package meets any of the following criteria you MUST enable the PIE comp * Your package runs as root. -If your package meets the following criteria you should consider enabling the PIE compiler flags: - -* Your package accepts/processes untrusted input. - -FESCo maintains a https://fedoraproject.org/wiki/Hardened_Packages[list of packages] that MUST have PIE turned on. Other packages may enable the flags at the maintainer's discretion. - -There are some notable disadvantages to enabling PIE that should be considered in making the decision: - -* Some code does not compile with PIE (or does not function properly). - -* You can not use prelink on PIE enabled binaries, resulting in a slower startup time. - == Debuginfo packages Packages should produce useful `+-debuginfo+` packages, or explicitly disable them when it is not possible to generate a useful one but rpmbuild would do it anyway. Whenever a `+-debuginfo+` package is explicitly disabled, an explanation why it was done is required in the specfile. Debuginfo packages are discussed in more detail in a separate document, xref:Debuginfo.adoc[Packaging:Debuginfo].
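Review bot: in the first hunk (`@@ -1121,15 +1121,15 @@`), the sentence explaining what `_hardened_build` actually controls ("This adds `+-fPIC+` (if `+-fPIE+` is not already present) to the compiler flags, and adds `+-z now+` to the linker flags.") is deleted with no replacement, so after this change the section never says which flags the default turns on or what `%undefine _hardened_build` takes away. Suggest keeping that sentence in the new opt-out framing, for example "By default `_hardened_build` adds the PIE compiler flag and `+-z now+` to the linker flags; undefining it removes both." While restoring it, the original's `+-fPIC+` "if `+-fPIE+` is not already present" reads oddly for a PIE section and is worth checking against the actual macro. Two smaller points on the same hunk: the new text "In Fedora, PIE is enabled by default" would be more useful with the release the commit message names (Fedora 23, Harden All Packages), so readers of older branches know whether it applies to them; and "MUST NOT disable the PIE compiler flags" inherits "compiler flags" although `+-z now+` is a linker flag, so "PIE hardening" or "the hardening flags" would be more accurate.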
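Review bot: the second hunk (`@@ -1137,18 +1137,6 @@`) removes the "notable disadvantages" list, which was the only guidance on when opting out is justified, and that guidance matters more, not less, once the section describes an opt-out: a maintainer deciding whether to `%undefine _hardened_build` needs to know that "Some code does not compile with PIE (or does not function properly)" is the expected reason and that anything else is suspect. Suggest keeping that list reworded as acceptable reasons for disabling PIE (the prelink bullet can be dropped if it is considered obsolete). The same hunk also drops the FESCo https://fedoraproject.org/wiki/Hardened_Packages[list of packages] reference and the "accepts/processes untrusted input" criterion; both removals go beyond the opt-in to opt-out rewording the commit message describes, so either fold the untrusted-input case into the MUST NOT list above it, or state in the commit message why the list and the criterion no longer apply.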