#6049 Long running packages in F21 that 'MUST enable the PIE compiler flags'
Closed: Duplicate None Opened 5 years ago by moezroy.

Here https://fedoraproject.org/wiki/Packaging:Guidelines#PIE it says

If your package meets any of the following criteria you MUST enable the PIE compiler flags:
Your package is long running. This means it's likely to be started and kept running until the machine is rebooted...

{{{
[root@localhost liveuser]# checksec --proc-all | grep "No PIE"
Xorg.bin 1037 Partial RELRO Canary found NX enabled No PIE
gnome-session 1227 Partial RELRO Canary found NX enabled No PIE
at-spi-bus-laun 1300 Partial RELRO Canary found NX enabled No PIE
at-spi2-registr 1308 Partial RELRO Canary found NX enabled No PIE
gvfsd 1318 Partial RELRO Canary found NX enabled No PIE
gvfsd-fuse 1322 Partial RELRO Canary found NX enabled No PIE
gnome-settings- 1339 Partial RELRO Canary found NX enabled No PIE
gnome-keyring-d 1344 Partial RELRO Canary found NX enabled No PIE
gnome-shell 1455 Partial RELRO Canary found NX enabled No PIE
gsd-printer 1486 Partial RELRO Canary found NX enabled No PIE
dconf-service 1504 Partial RELRO Canary found NX enabled No PIE
gnome-shell-cal 1514 Partial RELRO Canary found NX enabled No PIE
evolution-sourc 1520 Partial RELRO Canary found NX enabled No PIE
goa-daemon 1526 Partial RELRO Canary found NX enabled No PIE
ibus-daemon 1530 Partial RELRO Canary found NX enabled No PIE
mission-control 1534 Partial RELRO Canary found NX enabled No PIE
ibus-dconf 1541 Partial RELRO Canary found NX enabled No PIE
ibus-x11 1543 Partial RELRO Canary found NX enabled No PIE
caribou 1571 Partial RELRO Canary found NX enabled No PIE
gvfs-udisks2-vo 1586 Partial RELRO Canary found NX enabled No PIE
gvfs-afc-volume 1594 Partial RELRO Canary found NX enabled No PIE
gvfs-mtp-volume 1600 Partial RELRO Canary found NX enabled No PIE
gvfs-gphoto2-vo 1605 Partial RELRO Canary found NX enabled No PIE
gvfs-goa-volume 1610 Partial RELRO Canary found NX enabled No PIE
evolution-alarm 1662 Partial RELRO Canary found NX enabled No PIE
tracker-miner-a 1665 Partial RELRO Canary found NX enabled No PIE
tracker-store 1670 Partial RELRO Canary found NX enabled No PIE
seapplet 1671 Partial RELRO Canary found NX enabled No PIE
tracker-extract 1676 Partial RELRO Canary found NX enabled No PIE
tracker-miner-u 1680 Partial RELRO Canary found NX enabled No PIE
gnome-software 1681 Partial RELRO Canary found NX enabled No PIE
tracker-miner-f 1683 Partial RELRO Canary found NX enabled No PIE
evolution-calen 1710 Partial RELRO Canary found NX enabled No PIE
ibus-engine-sim 1740 Partial RELRO No canary found NX enabled No PIE
gnome-terminal- 1870 Partial RELRO Canary found NX enabled No PIE
gconfd-2 1876 Partial RELRO Canary found NX enabled No PIE
bash 1879 Partial RELRO Canary found NX enabled No PIE
bash 1910 Partial RELRO Canary found NX enabled No PIE
firefox 5931 Partial RELRO Canary found NX enabled No PIE
gvfsd-metadata 6054 Partial RELRO Canary found NX enabled No PIE
oosplash 6140 Partial RELRO Canary found NX enabled No PIE
gvfsd-burn 6166 Partial RELRO Canary found NX enabled No PIE
soffice.bin 6227 Partial RELRO No canary found NX enabled No PIE
evince 6278 Partial RELRO Canary found NX enabled No PIE
gvfsd-trash 6296 Partial RELRO Canary found NX enabled No PIE
nautilus 6319 Partial RELRO Canary found NX enabled No PIE
bash 6339 Partial RELRO Canary found NX enabled No PIE
python 6366 Partial RELRO No canary found NX enabled No PIE
sedispatch 678 Partial RELRO Canary found NX enabled No PIE
firewalld 722 Partial RELRO No canary found NX enabled No PIE
mcelog 728 Partial RELRO Canary found NX enabled No PIE
grep 8620 Partial RELRO Canary found NX enabled No PIE
[root@localhost liveuser]#
}}}

The above packages don't seem to have PIE enabled.

Can someone from releng enable hardening on as many "Long running packages" as possible before the next F21 Release Candidate?

I am thinking probably a script that adds "%global _hardened_build 1" to the start of the spec file?
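The `checksec --proc-all` listing above comes down to one property of each process's main executable: a PIE is linked as an ET_DYN object that the kernel can load at a random base, while a conventional executable is ET_EXEC with a fixed link address. As an added example, not part of this ticket, of checksec, or of Fedora's packaging tooling, the POSIX shell script below reads that field straight out of the ELF header with `od`, so it also runs on a minimal system without `readelf`. The function and file names are my own, and the two sample ELF headers it builds for its demo run are constructed inputs (64-byte headers only, not loadable programs).

```shell
#!/bin/sh
# Added example (my own code, not from this ticket or from checksec):
# report whether an ELF executable is position-independent by reading
# e_type from its header with od(1), the same property checksec reports
# in its "PIE" column. Function names are hypothetical.

# pie_status FILE -> prints "PIE", "No PIE", or "not ELF"; non-zero on error.
pie_status() {
    f=$1
    # Bytes 0-3 must be the ELF magic 0x7f 'E' 'L' 'F'.
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not ELF"; return 1; }
    # EI_DATA (byte 5) gives the byte order of the multi-byte header fields.
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type is the 2-byte field at offset 16: ET_EXEC = 2, ET_DYN = 3.
    raw=$(od -An -tx1 -j16 -N2 "$f" | tr -d ' \n')
    case $data in
        01) etype=${raw#??}${raw%??} ;;   # little-endian: swap the two bytes
        02) etype=$raw ;;                 # big-endian: already in reading order
        *)  echo "bad EI_DATA $data"; return 1 ;;
    esac
    case $etype in
        0003) echo "PIE" ;;      # ET_DYN: loadable at a random base, so ASLR covers the image
        0002) echo "No PIE" ;;   # ET_EXEC: fixed link address, image is never randomised
        *)    echo "unknown e_type $etype"; return 1 ;;
    esac
}

# scan_procs -> one line "PID COMM PATH" per running process whose main
# executable is not PIE, the equivalent of `checksec --proc-all | grep "No PIE"`.
# Needs root to inspect other users' processes; kernel threads have no exe link.
scan_procs() {
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}; pid=${pid%/exe}
        target=$(readlink "$exe" 2>/dev/null) || continue
        if [ "$(pie_status "$exe" 2>/dev/null)" = "No PIE" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm")" "$target"
        fi
    done
    return 0
}

# make_sample_elf FILE ETYPE_OCTAL -> writes a constructed 64-byte ELF64
# little-endian header (header only, not a runnable program) with the given
# e_type, e.g. '\003' for ET_DYN or '\002' for ET_EXEC. Sample input for the demo.
make_sample_elf() {
    {
        printf '\177ELF\002\001\001\000'            # magic, ELFCLASS64, LE, EV_CURRENT, SYSV ABI
        printf '\000\000\000\000\000\000\000\000'   # EI_PAD
        printf "$2"'\000'                           # e_type, little-endian
        printf '\076\000'                           # e_machine = EM_X86_64
        printf '\001\000\000\000'                   # e_version
        dd if=/dev/zero bs=1 count=40 2>/dev/null   # remaining header fields, zeroed
    } > "$1"
}

# Usage:  sh pie_check.sh --proc-all      scan running processes (run as root)
#         sh pie_check.sh FILE...         classify the given binaries
#         sh pie_check.sh                 run against the two constructed samples
case ${1:-} in
    --proc-all) scan_procs ;;
    "")  tmp=$(mktemp -d)
         make_sample_elf "$tmp/pie.elf" '\003'
         make_sample_elf "$tmp/nopie.elf" '\002'
         for f in "$tmp/pie.elf" "$tmp/nopie.elf"; do
             printf '%s\t%s\n' "${f##*/}" "$(pie_status "$f")"
         done
         rm -rf "$tmp" ;;
    *)   for f in "$@"; do printf '%s\t%s\n' "$f" "$(pie_status "$f")"; done ;;
esac
```

Run it as root with `--proc-all` to reproduce the list above; the second column comes from `/proc/PID/comm`, which the kernel truncates to 15 characters, which is why names like `at-spi-bus-laun` appear in the checksec output. Two caveats when using this to verify a rebuilt package: ET_DYN only tells you the main executable is relocatable (it says nothing about the RELRO column or about the libraries mapped into the process), and a binary that is a shared object rather than a program is ET_DYN too, so cross-check with `readelf -h` (Type: DYN) and `readelf -d` on the installed file.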


It is really too late in the Fedora 21 cycle for this kind of change. We should look at doing something for Fedora 22/rawhide at this point in time.

I'd also argue this isn't a releng task, but something for FESCo and delegates, it's their policy after all.

Replying to [comment:2 rdieter]:

I'd also argue this isn't a releng task, but something for FESCo and delegates, it's their policy after all.

I agree.

I created a change proposal for this:
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

If someone wants to back this up or help, please add yourself to the proposal owners. There is nothing more to do here in rel-eng afaics.

Metadata Update from @moezroy:
- Issue set to the milestone: Fedora 20 Final

2 years ago

