Steve Grubb wrote:
> This is not the policy that I asked for.

Well, what Ajax described isn't a policy at all. It's a set of RPM macros designed to make it easier to follow the (soon to be) policy. RPM macros can't enforce the policy. Enforcement must be done elsewhere.

> When you make a PIE executable,
> you get ASLR which is good. But the way it does that is making a weakness
> in the executable for the relocations. It causes a new segment to be
> writable. So, you need full relro support when you do PIE to cover that
> new weakness.

As far as I can see that is what the new RPM macros do, provided that the configuration script supports both CFLAGS/CXXFLAGS/FFLAGS and LDFLAGS, or that the spec file inserts %{optflags} and %{__global_ldflags} in the right places. If you think the macros do something wrong, it might help if you point out where the error is.

> What we want is this:
> 1) Everything is compiled with partial relro. Libraries, executables,
> daemons, setuid/setgid/setcap apps.

Everything will be, if LDFLAGS or __global_ldflags is used correctly. The current policy already requires that "the applicable compiler flags set in the system rpm configuration" be honored. If we want to be pedantic we should perhaps change that to "compiler and linker flags".

> 2) Anything that is setgid/setuid/setcap/daemon also include the "now"
> flags and is PIE.

https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags mentions daemons, suid and capabilities, so you want to add setgid to that, correct? Do you also mean that you want "should consider enabling" changed to "must enable"?

> 3) Anything that is parsing data from untrusted sources should also have
> full relro/pie. That would be things like tcpdump/wireshark/firefox/evince
> /file/netpbm etc.

I believe that's what the "FESCo list side" on https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags attempts to address. The etc is the hard part of course.

> 4) Anything that has pie, should also have full relro, therefore we
> need to double check anything with PIE to make sure it's really a good idea.

Detecting programs that have been built with PIE but without -z now is obviously beyond the scope of the _hardened_build macro, but your rpm-chksec sounds like a good tool.

> I sent an email to the fedora-test list last week announcing a program that
> can check any package or the whole distribution for compliance with this
> policy with the exception of rule #3 above. No idea how to make a heuristic
> for that. The program is located here:
>
> http://people.redhat.com/sgrubb/files/rpm-chksec

Perhaps that could be invoked automatically each time a package is built, similarly to how /usr/lib/rpm/check-rpaths is used?

Björn Persson
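Added example, not code from this thread or from rpm-chksec: a small Python checker that reads an ELF64 image's program headers and dynamic section for the three properties the thread argues about, PIE (ET_DYN), partial RELRO (a PT_GNU_RELRO segment) and -z now (the BIND_NOW flags), and then applies the four rules quoted above. The function names, the `privileged` parameter and `build_sample_elf` (which constructs a minimal, non-loadable ELF image purely so the checker can be run offline) are my own assumptions.

```python
import struct
# ELF/glibc ABI constants; header, program-header and dynamic-entry layouts (ELF64 LE)
ET_EXEC, ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 24, 30, 0x6FFFFFFB, 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def check_hardening(data):
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro, now, dyn_off, dyn_size = False, False, 0, 0
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:   # -z relro: a segment made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_off, p_filesz
    for off in range(dyn_off, dyn_off + dyn_size, 16):   # empty range if there is no PT_DYNAMIC
        tag, val = struct.unpack_from(DYN, data, off)
        if tag == DT_NULL:
            break
        # -z now shows up as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            now = True
    # ET_DYN means PIE for an executable (libraries are ET_DYN too; a real tool must tell them apart)
    return {"pie": e_type == ET_DYN, "relro": relro, "now": now, "full_relro": relro and now}

def policy_verdict(flags, privileged=False):
    """Thread's rules: partial RELRO everywhere; PIE and -z now for setuid/setgid/setcap/daemons; PIE implies full RELRO."""
    problems = []
    if not flags["relro"]:
        problems.append("missing partial RELRO (-z relro)")
    if privileged and not flags["pie"]:
        problems.append("privileged program is not PIE")
    if (privileged or flags["pie"]) and not flags["now"]:
        problems.append("missing -z now (PIE or privileged program without full RELRO)")
    return "ok" if not problems else "; ".join(problems)

def build_sample_elf(pie, relro, now):
    """Constructed minimal ELF64 image (headers and dynamic section only, not loadable) for testing."""
    dyn = (struct.pack(DYN, DT_FLAGS_1, DF_1_NOW) if now else b"") + struct.pack(DYN, DT_NULL, 0)
    phnum, ident = (2 if relro else 1), b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    dyn_off = 64 + 56 * phnum   # dynamic section follows the program header table
    hdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    return hdr + phdrs + dyn
```

On a real system, feed `check_hardening` the bytes of an installed executable (open it with `"rb"`) and compare against `readelf -h`, `readelf -l` and `readelf -d`.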
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel