Re: Expanding the list of "Hardened Packages"

On 03/29/2013 09:38 AM, Dhiru Kholia wrote:

> A lot of network daemons are already using PIE and RELRO (e.g. httpd,
> MariaDB). So a natural question is why packages in the same "network
> daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
> hardened?
> Some of the ways to implement this proposal are,
> 
> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively more risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).
> 
> "Packaging Guidelines" say that "Other packages may enable the flags at
> the maintainer's discretion."
> 
> Thinking from a security perspective, I find "Hardening flags can only
> be disabled for other packages at the maintainer's discretion provided
> enough justification is given to FESCo" to be more appropriate.

-fPIE code is larger and takes longer to execute.  The cost varies from
minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686.
-fPIE for Thumb mode on ARM is particularly painful.

RELRO can cost one extra page of physical RAM per process because the placement
of the RELRO region tends to increase fragmentation and decrease sharability.

I suggest that any requirement for increased hardening be restricted to only
those programs which execute with elevated privileges.  The package maintainer
should retain primary discretion for anything which executes with "ordinary"
user privileges.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
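
For auditing which binaries in a package actually carry the PIE and RELRO hardening discussed in this thread, here is an added example that is not part of the original message or of any Fedora tooling. The names `hardening` and `sample` are hypothetical, only little-endian ELF64 is handled, and the test images are constructed in memory rather than taken from a real package.

```python
import struct

# Constants from the ELF gABI and GNU extensions (elf.h).
ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = interp = bind_now = pie_flag = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        relro |= p_type == PT_GNU_RELRO
        interp |= p_type == PT_INTERP
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            bind_now |= tag == DT_BIND_NOW
            bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
            pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # ET_DYN alone also matches shared libraries, so require an interpreter
    # or the linker's explicit DF_1_PIE marker.
    pie = e_type == ET_DYN and (interp or pie_flag)
    level = "none" if not relro else ("full" if bind_now else "partial")
    return {"pie": pie, "relro": level}

def sample(e_type, extra_ptypes, dyn):
    """Constructed ELF64 image (header, program headers, dynamic table)."""
    ptypes = list(extra_ptypes) + [PT_DYNAMIC]
    dyn_off = 64 + 56 * len(ptypes)
    table = b"".join(struct.pack("<qQ", t, v) for t, v in list(dyn) + [(DT_NULL, 0)])
    out = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    for t in ptypes:  # only PT_DYNAMIC needs a real offset and size
        size = len(table) if t == PT_DYNAMIC else 0
        out += struct.pack("<IIQQQQQQ", t, 4, dyn_off, dyn_off, dyn_off, size, size, 8)
    return out + table
```

To check a file on disk, pass its contents: `hardening(open(path, "rb").read())`. "partial" means a PT_GNU_RELRO segment without immediate binding, "full" means RELRO together with BIND_NOW.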




