On Sun, Mar 31, 2013 at 01:09:36AM +0100, Kevin Kofler wrote:
> Dhiru Kholia wrote:
> > Any feedback is welcome!
>
> My proposal: build ALL packages in Fedora with not only -fPIE and RELRO, but
> also -fstack-protector-all (which is not included in the current hardened
> cflags). Also get rid of prelink which reduces the effectiveness of ASLR.
> Then drop SELinux which becomes obsolete if the executables cannot be
> exploited in the first place. (It only papers over the real problem.)

I know you're trolling here, but there are some misconceptions that
should be corrected:

(1) -fstack-protector{,-all} doesn't implement full bounds checking
for every C object.

(2) SELinux controls what labelled resources a process can access.
This covers far more than buffer overflows in C programs. It covers
other programming languages, design flaws and implementation
'thinko's of all sorts.

I would argue (separate from this) that it's good to define precisely
what resources a program can access, rather than the default "access
just about everything".

However prelink does reduce the effectiveness of ASLR (a bit). See
http://lwn.net/Articles/341440/ and follow-up conversation.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
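Point (1) in the reply above, as an added example that is not part of the original message: a length check against the wrong bound lets a copy overrun one struct field into its neighbour, and because the write never leaves the object it never touches the stack canary, so the result is the same with or without -fstack-protector-all. The `session` struct, the function names and the input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed buffer followed by a privilege flag. */
struct session {
    char name[8];
    int  is_admin;
};

/* Flawed: bounds the copy by the whole struct instead of the name field. */
int load_name_flawed(struct session *s, const char *src, size_t len)
{
    if (len > sizeof(*s))
        return -1;
    /* The write stays inside *s, so it never reaches the stack canary. */
    memcpy((char *)s + offsetof(struct session, name), src, len);
    return 0;
}

/* Corrected: bounds the copy by the destination field, leaving room for NUL. */
int load_name_checked(struct session *s, const char *src, size_t len)
{
    if (len >= sizeof(s->name))
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Feed an oversized constructed input through a loader; return is_admin. */
int admin_after(int (*load)(struct session *, const char *, size_t))
{
    struct session s = { "", 0 };
    char input[sizeof(struct session)];
    memset(input, 'A', sizeof(input));   /* constructed sample input */
    load(&s, input, sizeof(input));
    return s.is_admin;
}

int main(void)
{
    printf("flawed:  is_admin=%#x\n", (unsigned)admin_after(load_name_flawed));
    printf("checked: is_admin=%#x\n", (unsigned)admin_after(load_name_checked));
    return 0;
}
```

The flawed loader returns normally with `is_admin` overwritten; the checked loader rejects the input and leaves the flag at 0.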