Re: Expanding the list of "Hardened Packages"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Sun, Mar 31, 2013 at 5:11 PM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
On Sun, Mar 31, 2013 at 01:09:36AM +0100, Kevin Kofler wrote:
> Dhiru Kholia wrote:
> > Any feedback is welcome!
>
> My proposal: build ALL packages in Fedora with not only -fPIE and RELRO, but
> also -fstack-protector-all (which is not included in the current hardened
> cflags). Also get rid of prelink which reduces the effectiveness of ASLR.
> Then drop SELinux which becomes obsolete if the executables cannot be
> exploited in the first place. (It only papers over the real problem.)

I know you're trolling here, but there are some misconceptions that
should be corrected:

(1) -fstack-protector{,-all} doesn't implement full bounds checking
for every C object.

(2) SELinux controls what labelled resources a process can access.
This covers far more than buffer overflows in C programs.  It covers
other programming languages, design flaws and implementation 'thinko's
of all sorts.  I would argue (separate from this) that it's good to
define precisely what resources a program can access, rather than the
default "access just about everything".

However prelink does reduce the effectiveness of ASLR (a bit).  See
http://lwn.net/Articles/341440/ and follow-up conversation.

Probably something had changed in the last years. I have posted the same question, or related, some time ago
http://www.redhat.com/archives/rhl-devel-list/2009-July/msg00674.html
 

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux