Re: F22 System Wide Change: Harden all packages with position-independent code

Moez Roy <moez.roy@xxxxxxxxx> · Wed, 7 Jan 2015 13:17:36 -0800

I originally made a request to rel-eng here:
https://fedorahosted.org/rel-eng/ticket/6049 -

Long running packages in F21 that 'MUST enable the PIE compiler flags'

Here https://fedoraproject.org/wiki/Packaging:Guidelines#PIE it says

If your package meets any of the following criteria you MUST enable
the PIE compiler flags: Your package is long running. This means it's
likely to be started and kept running until the machine is rebooted...

[root@localhost liveuser]# checksec --proc-all | grep "No PIE"
        Xorg.bin   1037 Partial RELRO     Canary found           NX
enabled    No PIE
   gnome-session   1227 Partial RELRO     Canary found           NX
enabled    No PIE
 at-spi-bus-laun   1300 Partial RELRO     Canary found           NX
enabled    No PIE
 at-spi2-registr   1308 Partial RELRO     Canary found           NX
enabled    No PIE
           gvfsd   1318 Partial RELRO     Canary found           NX
enabled    No PIE
      gvfsd-fuse   1322 Partial RELRO     Canary found           NX
enabled    No PIE
 gnome-settings-   1339 Partial RELRO     Canary found           NX
enabled    No PIE
 gnome-keyring-d   1344 Partial RELRO     Canary found           NX
enabled    No PIE
     gnome-shell   1455 Partial RELRO     Canary found           NX
enabled    No PIE
     gsd-printer   1486 Partial RELRO     Canary found           NX
enabled    No PIE
   dconf-service   1504 Partial RELRO     Canary found           NX
enabled    No PIE
 gnome-shell-cal   1514 Partial RELRO     Canary found           NX
enabled    No PIE
 evolution-sourc   1520 Partial RELRO     Canary found           NX
enabled    No PIE
      goa-daemon   1526 Partial RELRO     Canary found           NX
enabled    No PIE
     ibus-daemon   1530 Partial RELRO     Canary found           NX
enabled    No PIE
 mission-control   1534 Partial RELRO     Canary found           NX
enabled    No PIE
      ibus-dconf   1541 Partial RELRO     Canary found           NX
enabled    No PIE
        ibus-x11   1543 Partial RELRO     Canary found           NX
enabled    No PIE
         caribou   1571 Partial RELRO     Canary found           NX
enabled    No PIE
 gvfs-udisks2-vo   1586 Partial RELRO     Canary found           NX
enabled    No PIE
 gvfs-afc-volume   1594 Partial RELRO     Canary found           NX
enabled    No PIE
 gvfs-mtp-volume   1600 Partial RELRO     Canary found           NX
enabled    No PIE
 gvfs-gphoto2-vo   1605 Partial RELRO     Canary found           NX
enabled    No PIE
 gvfs-goa-volume   1610 Partial RELRO     Canary found           NX
enabled    No PIE
 evolution-alarm   1662 Partial RELRO     Canary found           NX
enabled    No PIE
 tracker-miner-a   1665 Partial RELRO     Canary found           NX
enabled    No PIE
   tracker-store   1670 Partial RELRO     Canary found           NX
enabled    No PIE
        seapplet   1671 Partial RELRO     Canary found           NX
enabled    No PIE
 tracker-extract   1676 Partial RELRO     Canary found           NX
enabled    No PIE
 tracker-miner-u   1680 Partial RELRO     Canary found           NX
enabled    No PIE
  gnome-software   1681 Partial RELRO     Canary found           NX
enabled    No PIE
 tracker-miner-f   1683 Partial RELRO     Canary found           NX
enabled    No PIE
 evolution-calen   1710 Partial RELRO     Canary found           NX
enabled    No PIE
 ibus-engine-sim   1740 Partial RELRO     No canary found        NX
enabled    No PIE
 gnome-terminal-   1870 Partial RELRO     Canary found           NX
enabled    No PIE
        gconfd-2   1876 Partial RELRO     Canary found           NX
enabled    No PIE
            bash   1879 Partial RELRO     Canary found           NX
enabled    No PIE
            bash   1910 Partial RELRO     Canary found           NX
enabled    No PIE
         firefox   5931 Partial RELRO     Canary found           NX
enabled    No PIE
  gvfsd-metadata   6054 Partial RELRO     Canary found           NX
enabled    No PIE
        oosplash   6140 Partial RELRO     Canary found           NX
enabled    No PIE
      gvfsd-burn   6166 Partial RELRO     Canary found           NX
enabled    No PIE
     soffice.bin   6227 Partial RELRO     No canary found        NX
enabled    No PIE
          evince   6278 Partial RELRO     Canary found           NX
enabled    No PIE
     gvfsd-trash   6296 Partial RELRO     Canary found           NX
enabled    No PIE
        nautilus   6319 Partial RELRO     Canary found           NX
enabled    No PIE
            bash   6339 Partial RELRO     Canary found           NX
enabled    No PIE
          python   6366 Partial RELRO     No canary found        NX
enabled    No PIE
      sedispatch    678 Partial RELRO     Canary found           NX
enabled    No PIE
       firewalld    722 Partial RELRO     No canary found        NX
enabled    No PIE
          mcelog    728 Partial RELRO     Canary found           NX
enabled    No PIE
            grep   8620 Partial RELRO     Canary found           NX
enabled    No PIE
[root@localhost liveuser]#

The above packages don't seem to have PIE enabled.

Can someone from releng enable hardening on as many "Long running
packages" as possible before the next F21 Release Candidate.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct