Harden all packages with position-independent code
Harden all packages with position-independent code to limit the damage from certain security vulnerabilities. You can compare the security by running the following as root:
yum install checksec checksec --proc-all
- Targeted release:
Fedora 22Fedora 23
- Last updated: 2015-02-12
- Tracker bug: Build failures tracker bug
Currently, the Packaging Guidelines allow maintainers to decide whether their packages use position-independent code (PIC). There are rules that say that a lot of packages should use PIC, but in reality a lot of packages do not use PIC even if they must. Also since a lot of packages if not all potentially process untrusted input, it makes sense for these packages to use PIC to enhance the security of Fedora. Therefore I propose to build all packages with PIC by changing RPM to use the appropriate flags by default.
Implementation (done): Change line 130 in redhat-rpm-config macros from #_hardened_build 0 to %_hardened_build 1
- https://fedorahosted.org/fesco/ticket/1113 (older attempt with many references)
- There should be several mails about this on the devel list
- Build failures tracker bug
Detailed Harden Flags Description
+ -z now
Benefit to Fedora
Packages in Fedora will be more secure than in other distributions or packages provided by upstream. Therefore our users less likely become victims of attacks. Fedora will use more state-of-the-art security mechanisms to fulfill its first and features foundations.
- Proposal owners:
Help writing the new packaging guidelines.
- Other developers:
Change the rpm macros to build packages by default with PIC/PIE flags (i.e. set _hardened_package to 1 by default). Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1192183
- Release engineering:
Do a mass rebuild for all arch packages
- Policies and guidelines:
Adjust the Packaging Guidelines to allow non-PIC packages only if the package is not working otherwise and require a tracker bug similar to packages not working on certain archs. Update the Guidelines to reflect the new defaults.
This should not cause problems with upgrades.
How To Test
- Running checksec should always report only
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH
otherwise a tracking bug should exist for the respective packages. All packages need to be tested as usual for normal behaviour.
Fedora users might notice less sucessful attacks on their systems.
The rpm macros for Fedora need to be adjusted. Prelink might be retired.
- Contingency mechanism: Rebuild packages only that do not work because of this without PIC.
- More Details: Rel-Eng will add '%undefine _hardened_build' to the top of the spec file for packages that fail to build.
- Contingency deadline: beta freeze
- Blocks release? No
The current packaging guidelines can be consulted.
Fedora now hardens as much packages as possible with position-independent code to reduce the impact of certain potential security vulnerabilities.