In the last week I've been trying to figure out how many packages conform to the new Harden All Packages policy in Fedora!
From 46884 RPMs, 17385 are 'x86_64' meaning they may contain ELF objects.
From them 4489 are reported as failed checksec.
What you should see as the output from checksec is
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH
Full RELRO Canary found NX enabled DSO No RPATH No RUNPATH
The first line is for binaries, the second one for libraries b/c
DSOs on x86_64 are always position-independent. Some RPATHs are acceptable,
e.g. %{_libdir}/foo/ and I've tried to exclude them unless
other offenses are found. The script which does this is
checksec-collect.
Most often I'm seeing Partial RELRO, No canary found and No PIE errors. Since all packages potentially process untrusted input, it makes sense for all of them to be hardened and enhance the security of Fedora. That's why all of these errors should be considered valid bugs.
Attn package maintainers
Please see if your package is in the list and try to fix it or let me know why it should be excluded, for example it's a boot loader and doesn't function properly with hardening enabled. The full list is available at GitHub.
For more information about the different protection mechanisms see the following links:
- Partial vs Full RELRO
- Stack canaries
- NX memory protection
- Position Independent Executables
- RPATH
- RUNPATH
UPDATE 2015-09-17
I've posted my findings on fedora-devel and the comments are more than interesting even revealing an old bug in libtool.
Comments !