On Tue, Sep 27, 2011 at 06:01:54PM -0700, Kees Cook wrote:
> On Fri, Sep 23, 2011 at 08:17:54AM +0200, Raphael Hertzog wrote:
> > Two hardening features are not enabled by default: PIE and bindnow.
> > If your package supports PIE, you might want to consider enabling it.
> > If the binaries are long running processes like daemons, and as such
> > the startup performance penalty of “bindnow” is acceptable, it might
> > be a good idea to enable it too but only if relro is in effect,
> > although another option might be to just define LD_BIND_NOW=1 on the
> > daemon's environment (for example in the init.d script), in which case
> > the sysadmin can always disable it, something that's not possible with
> > the build option.
>
> Just to be explicit, PIE tends to have small (<1%) performance hits on
> register-starved architectures (i386) in most cases; for certain
> workloads (e.g. python) the hit is large (~15%). On architectures with
> plenty of registers (amd64) there's virtually no measurable performance
> hit that I've seen.
By the way – and please pardon me if it is a too naive question – does this
recommendation of building packages with PIE when possible make obsolete the
recommendation of Policy's §10.2 to not build static libraries with -fPIC?

http://www.debian.org/doc/debian-policy/ch-files.html#s-libraries

Have a nice day,

--
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20110928214129.ge9...@merveille.plessy.net