I agree with Mitch, and also hardening with -fPIE has no performance cost, so why not :) ?
> Date: Tue, 28 Feb 2012 12:07:57 -0600 > From: [email protected] > To: [email protected] > Subject: [sabayon-dev] Hardening in Sabayon > > Now is a good time to try to implement some hardened features in Sabayon. > > Since hardening has the potential to break some applications, Sabayon > will want to approach the issue incrementally. Some of the first > steps may just be to lay the groundwork, and not really provide any > significant security enhancements. > > "Hardening" is a very broad topic, with many overlapping subtopics. > Right now, there are a handful of show-stoppers that would probably > prevent Sabayon from implementing across-the-board hardening (not the > least of which is a lack of consensus as to what would constitute a > fully hardened Desktop system). But, over time, I expect the blockers > to gradually support hardening. > > Linux server applications are much further along in supporting > hardening than the Linux Desktop world. So since Sabayon is heavily > invested in the Desktop area of Linux, we'll need to be careful how we > proceed. > > It would be counter-productive for me to provide a tutorial on > hardening. But, here's a few links I've found helpful. > > http://www.gentoo.org/proj/en/hardened/ > > http://blog.flameeyes.eu/2009/11/02/the-pie-is-not-exactly-a-lie > > I found flameeye's blog very enlightening for someone who is just > trying to get their head around hardening. > > Sabayon will probably wait on implementing the hardened patches in > Gentoo's hardened kernel. But, there are some really interesting > capabilities bundled into the Gentoo hardened kernel, and we will > certainly want to evaluate what can be implemented (or perhaps when). > > Our initial focus will probably be on building a subset of > applications with PIE. This is a topic that has recently been active. > And the ASLR that is already in the kernel should work "well-enough" > with binaries built with PIE. > > Supporting PaX/NX will probably take longer. > > Since there are several sub-topics to discuss, I'm going to cut this > post off here, and try to keep the messages to being only slightly > long. I'll get into some of the sub-topics in separate posts. >
