On Mon, Dec 02, 2013 at 12:14:07PM +0100, Petr Viktorin wrote:
> On 11/27/2013 02:50 PM, Martin Kosek wrote:
> >On 11/27/2013 02:26 PM, Jan Cholasta wrote:
> >>Hi,
> >>
> >>the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
>
> This fixes points 2) & 3) in the ticket; point 1) is not applicable;
> 4) are false positives.
>
> The checks mentioned in the ticket pass.
>
> $ hardening-check --color --verbose /usr/libexec/ipa-otpd
> /usr/libexec/ipa-otpd:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>      unprotected: gethostname
>      unprotected: read
>      protected: vfprintf
>      protected: asprintf
>      protected: memcpy
>      protected: fprintf
>  Read-only relocations: yes
>  Immediate binding: yes
> pviktori@vm-183:~/freeipa{master}16e60f7$ readelf -d /usr/libexec/ipa-otpd | grep BIND_NOW
>  0x0000000000000018 (BIND_NOW)
> pviktori@vm-183:~/freeipa{master}16e60f7$ readelf -h /usr/libexec/ipa-otpd | grep Type
>   Type:                              DYN (Shared object file)
>
> (Note, redhat-rpm-config is part of Fedora's minimal build environment:
> https://fedoraproject.org/wiki/Packaging:Guidelines#Exceptions_2)
>
> >>Honza
> >
> >Do we want to define
> >
> >+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> >+%define _hardened_build 1
> >+%endif
> >
> >globally? Wouldn't it trigger the hardening also for all our C utilities or
> >internal SLAPI plugins? Wouldn't it have performance implications for the
> >SLAPI plugins?
> >
> >I am not sure, I would like to hear what the experts say.
> >
> >Martin
>
> On 11/27/2013 03:37 PM, Jakub Hrozek wrote:
> > I'm sorry, I removed Martin's e-mail by accident so I'll reply here. I
> > think defining the hardened build globally is fine, the only performance
> > impact is during startup and only small.
> >
> > AFAIR, the C utilities in IPA are mostly daemons and you really want to
> > have full RELRO enabled there.
> >
> > The only gotcha we found so far (well, Nalin did) was that SELinux was
> > not happy with full RELRO on some exotic architectures, like s390x
>
> Is that a SELinux bug?

I'm not actually sure, as I said, Nalin worked on this bugzilla. FWIW, I
never saw any problems with hardened builds of SSSD or any other package
I'm involved with.

> Should we care about it?

I think that such a change in build flags warrants at least basic smoke
testing on all architectures.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
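The checker below is an added example, not part of the patches or of FreeIPA, that reproduces the three relocation-related checks Petr ran above (PIE, read-only relocations, immediate binding) by reading the ELF64 headers directly instead of shelling out to hardening-check or readelf. The 0x18 tag in the readelf output is DT_BIND_NOW; the checker also accepts the DT_FLAGS/DF_BIND_NOW and DT_FLAGS_1/DF_1_NOW forms that linkers emit for `-z now`, and reports "full RELRO" only when a GNU_RELRO segment and immediate binding are both present. The stack-protector and FORTIFY checks need symbol-table parsing and are left out. build_test_elf() assembles a constructed, non-loadable fixture so the script runs offline; the file path argument is whatever binary you want to inspect (e.g. /usr/libexec/ipa-otpd).

```python
"""Report PIE / GNU_RELRO / BIND_NOW for a little-endian ELF64 image.
Full RELRO means both a GNU_RELRO segment and immediate binding."""
import struct
import sys

# ELF constants as defined in elf.h
ET_EXEC = 2
ET_DYN = 3                  # readelf -h shows "DYN (Shared object file)"; PIE executables are ET_DYN
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24            # 0x18, the tag shown as "(BIND_NOW)" by readelf -d
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR_SIZE = 64
PHDR_SIZE = 56
DYN_ENTRY_SIZE = 16


def check_elf_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now', 'full_relro'} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = False
    bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz (first 40 bytes of the phdr)
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the .dynamic array (d_tag, d_val pairs) until DT_NULL
            for j in range(0, p_filesz, DYN_ENTRY_SIZE):
                d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                    bind_now = True
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}


def build_test_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed fixture: a minimal ELF64 image holding only the headers the
    checker reads (ELF header, PT_DYNAMIC, optional PT_GNU_RELRO, .dynamic).
    It is not a loadable binary; it exists so the example runs offline."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = EHDR_SIZE + PHDR_SIZE * phnum

    def phdr(p_type: int) -> bytes:
        # p_type, p_flags=PF_R, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        return struct.pack("<IIQQQQQQ", p_type, 4, dyn_off, dyn_off, dyn_off,
                           len(dyn), len(dyn), 8)

    phdrs = phdr(PT_DYNAMIC) + (phdr(PT_GNU_RELRO) if relro else b"")
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1, SysV ABI
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0,        # e_type, e_machine (x86-64), e_version, e_entry
        EHDR_SIZE, 0, 0,                             # e_phoff, e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)       # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ehdr + phdrs + dyn


def report(path: str) -> str:
    """hardening-check style yes/no lines for the binary at path."""
    with open(path, "rb") as f:
        result = check_elf_hardening(f.read())
    return "\n".join(f" {k}: {'yes' if v else 'no'}" for k, v in result.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. python3 elf_hardening.py /usr/libexec/ipa-otpd
        for path in sys.argv[1:]:
            print(f"{path}:\n{report(path)}")
    else:                                 # no argument: exercise the constructed fixtures
        for flags in ((True, True, True), (True, True, False), (False, False, False)):
            print(flags, check_elf_hardening(build_test_elf(*flags)))
```

A binary built with PIE but only `-z relro` (partial RELRO) comes back with relro=True and bind_now=False: the GOT is writable until lazy resolution finishes, which is exactly the gap full RELRO closes for the daemons Jakub mentions.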