[libvirt] [PATCH 0/2] Improve security hardening of binaries
Daniel P. Berrange
berrange at redhat.com
Wed Apr 3 11:41:44 UTC 2013

Fedora has a "hardened build" option in RPM specfiles:

  https://fedoraproject.org/wiki/Packaging:Guidelines#PIE

While we could enable that in the RPM, this would only
apply to Fedora. Thus these patches directly integrate
it in libvirt's configure.ac / Makefile.am files.

With these 2 patches all executables gain -fPIE and
-z relro -z now.

Using the checksec.sh script from

  http://www.trapkit.de/tools/checksec.html

We can see the difference, before:

  $ ~/checksec.sh --file /usr/sbin/libvirtd
  RELRO           STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
  Partial RELRO   Canary found   NX enabled   No PIE        No RPATH   No RUNPATH   /usr/sbin/libvirtd

After:

  $ ~/checksec.sh --file /usr/sbin/libvirtd
  RELRO           STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
  Full RELRO      Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   /usr/sbin/libvirtd
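
The RELRO and PIE columns in the checksec output above come from a handful of ELF header fields, which the following sketch reads directly. It is an added example, not part of the original post or of libvirt: hardening and build_sample are hypothetical names, the two input images are constructed, and only ELF64 little-endian is handled.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening(elf: bytes) -> dict:
    """Classify PIE and RELRO for an ELF64 little-endian image."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("only ELF64 little-endian images are handled")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro, dyn = False, {}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # segment emitted for -z relro
            has_relro = True
        elif p_type == PT_DYNAMIC:      # walk the 16-byte Elf64_Dyn entries
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    # -z now is recorded as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
    bind_now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # ET_DYN also matches shared libraries; DF_1_PIE or DT_DEBUG marks an executable.
    is_exec = dyn.get(DT_FLAGS_1, 0) & DF_1_PIE or DT_DEBUG in dyn
    pie = "No PIE" if e_type != ET_DYN else "PIE enabled" if is_exec else "DSO"
    relro = ("No RELRO" if not has_relro
             else "Full RELRO" if bind_now else "Partial RELRO")
    return {"relro": relro, "pie": pie}

def build_sample(e_type, relro, dyn):
    """Constructed input: ELF header, program headers and dynamic table only."""
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    table = b"".join(struct.pack("<QQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    off = 64 + 56 * len(types)
    hdr = struct.pack("<4sBB10xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, off, 0, 0, len(table),
                                 len(table), 8) for t in types)
    return hdr + phdrs + table

if __name__ == "__main__":
    print(hardening(build_sample(2, True, [(DT_DEBUG, 0)])))  # ET_EXEC, lazy binding
    print(hardening(build_sample(ET_DYN, True, [(DT_DEBUG, 0), (DT_FLAGS, DF_BIND_NOW)])))
```

To check a real binary, pass the file contents, for example hardening(open("/usr/sbin/libvirtd", "rb").read()).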