On Fri, Mar 29, 2013 at 05:13:33PM +0000, Richard W.M. Jones wrote:
On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
Hi,
This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
(mitr asked me to move the discussion to fedora-devel to get more attention and feedback)
...
http://fedoraproject.org/wiki/Hardened_Packages page mentions that "FESCo requires some packages to use PIE and relro hardening by default."
It would be great if this list could be expanded to include even more packages which are at comparatively more risk of being exploited (locally or remotely).
Such packages will typically include various system daemons, network daemons and network-enabled applications.
Qemu is surely a good candidate for this. Although it's not network-accessible, it is accessible from the guests that it runs via its huge and ill-specified surface of emulated devices.
I'm running my own modified qemu package [qemu-1.4.0-5.fc20.x86_64] with hardening flags enabled. It seems to be working OK so far ...
Rich.