Bug 1256628

Summary: Use upstream --enable-pie configure option for enabling PIE in Firefox
Product: Red Hat Enterprise Linux 7
Reporter: Martin Stransky <stransky>
Component: firefox
Assignee: Martin Stransky <stransky>
Status: CLOSED WONTFIX
QA Contact: Desktop QE <desktop-qa-list>
Severity: low
Priority: unspecified
Version: 7.2
CC: mboisver, tpelka
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Clone Of: 1246287
Last Closed: 2019-08-23 06:26:29 UTC
Type: Bug

Description Martin Stransky 2015-08-25 07:04:24 UTC
+++ This bug was initially created as a clone of Bug #1246287 +++

Fedora should use the upstream configure option instead of hacking the build options[1] to generate a hardened build.
This is the recommended[2] approach.

Note: Same thing may apply to other Mozilla products like Thunderbird.

[1] http://pkgs.fedoraproject.org/cgit/firefox.git/commit/?h=f22&id=ded1820a4f7f445b440a40a0e584bf3038307066
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1079662#c3

--- Additional comment from Johannes Pfrang on 2015-07-23 18:35:47 EDT ---

Let me rephrase that: PIE should be enabled using the upstream configure option.

--- Additional comment from Martin Stransky on 2015-08-20 05:28:48 EDT ---

Added to rawhide - firefox 40.0-7. Thanks for the report.

--- Additional comment from Harald Reindl on 2015-08-20 20:58:51 EDT ---

well, if you are at it why not just use hardening-check / checksec and enable FULL RELRO too?

http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html

export LDFLAGS="-Wl,-z,now -Wl,-z,relro -pie %{optflags}"
export SH_LDFLAGS="-Wl,-z,now -Wl,-z,relro %{optflags}"

/usr/lib64/firefox/firefox:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
_______________________________________________________

a *really* hardened build looks like this (self built PHP):

/usr/bin/php:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

--- Additional comment from Martin Stransky on 2015-08-21 03:53:46 EDT ---

Are you referring to the "Immediate binding: no, not found!"? Or are there any other missing pieces here?

--- Additional comment from Harald Reindl on 2015-08-21 04:11:38 EDT ---

yes, "Immediate binding" is FULL RELRO, "checksec" labels it that way but in a list form which is perfect for verifying complete dirs but not for posting in Bugzilla :-)

Options:

  --file <executable-file>
  --dir <directory> [-v]
  --proc <process name>
  --proc-all
  --proc-libs <process ID>
  --kernel
  --fortify-file <executable-file>
  --fortify-proc <process ID>
  --version
  --help

For more information, see:
  http://www.trapkit.de/tools/checksec.html

[root@srv-rhsoft:~]$ checksec --file /usr/lib64/firefox/firefox
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/firefox/firefox

--- Additional comment from Martin Stransky on 2015-08-25 03:01:41 EDT ---

Added to Fedora 22 and 21, let's see what happens.