Bug 1283951

Summary: no hardening build on F23
Product: [Fedora] Fedora
Reporter: Harald Reindl <h.reindl>
Component: xorg-x11-server
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: hdegoede, xgl-maint
Doc Type: Bug Fix
Last Closed: 2015-11-20 11:37:17 UTC
Type: Bug

Description Harald Reindl 2015-11-20 11:28:52 UTC
https://fedoraproject.org/wiki/Changes/Harden_All_Packages

Xorg  32117 Partial RELRO     Canary found           NX enabled    No PIE

Since it is long running and runs mostly as root, even before F23 the packaging guidelines were pretty clear that the package MUST be hardened.

Comment 1 Hans de Goede 2015-11-20 11:37:17 UTC
<sigh> If you would have taken 10 seconds of your time to look at:

http://pkgs.fedoraproject.org/cgit/xorg-x11-server.git/tree/xorg-x11-server.spec

You would have seen the following there:

# X.org requires lazy relocations to work.
%undefine _hardened_build

Due to the way xorg loads video and input drivers (and other modules), it can NOT be built hardened.

Fixing this is very hard, and would break compatibility with e.g. the nvidia binary driver.

Comment 2 Harald Reindl 2015-11-20 11:38:08 UTC
FULL RELRO is one topic
PIE is a completely different one