Fedora has a "hardened build" option in RPM specfiles:

https://fedoraproject.org/wiki/Packaging:Guidelines#PIE

While we could enable that in the RPM, this would only
apply to Fedora. Thus these patches directly integrate
it in libvirt's configure.ac / Makefile.am files.

With these 2 patches all executables gain -fPIE and
-z relro -z now.

Using the checksec.sh script from

  http://www.trapkit.de/tools/checksec.html

We can see the difference, before:

$ ~/checksec.sh --file /usr/sbin/libvirtd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/sbin/libvirtd

After:

$ ~/checksec.sh --file /usr/sbin/libvirtd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/sbin/libvirtd

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
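
The RELRO and PIE columns in the checksec.sh output above can be derived from the ELF program headers and dynamic section. The following is an added example, not part of the original mail, libvirt or checksec.sh; check_elf and make_elf are hypothetical names, and the two images it inspects are constructed header-only samples for little-endian ELF64.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
NOW_BITS = {DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW}  # flag words set by -z now
ET_EXEC, ET_DYN = 2, 3

def check_elf(data):
    """Return (relro, pie) labels for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        ph = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        if p_type == PT_GNU_RELRO:        # emitted by -z relro
            has_relro = True
        elif p_type == PT_DYNAMIC:        # scan .dynamic for a bind-now marker
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or val & NOW_BITS.get(tag, 0):
                    bind_now = True
    relro = "No RELRO" if not has_relro else "Full RELRO" if bind_now else "Partial RELRO"
    # Shared libraries are ET_DYN too; this treats every ET_DYN image as PIE.
    return relro, "PIE enabled" if e_type == ET_DYN else "No PIE"

def make_elf(e_type, relro, dyn_tags):
    """Build a constructed, header-only ELF64 image (sample input, not runnable)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, 64 + 2 * 56, len(dyn))] + ([(PT_GNU_RELRO, 0, 0)] if relro else [])
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, n, n, 8) for t, off, n in phdrs)
    return ehdr + body.ljust(2 * 56, b"\0") + dyn

if __name__ == "__main__":
    before = make_elf(ET_EXEC, True, [])                         # -z relro only
    after = make_elf(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW)])    # PIE, -z relro -z now
    for name, image in (("before", before), ("after", after)):
        print(name, *check_elf(image))
```

To check a real binary, pass its contents instead, for example check_elf(open(path, "rb").read()).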
