Build binaries as PIE by default
Context
PIE (Position-independent Executable) is a hardening technique which may prevent exploitation: https://en.wikipedia.org/wiki/Position-independent_code
Currently PIE is widely used for building packages across many distributions (Fedora, Debian, Arch Linux): https://fedoraproject.org/wiki/Security_Features#Exec-Shield https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description
Description
Currently PIE isn't enabled through CFLAGS in flatpak builds on GNOME and KDE: https://gitlab.gnome.org/GNOME/gnome-sdk-images/blob/master/org.gnome.Sdk.json.in#L54 https://github.com/KDE/flatpak-kde-runtime/blob/qt5.9lts/org.kde.Sdk.json#L73
PIE can also be enabled directly in the GCC default config (which is the preferred way chosen by the aforementioned distros), but this isn't currently the case in flatpak: https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/bootstrap/elements/gcc-stage1.bst#L22 https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/bootstrap/elements/gcc-stage2.bst#L30
It is enabled in the newer GCC extension, which isn't used by default currently: https://github.com/flathub/org.freedesktop.Sdk.Extension.gcc7/blob/master/org.freedesktop.Sdk.Extension.gcc7.json#L29
TLDR
I recommend enabling PIE by building GCC with the "--enable-default-pie" configure option ("--enable-default-ssp" can be a bonus).
BTW: You can check if PIE is enabled with the checksec tool, see: https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Summary
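For anyone who wants to verify the result of the change without installing checksec, here is an added example (not part of this issue, and not code from freedesktop-sdk or checksec) that reads the ELF header field readelf -h reports as "Type": a PIE is linked as ET_DYN, a classic executable as ET_EXEC. It also inspects "gcc -v" for the "--enable-default-pie" configure flag, which is what the recommendation above would add. The function names, the constructed sample headers and the ET_TYPES table are my own; the sample headers are hand-built bytes, not real binaries.

```python
"""Check whether an ELF program was built as PIE and whether gcc defaults to PIE.

Added example, not part of the issue above or of any SDK's own tooling.
"""
import shutil
import struct
import subprocess

# e_type values from the ELF specification (table name is my own).
ET_TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_type(data: bytes):
    """Return the e_type name of an ELF image, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_data = data[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type is a 2-byte field at offset 16 for both ELF32 and ELF64.
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return ET_TYPES.get(e_type, "UNKNOWN(%d)" % e_type)


def is_pie(data: bytes) -> bool:
    """A PIE is linked as ET_DYN; a non-PIE executable is ET_EXEC.

    Caveat: shared libraries are ET_DYN as well, so this answer is only
    meaningful for files you know to be programs (checksec makes the same
    distinction).
    """
    return elf_type(data) == "DYN"


def is_pie_file(path: str) -> bool:
    """Read just the header of a file on disk and classify it."""
    with open(path, "rb") as f:
        return is_pie(f.read(64))


def gcc_default_pie(gcc: str = "gcc"):
    """True/False if gcc was configured with --enable-default-pie,
    None when gcc is not installed (gcc -v prints its configure line)."""
    if shutil.which(gcc) is None:
        return None
    out = subprocess.run([gcc, "-v"], capture_output=True, text=True).stderr
    for line in out.splitlines():
        if line.startswith("Configured with:"):
            return "--enable-default-pie" in line.split()
    return False


def _constructed_header(e_type: int, ei_class: int = 2, ei_data: int = 1) -> bytes:
    """Build a minimal constructed 64-byte ELF header (sample data only)."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    endian = "<" if ei_data == 1 else ">"
    e_machine = 62 if ei_class == 2 else 3  # x86-64 or i386, arbitrary here
    header = ident + struct.pack(endian + "HH", e_type, e_machine)
    return header.ljust(64, b"\x00")


# Constructed samples: what a non-PIE and a PIE program header look like.
SAMPLE_EXEC = _constructed_header(2)              # ET_EXEC, x86-64 LE
SAMPLE_PIE = _constructed_header(3)               # ET_DYN, x86-64 LE
SAMPLE_PIE_BE32 = _constructed_header(3, 1, 2)    # ET_DYN, 32-bit big-endian

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "PIE" if is_pie_file(path) else "not PIE (or not ELF)")
    print("gcc defaults to PIE:", gcc_default_pie())
```

Run it as "python3 check_pie.py /path/to/binary" inside the SDK to see whether a given build produced a PIE; compile a test program with and without "-fPIE -pie" to see both answers. Once GCC is built with "--enable-default-pie", gcc_default_pie() should return True and plain "gcc hello.c" should yield an ET_DYN program.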