[ubuntu-hardened] hardening-check in lintian confuses me

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Mar 26 16:20:56 UTC 2020


Hi,
we got in lintian pedantic the following Info:

I: librte-pmd-af-packet20.0: hardening-no-fortify-functions
usr/lib/x86_64-linux-gnu/dpdk/pmds-20.0/librte_pmd_af_packet.so.20.0

But in man hardening-check it states:
"When an executable was built such that the fortified versions of the glibc
functions are not useful (e.g. use is verified as safe at compile time, or
use cannot be verified at runtime), this check will lead to false alarms.
In an effort to mitigate this, the check will pass if any fortified
function is found, and will fail if only unfortified functions are found.
Uncheckable conditions also pass (e.g. no functions that c)"

We do nothing special for this file compared to all the others we build and
that have no issue.
It is built with -D_FORTIFY_SOURCE=2 and all other usual flags.

Checking it manually gives:

$ hardening-check --debug --verbose librte_pmd_af_packet.so.20.0
readelf -lW librte_pmd_af_packet.so.20.0
readelf -dW librte_pmd_af_packet.so.20.0
readelf -sW librte_pmd_af_packet.so.20.0
librte_pmd_af_packet.so.20.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
unprotected: poll
unprotected: memcpy
unprotected: memmove
protected: memcpy
 Read-only relocations: yes
 Immediate bind

So it has a protected function, shouldn't it be good then?

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
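The rule quoted from the man page above is easy to misread, so here is the heuristic written out as an added example. This is illustration code, not the hardening-check Perl script or lintian's own check: it re-implements only the "Fortify Source functions" decision over the text of `readelf -sW`, and the sample symbol tables and the FORTIFIABLE set are constructed for the example (hardening-check ships a much longer list). It treats an imported (UND) FUNC symbol `__foo_chk` as the protected form of `foo`, and a plain `foo` from the fortifiable list as unprotected; the verdict is "yes" as soon as one protected function appears, regardless of how many unprotected ones sit next to it, which is exactly the situation in the output above (`protected: memcpy` alongside `unprotected: poll/memcpy/memmove`).

```python
"""Re-implementation of hardening-check's Fortify Source heuristic (added example).

Assumption: the rule is the one the man page states -- pass if any fortified
(*_chk) libc function is imported, fail only if every imported fortifiable
function is the plain, unfortified variant, and "unknown" if none is used.
The verdict strings mimic hardening-check's wording but are not copied from it.
"""
import re
from typing import List, Tuple

# Subset of glibc functions that gain __*_chk variants under _FORTIFY_SOURCE.
# Constructed for this example; the real tool carries a far longer table.
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "vsprintf", "vsnprintf", "read", "pread", "recv",
    "recvfrom", "poll", "ppoll", "fgets", "getcwd", "realpath", "readlink",
    "gets", "stpcpy", "wcscpy",
}

CHK_RE = re.compile(r"__(\w+)_chk")


def parse_undefined_funcs(readelf_s_output: str) -> List[str]:
    """Names of imported (UND) FUNC symbols in `readelf -sW` text.

    Each symbol row is: Num: Value Size Type Bind Vis Ndx Name ...
    The '@GLIBC_x.y' version suffix is stripped from the name.
    """
    names = []
    for line in readelf_s_output.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].endswith(":"):
            continue  # header, blank, or the unnamed entry 0
        sym_type, ndx, name = parts[3], parts[6], parts[7]
        if sym_type == "FUNC" and ndx == "UND":
            names.append(name.split("@", 1)[0])
    return names


def classify(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split imported functions into fortified and unfortified uses."""
    protected, unprotected = [], []
    for name in names:
        m = CHK_RE.fullmatch(name)
        if m and m.group(1) in FORTIFIABLE:
            protected.append(m.group(1))      # e.g. __memcpy_chk -> memcpy
        elif name in FORTIFIABLE:
            unprotected.append(name)          # plain, unfortified call
        # __stack_chk_fail and non-libc imports fall through: not fortify-related
    return protected, unprotected


def verdict(protected: List[str], unprotected: List[str]) -> str:
    """The man-page rule: any protected function wins; only-unprotected fails."""
    if protected:
        return "yes (some protected functions found)"
    if unprotected:
        return "no, only unprotected functions found!"
    return "unknown, no protectable libc functions used"


def check(readelf_s_output: str) -> Tuple[str, List[str], List[str]]:
    protected, unprotected = classify(parse_undefined_funcs(readelf_s_output))
    return verdict(protected, unprotected), protected, unprotected


# Constructed readelf -sW excerpts (not taken from a real librte_pmd_af_packet).
SAMPLE_MIXED = """\
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND poll@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memmove@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (5)
"""

# Same imports, but the one fortified call is gone: only plain variants remain.
SAMPLE_UNPROTECTED = "\n".join(
    l for l in SAMPLE_MIXED.splitlines() if "__memcpy_chk" not in l
)

# Nothing fortifiable imported at all: the check cannot decide either way.
SAMPLE_NONE = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND pthread_create@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
"""

if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MIXED),
                          ("unprotected", SAMPLE_UNPROTECTED),
                          ("none", SAMPLE_NONE)):
        result, prot, unprot = check(sample)
        print(f"{label}: Fortify Source functions: {result}")
        for name in unprot:
            print(f"  unprotected: {name}")
        for name in prot:
            print(f"  protected: {name}")
```

Run against a real object with `readelf -sW libfoo.so | python3 fortify_check.py`-style plumbing if you wire stdin in; as shipped it runs on the embedded samples. Note that the heuristic has no way to tell a `memcpy` whose size the compiler proved safe (and therefore left unfortified on purpose) from one it could not check, which is why the man page calls the result a false-alarm-prone approximation rather than a proof.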
