[ubuntu-hardened] hardening-check in lintian confuses me

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Mar 26 16:20:56 UTC 2020

we got in lintian pedantic the following Info:

I: librte-pmd-af-packet20.0: hardening-no-fortify-functions

But in man hardening-check it states:
"When an executable was built such that the fortified versions of the glibc
functions are not useful (e.g. use is verified as safe at compile time, or
use cannot be verified at runtime), this check will lead to false alarms.
In an effort to mitigate this, the check will pass if any fortified
function is found, and will fail if only unfortified functions are found.
Uncheckable conditions
also pass (e.g. no functions that c)"

We do nothing special for this file compared to all the others we build and
that have no issue.
It is build with -D_FORTIFY_SOURCE=2 and all other usual flags.

Checking it manually gives:

$ hardening-check --debug --verbose librte_pmd_af_packet.so.20.0
readelf -lW librte_pmd_af_packet.so.20.0
readelf -dW librte_pmd_af_packet.so.20.0
readelf -sW librte_pmd_af_packet.so.20.0
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
unprotected: poll
unprotected: memcpy
unprotected: memmove
protected: memcpy
 Read-only relocations: yes
 Immediate bind

So it has a protected function, shouldn't it be good then?

Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20200326/633788b4/attachment.html>

More information about the ubuntu-hardened mailing list