[ubuntu-hardened] hardening-check in lintian confuses me
christian.ehrhardt at canonical.com
Thu Mar 26 16:20:56 UTC 2020
We got in lintian pedantic the following Info:
I: librte-pmd-af-packet20.0: hardening-no-fortify-functions
But in man hardening-check it states:
"When an executable was built such that the fortified versions of the glibc
functions are not useful (e.g. use is verified as safe at compile time, or
use cannot be verified at runtime), this check will lead to false alarms.
In an effort to mitigate this, the check will pass if any fortified
function is found, and will fail if only unfortified functions are found.
also pass (e.g. no functions that c)"
We do nothing special for this file compared to all the others we build and
that have no issue.
It is built with -D_FORTIFY_SOURCE=2 and all other usual flags.
Checking it manually gives:
$ hardening-check --debug --verbose librte_pmd_af_packet.so.20.0
readelf -lW librte_pmd_af_packet.so.20.0
readelf -dW librte_pmd_af_packet.so.20.0
readelf -sW librte_pmd_af_packet.so.20.0
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
So it has a protected function, shouldn't it be good then?
Staff Engineer, Ubuntu Server
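
The pass/fail rule quoted from the man page above, as an added example that is not part of the original post and is not hardening-check's own code. It applies the rule to a constructed `readelf -sW` excerpt; the FORTIFIABLE list, the helper names and the restriction to undefined symbols are assumptions made for illustration.

```python
import re

# Assumption: a short sample of glibc functions that have __*_chk variants.
FORTIFIABLE = {"memcpy", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "read"}

# Constructed sample of `readelf -sW` output (not taken from the library in the post).
SAMPLE = """\
Symbol table '.dynsym' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND socket@GLIBC_2.2.5 (5)
"""

# Columns: Num, Value, Size, Type, Bind, Vis, Ndx (captured), Name (captured).
SYM_RE = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)")
CHK_RE = re.compile(r"^__(\w+)_chk$")


def classify(readelf_syms):
    """Return (protected, unprotected) imported symbol names, each sorted."""
    protected, unprotected = set(), set()
    for line in readelf_syms.splitlines():
        m = SYM_RE.match(line)
        if not m or m.group(1) != "UND":
            continue  # assumption: only imported (undefined) symbols are considered
        name = m.group(2).split("@")[0]  # drop the symbol version suffix
        chk = CHK_RE.match(name)
        if chk and chk.group(1) in FORTIFIABLE:
            protected.add(name)      # e.g. __snprintf_chk
        elif name in FORTIFIABLE:
            unprotected.add(name)    # e.g. plain memcpy
    return sorted(protected), sorted(unprotected)


def fortify_passes(readelf_syms):
    """Pass if any fortified function is found; fail if only unfortified ones are."""
    protected, unprotected = classify(readelf_syms)
    # With neither kind present there is nothing to verify; treated here as a pass.
    return bool(protected) or not unprotected


if __name__ == "__main__":
    prot, unprot = classify(SAMPLE)
    print("protected:", prot, "unprotected:", unprot)
    print("Fortify Source functions:", "yes" if fortify_passes(SAMPLE) else "no")
```

A file that mixes plain and `__*_chk` imports, like the constructed sample, passes under this rule, which matches the "yes (some protected functions found)" line in the output above.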