Firefox hardening flags

Peter Smith peter.smith3882100 at gmail.com
Sat Apr 16 01:00:52 UTC 2011 

I have downloaded the official Firefox 3.6.16 source tarball from
Mozilla and extracted it to a Debian build environment created with
Debootstrap. The following flags are configured in mozconfig:

export CFLAGS="-Wformat -Wformat-security -D_FORTIFY_SOURCE=2
-fstack-protector-all -fPIE -pie"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS="-z relro -z now"

Firefox from the Ubuntu repository is compiled with "export
DEB_BUILD_HARDENING=1" and this should be equivalent to adding the
above flags to mozconfig, but when running hardening-check on files in
my custom build the result is not the same as running hardening-check
on files in the official Ubuntu Firefox build.

Custom Firefox 3.6.16 build:
---------
firefox-bin:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes

libnss3.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

libssl3.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
---------

Official Ubuntu 3.6.16 build:
-------
firefox-bin:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: yes

libnss3.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: yes

libssl3.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, not found!
 Read-only relocations: yes
 Immediate binding: yes
--------

Read-only relocations and immediate binding are always enabled on .so
files in the Ubuntu build, but not in my custom build even though i
have enabled export LDFLAGS="-z relro -z now".

Any suggestions on why this is happening?

More information about the Ubuntu-mozillateam mailing list