hardening-check in lintian confuses me

Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

hardening-check in lintian confuses me

Christian Ehrhardt
Hi,
we got in lintian pedantic the following Info:

I: librte-pmd-af-packet20.0: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/dpdk/pmds-20.0/librte_pmd_af_packet.so.20.0

But in man hardening-check it states:
"When an executable was built such that the fortified versions of the glibc functions are not useful (e.g. use is verified as safe at compile time, or use cannot be verified at runtime), this check will lead to false alarms.  In an effort to mitigate this, the check will pass if any fortified
function is found, and will fail if only unfortified functions are found. Uncheckable conditions
also pass (e.g. no functions that c)"

We do nothing special for this file compared to all the others we build and that have no issue.
It is build with -D_FORTIFY_SOURCE=2 and all other usual flags.

Checking it manually gives:

$ hardening-check --debug --verbose librte_pmd_af_packet.so.20.0
readelf -lW librte_pmd_af_packet.so.20.0
readelf -dW librte_pmd_af_packet.so.20.0
readelf -sW librte_pmd_af_packet.so.20.0
librte_pmd_af_packet.so.20.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
unprotected: poll
unprotected: memcpy
unprotected: memmove
protected: memcpy
 Read-only relocations: yes
 Immediate bind

So it has a protected function, shouldn't it be good then?

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened