[ubuntu-hardened] hardening-check in lintian confuses me
Alex Murray
alex.murray at canonical.com
Tue May 26 04:35:26 UTC 2020
On Fri, 2020-03-27 at 02:50:56 +1030, Christian Ehrhardt wrote:
> Hi,
> we got in lintian pedantic the following Info:
>
> I: librte-pmd-af-packet20.0: hardening-no-fortify-functions
> usr/lib/x86_64-linux-gnu/dpdk/pmds-20.0/librte_pmd_af_packet.so.20.0
>
> But in man hardening-check it states:
> "When an executable was built such that the fortified versions of the glibc
> functions are not useful (e.g. use is verified as safe at compile time, or
> use cannot be verified at runtime), this check will lead to false alarms.
> In an effort to mitigate this, the check will pass if any fortified
> function is found, and will fail if only unfortified functions are found.
> Uncheckable conditions also pass (e.g. no functions that c)"
>
> We do nothing special for this file compared to all the others we build and
> that have no issue.
> It is built with -D_FORTIFY_SOURCE=2 and all other usual flags.
>
> Checking it manually gives:
>
> $ hardening-check --debug --verbose librte_pmd_af_packet.so.20.0
> readelf -lW librte_pmd_af_packet.so.20.0
> readelf -dW librte_pmd_af_packet.so.20.0
> readelf -sW librte_pmd_af_packet.so.20.0
> librte_pmd_af_packet.so.20.0:
> Position Independent Executable: no, regular shared library (ignored)
> Stack protected: yes
> Fortify Source functions: yes (some protected functions found)
> unprotected: poll
> unprotected: memcpy
> unprotected: memmove
> protected: memcpy
> Read-only relocations: yes
> Immediate bind
>
> So it has a protected function, shouldn't it be good then?
>
It seems like lintian doesn't make use of hardening-check anymore - from
the lintian changelog:
...
lintian (2.5.48) unstable; urgency=low
* checks/binaries.{desc,pm}:
+ [NT] Rewrite/embed the necessary bits from hardening-check to
implement the default hardening-no-* checks directly in lintian.
This is because hardening-check appears to be losing its
"home" with the coming removal of hardening-wrapper and
hardening-includes. (Closes: #836756)
So I am guessing it is being stricter than hardening-check now.
> --
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd
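As an added illustration (not code from the original thread, from hardening-check or from lintian), the POSIX shell script below applies the rule quoted from man hardening-check to `readelf -sW` output: pass if any fortified `__NAME_chk` import is found, fail only if nothing but unfortified imports are found, and treat a binary that uses no fortifiable function at all as uncheckable. It also prints the list of fortifiable functions that are imported only in their unfortified form, which is one assumed way a linter could be "stricter" and is labelled as such; it is not a claim about what lintian actually implements. The `FORTIFIABLE` list is an assumed subset chosen for the example (for real use, substitute the `__*_chk` symbols your libc exports), and the sample symbol table is constructed to mirror the symbols named in the posted output.

```sh
#!/bin/sh
# Added example, not code from hardening-check or lintian: apply the fortify
# rule quoted from man hardening-check ("pass if any fortified function is
# found, fail if only unfortified functions are found, uncheckable passes")
# to `readelf -sW` output, and also list fortifiable functions that a binary
# imports only in their unfortified form.

# ASSUMPTION: a small subset of glibc functions that have __NAME_chk variants.
# For real use, replace with the __*_chk symbols your libc actually exports.
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat sprintf snprintf poll read recv"

is_fortifiable() {
    case " $FORTIFIABLE " in *" $1 "*) return 0 ;; esac
    return 1
}

# has_symbol WANT NAME...: true if WANT is among NAME...
has_symbol() {
    want=$1; shift
    for s in "$@"; do [ "$s" = "$want" ] && return 0; done
    return 1
}

# undefined_funcs: read `readelf -sW` output on stdin, print the name of every
# undefined (imported) FUNC symbol, one per line, with the @GLIBC_x version
# suffix stripped. Header lines are skipped because their Type column is not FUNC.
undefined_funcs() {
    while read -r num value size type bind vis ndx name rest; do
        [ "$type" = "FUNC" ] && [ "$ndx" = "UND" ] || continue
        printf '%s\n' "${name%%@*}"
    done
}

# hc_verdict NAME...: hardening-check's rule as quoted in the man page.
# Prints yes (some fortified function found), no (only unfortified ones found)
# or unknown (nothing fortifiable used at all).
hc_verdict() {
    prot=0; unprot=0
    for n in "$@"; do
        if is_fortifiable "$n"; then
            unprot=1
        else
            case $n in
                __*_chk)
                    base=${n#__}; base=${base%_chk}
                    if is_fortifiable "$base"; then prot=1; fi ;;
            esac
        fi
    done
    if [ $prot -eq 1 ]; then echo yes
    elif [ $unprot -eq 1 ]; then echo no
    else echo unknown; fi
}

# only_unfortified NAME...: ASSUMED stricter rule (not lintian's actual code):
# print every fortifiable function imported without its __NAME_chk twin.
only_unfortified() {
    out=""
    for n in "$@"; do
        is_fortifiable "$n" || continue
        if has_symbol "__${n}_chk" "$@"; then continue; fi
        out="$out${out:+ }$n"
    done
    printf '%s\n' "$out"
}

# report: full evaluation of `readelf -sW` output read from stdin.
report() {
    set -- $(undefined_funcs)
    echo "imported functions: $*"
    echo "hardening-check rule: $(hc_verdict "$@")"
    echo "imported only unfortified: $(only_unfortified "$@")"
}

# CONSTRUCTED sample in `readelf -sW` layout, modelled on the symbols named in
# the posted output (poll, memcpy and memmove unprotected, memcpy protected).
SAMPLE=$(cat <<'EOF'
Symbol table '.dynsym' contains 7 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND poll@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memmove@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (2)
     6: 0000000000000000    90 FUNC    GLOBAL DEFAULT   12 probe_device
EOF
)

if [ -n "${1:-}" ] && [ -f "$1" ]; then
    readelf -sW "$1" | report          # a real ELF file given on the command line
else
    printf '%s\n' "$SAMPLE" | report   # otherwise the constructed sample
fi
```

Run it with a path to a shared object to evaluate a real binary, or with no arguments to see the constructed sample. On the sample, the hardening-check rule says "yes" because `__memcpy_chk` is present, while the stricter view reports `poll memmove` as imported only unfortified; those two lines side by side are the difference Alex points to between the old hardening-check verdict and a check that looks at each function on its own.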