Bug#657848: Please enable hardened build flags
Ritesh Raj Sarraf
rrs at researchut.com
Mon Mar 12 07:41:35 UTC 2012
On Tuesday 06 March 2012 08:27 PM, Simon Ruderich wrote:
> The LDFLAGS hardening flags are not applied everywhere, some
> files don't use hardening flags.
>
> An updated 0009-hardened-build-flags.patch is attached which
> enables it for all files by setting LDFLAGS in ./Makefile.inc
> which is included by all Makefiles. $(shell ..) is used instead
> of `..` because it's already used in other Makefiles.
Hello Simon,
That patch didn't apply cleanly. I have redone it and here's the patch and
the result.
rrs at champaran:/tmp/Debian-Build/Result/temp$ find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} +
./lib/libmultipath.so.0:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioweightedpath.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckcciss_tur.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioconst.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckemc_clariion.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioemc.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriohds.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriordac.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioontap.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckdirectio.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriohp_sw.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioiet.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriodatacore.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckreadsector0.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libchecktur.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libprioalua.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckhp_sw.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libcheckrdac.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
./lib/multipath/libpriorandom.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
readelf: Error: Unable to read in 0x2020 bytes of section headers
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
readelf: Error: Unable to read in 0x2020 bytes of section headers
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
./sbin/multipath:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
./sbin/multipathd:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
Please let me know if it satisfies the hardening build flags requirements.
Ritesh
--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-hardening-build-flags.patch
Type: text/x-diff
Size: 3765 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lvm-maintainers/attachments/20120312/fd6e4123/attachment.patch>
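
As an added example (not part of the original message or the attached patch), the hardening-check output above can be reduced to a per-file list of the flags whose checks failed. The flag names in the mapping are the usual GCC/binutils options for each check and are an assumption about the build; the sample input is an excerpt of the output quoted in the message.

```python
# GCC/binutils option usually behind each hardening-check line (assumed mapping).
FLAG_FOR_CHECK = {
    "Position Independent Executable": "-fPIE -pie",
    "Stack protected": "-fstack-protector",
    "Fortify Source functions": "-D_FORTIFY_SOURCE=2",
    "Read-only relocations": "-Wl,-z,relro",
    "Immediate binding": "-Wl,-z,now",
}
# Excerpt of the output quoted in the message, including one readelf error line.
SAMPLE = """\
./lib/multipath/libprioconst.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no not found!
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
./sbin/multipath:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
"""

def classify(value):
    """'yes...' passes; '(ignored)' (PIE on a library) and 'unknown' are n/a; else fail."""
    v = value.strip().lower()
    if v.startswith("yes"):
        return "pass"
    if v.startswith("unknown") or "(ignored)" in v:
        return "n/a"
    return "fail"

def missing_flags(report):
    """Return {file: [flags whose check failed]}, skipping unrelated lines."""
    out, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        if line.endswith(":"):          # "./path/to/file:" starts a new record
            current = line[:-1]
            continue
        name, sep, value = line.partition(": ")
        if current and sep and name in FLAG_FOR_CHECK and classify(value) == "fail":
            out.setdefault(current, []).append(FLAG_FOR_CHECK[name])
    return out

if __name__ == "__main__":
    print(missing_flags(SAMPLE))
```

A failed stack-protector check on a very small library can mean that no function contained a buffer for GCC to guard, not that the flag was missing from the build.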