Re: Seeking hardening flag / blhc expert

Otto Kekäläinen:
> So apparently the 'D_FORTIFY_SOURCE=2' is in CPPFLAGS (not read by
> cmake) but not in CXXFLAGS (read by cmake)[1].
> 
> So maybe I should define?
> CXXFLAGS=$(CXXFLAGS) $(CPPFLAGS)
> 

You have to with cmake, yes.  I believe debhelper carries a similar
workaround (for CXXFLAGS + CFLAGS with cmake).

> This is the current state of mysqld, should I be happy with this or is
> it relevant that all functions are protected?
> 
> hardening-check --verbose --color  mysqld
> [...] 
> 
> 
> [1] https://cmake.org/Bug/view.php?id=12928
> 

This is where blhc log check (where possible) is better as it will tell
you if all compiler invocations had the hardening flags.  If they do,
then you are good.
It is "perfectly" normal for a correctly hardened binary to have
unhardened functions as the compiler *can* in some cases prove the
hardening is unnecessary.

On a related note, lintian has a list of symbols that it ignores for the
purpose of assuming/checking if a binary is hardened or not and it has
no hardened functions.  Mind you, that list is an accuracy trade-off (to
prefer false-negatives over false-positives due to the number of
false-positive complaints).

Thanks,
~Niels
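As an added example, not part of this thread or of blhc itself: a minimal blhc-style log check in POSIX shell that walks a build log and reports every compile invocation missing the hardening flags discussed above. The build log lines, the compiler-name pattern and the flag set are constructed assumptions; the second line deliberately shows the cmake symptom (CPPFLAGS, hence -D_FORTIFY_SOURCE=2, never reaching the compiler).

```shell
#!/bin/sh
# Constructed sample build log (not a real mysqld build). Line 2 received
# only CXXFLAGS, so the CPPFLAGS-carried -D_FORTIFY_SOURCE=2 is absent.
BUILD_LOG='/usr/bin/c++ -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -o a.o -c a.cc
/usr/bin/c++ -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -o b.o -c b.cc
/usr/bin/c++ -Wl,-z,relro -o mysqld a.o b.o
make[1]: Leaving directory /build'

# check_hardening LOG
#   Prints each compile line (cc/c++/gcc/g++ with -c) that lacks one of the
#   expected compile-time hardening flags; exit 0 only if every compile line
#   is hardened. Link-only lines are skipped here because their flags
#   (relro, etc.) are a separate check.
check_hardening() {
    printf '%s\n' "$1" | awk '
        /(^|\/)(cc|c\+\+|gcc|g\+\+)[^ ]* / && / -c / {
            missing = ""
            if ($0 !~ /-D_FORTIFY_SOURCE=2/)             missing = missing " -D_FORTIFY_SOURCE=2"
            if ($0 !~ /-fstack-protector(-strong|-all)?/) missing = missing " -fstack-protector"
            if ($0 !~ /-Werror=format-security/)           missing = missing " -Werror=format-security"
            if (missing != "") { bad++; print "NOT HARDENED (missing" missing "): " $0 }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: reports the b.cc invocation and exits non-zero.
check_hardening "$BUILD_LOG"
```

A log where every compile line carries the flags yields no output and exit status 0, which is the "you are good" case Niels describes.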