When I run hardening-check on some binary I get results similar to the following:

    # hardening-check /usr/bin/firefox
    /usr/bin/firefox:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no, not found!

But when I do the hardening check on the kernel, I get:

    # /usr/src/linux-source-4.19/scripts/extract-vmlinux /boot/vmlinuz-4.19.13-amd64-morficzny > /tmp/kernel-morficzny
    # file /tmp/kernel-morficzny
    /tmp/kernel-morficzny: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=552fa51a31ac5536ef9c729c7755719f1e62f34d, stripped
    # hardening-check /tmp/kernel-morficzny
    /tmp/kernel-morficzny:
     Position Independent Executable: no, normal executable!
     Stack protected: no, not found!
     Fortify Source functions: unknown, no protectable libc functions used
     Read-only relocations: no, not found!
     Immediate binding: no, not found!

I compiled this kernel myself, by editing the file /usr/src/linux-source-4.19/scripts/package/builddeb and adding the following to the rules file:

    ...
    cat <<EOF > debian/rules
    #!$(command -v $MAKE) -f
    ...
    export DEB_BUILD_MAINT_OPTIONS = hardening=+all qa=+all
    DPKG_EXPORT_BUILDFLAGS = 1
    include /usr/share/dpkg/buildflags.mk
    CFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
    CXXFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
    CPPFLAGS += -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic
    LDFLAGS += -Wl,-O2 -Wl,--as-needed -Wl,-z,defs -Wl,-shared
    ...

The extra flags at the end come from some HowTo -- they simply said the flags should be set.

When I've checked what flags were set while building the kernel, I can see this:

    # make -j2 bindeb-pkg
    ...
    dpkg-buildflags --status
    dpkg-buildflags: status: environment variable DEB_BUILD_MAINT_OPTIONS=hardening=+all qa=+all
    dpkg-buildflags: status: environment variable DEB_BUILD_OPTIONS=parallel=2
    dpkg-buildflags: status: environment variable DEB_HOST_ARCH=amd64
    dpkg-buildflags: status: vendor is Debian
    dpkg-buildflags: status: future features: lfs=no
    dpkg-buildflags: status: hardening features: bindnow=yes format=yes fortify=yes pie=yes relro=yes stackprotector=yes stackprotectorstrong=yes
    dpkg-buildflags: status: qa features: bug=yes canary=yes
    dpkg-buildflags: status: reproducible features: fixdebugpath=yes fixfilepath=no timeless=yes
    dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
    dpkg-buildflags: status: CFLAGS [vendor]: -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
    dpkg-buildflags: status: CPPFLAGS [vendor]: -D__DEB_CANARY_CPPFLAGS_8a057268a74a5f1201285aa667585e15__ -Wdate-time -D_FORTIFY_SOURCE=2
    dpkg-buildflags: status: CXXFLAGS [vendor]: -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CXXFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
    dpkg-buildflags: status: FCFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
    dpkg-buildflags: status: FFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
    dpkg-buildflags: status: GCJFLAGS [vendor]: -g -O2 -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong
    dpkg-buildflags: status: LDFLAGS [vendor]: -Wl,-z,deb-canary-8a057268a74a5f1201285aa667585e15 -Wl,-z,relro -Wl,-z,now
    dpkg-buildflags: status: OBJCFLAGS [vendor]: -g -O2 -D__DEB_CANARY_OBJCFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security
    dpkg-buildflags: status: OBJCXXFLAGS [vendor]: -g -O2 -D__DEB_CANARY_OBJCXXFLAGS_8a057268a74a5f1201285aa667585e15__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security

And when testing if, for instance, CFLAGS has the additional flags, I can see it has:

    -g -O2 -Werror=array-bounds -Werror=clobbered -Werror=volatile-register-var -Werror=implicit-function-declaration -D__DEB_CANARY_CFLAGS_b5b0db7f3a77ca4fcf9eca57aa7181ca__ -fdebug-prefix-map=/usr/src/linux-source-4.19=. -fstack-protector-strong -Wformat -Werror=format-security -pipe -fasynchronous-unwind-tables -fexceptions -Wall -fstack-clash-protection -fpic

So is the kernel protected or not? If yes, why can't hardening-check detect it? Also, how do I get a "not stripped" instead of a "stripped" kernel?
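As an added illustration (not part of the original mail, and not hardening-check's own code), the following Python script reproduces what each ELF-level line of a hardening-check report is derived from, on minimal ELF64 images constructed inside the script: "Position Independent Executable" from the ELF type (ET_DYN vs ET_EXEC), "Read-only relocations" from a PT_GNU_RELRO program header, "Immediate binding" from DT_BIND_NOW or DF_BIND_NOW in the dynamic section, and "Stack protected" from the presence of the __stack_chk_fail symbol name. The symbol name is appended as a bare string, a simplified stand-in for the real symbol table; the point it shows is that a statically linked, stripped image like the extracted vmlinux has no dynamic section and no symbol table, so the last three checks have nothing to find whatever the compile flags were.

```python
import struct

# ELF constants used by the checks (from the ELF and GNU ABI specs)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8

def build_elf(pie, dynamic, bindnow, relro, stripped):
    """Construct a minimal, non-runnable ELF64 image with the requested traits.
    The symbol name is appended as a bare string: a simplified stand-in for a
    real .symtab/.strtab (hardening-check inspects the actual symbol table)."""
    phnum = int(dynamic) + int(relro)
    dyn_off = 64 + 56 * phnum               # dynamic section follows the program headers
    dyn, phdrs = b"", []
    if dynamic:
        dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bindnow else 0)
        dyn += struct.pack("<qQ", DT_NULL, 0)
        phdrs.append(struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # ELFCLASS64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, phnum, 64, 0, 0)
    names = b"" if stripped else b"__stack_chk_fail\x00"   # stripped => no symbol names at all
    return ehdr + b"".join(phdrs) + dyn + names

def hardening_report(elf):
    """Derive the four ELF-level hardening-check answers from the image bytes."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from("<HHIQQQIHHH", elf, 16)
    report = {"pie": e_type == ET_DYN, "relro": False, "bindnow": False,
              "stack_protector": b"__stack_chk_fail" in elf}
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            report["relro"] = True              # "Read-only relocations"
        elif p_type == PT_DYNAMIC:              # "Immediate binding" lives in the dynamic section
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    report["bindnow"] = True
                if tag == DT_NULL:
                    break
    return report

if __name__ == "__main__":
    print("dynamic PIE:", hardening_report(build_elf(True, True, True, True, False)))
    print("static, stripped (like the extracted vmlinux):",
          hardening_report(build_elf(False, False, False, False, True)))
```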