Re: hardening-check can detect whether kernel is protected or not

2019-01-02 Thread Mikhail Morfikov
On 02/01/2019 17:48, Yves-Alexis Perez wrote: > On Wed, 2019-01-02 at 17:37 +0100, Mikhail Morfikov wrote: >> I have one question. Let's say I set the kernel options that are described >> here[1]. Do I have to use DEB_BUILD_MAINT_OPTIONS or set any additional flags >> in the debian/rules file to ge

Re: hardening-check can detect whether kernel is protected or not

2019-01-02 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, 2019-01-02 at 17:37 +0100, Mikhail Morfikov wrote: > I have one question. Let's say I set the kernel options that are described > here[1]. Do I have to use DEB_BUILD_MAINT_OPTIONS or set any additional flags > in the debian/rules file to get

Re: hardening-check can detect whether kernel is protected or not

2019-01-02 Thread Mikhail Morfikov
On 02/01/2019 15:28, Yves-Alexis Perez wrote> the kernel is not a standard ELF binary, so you can't really run hardening- > check on it and expect sound results. > > Yes, the kernel has some protection/hardening (see for example the work done > by the Kernel Self Protection Project). I have one q

Re: hardening-check can detect whether kernel is protected or not

2019-01-02 Thread Ian Campbell
On Wed, 2019-01-02 at 03:08 +0100, Mikhail Morfikov wrote: > Also how to get "not stripped" instead of "stripped" kernel? It is available as the file `vmlinux` at the root of the source tree after building, if you still have access to that. There is also the `linux-image-$(uname -r)-dbg` packages

Re: hardening-check can detect whether kernel is protected or not

2019-01-02 Thread Mikhail Morfikov
On 02/01/2019 16:08, Ian Campbell wrote: > It is available as the file `vmlinux` at the root of the source tree > after building, if you still have access to that. Yes, it is. > That said, Yves-Alexis is correct that despite being an ELF binary the > kernel is in some ways a bit of a special case,

Re: hardening-check can detect whether kernel is protected or not

2019-01-02 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, 2019-01-02 at 03:08 +0100, Mikhail Morfikov wrote: > So does the kernel is protected or not? If yes, why hardening-check can't > detect it? > Also how to get "not stripped" instead of "stripped" kernel? Hi, the kernel is not a standard ELF

hardening-check can detect whether kernel is protected or not

2019-01-01 Thread Mikhail Morfikov
When I run hardening-check on some binary I get results similar the following: # hardening-check /usr/bin/firefox /usr/bin/firefox: Position Independent Executable: yes Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate bin