Compiling nftables with stack-protector-strong fails checksec's canary check

Hi,

I’m trying to compile nftables with hardening applied by using these commands in Debian buster:

export CFLAGS='-g -O2 -fdebug-prefix-map=/tmp/nftables=. -fstack-protector-strong -Wformat -Werror=format-security' \
&& export LDFLAGS='-Wl,-z,relro -Wl,-z,now' \
&& ./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --disable-debug \
    --disable-man-doc \
    --without-cli \
&& make install

Everything is fine, except that /usr/sbin/nft fails checksec.sh's stack canary check, where it says "No canary found" in the STACK CANARY column.

That test is simply done with readelf -s /usr/sbin/nft 2>/dev/null | grep -Eq '__stack_chk_fail|__intel_security_cookie'

I wonder why this check fails? Are there any flags I should add to pass it?

If I change -fstack-protector-strong to -fstack-protector-all, then the test passes, but I'd like to stick with -fstack-protector-strong if that's possible.

GCC version is "gcc (Debian 8.3.0-6) 8.3.0" and I take the hardening flags from Debian's "dpkg-buildflags --get CPPFLAGS" and friends.

Regards.
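Added example (not part of the original post, and not nftables' own code): the readelf test quoted above only succeeds when at least one function in the binary was actually instrumented, because that is what creates the reference to __stack_chk_fail. -fstack-protector-strong instruments only functions that have local arrays, address-taken locals, alloca or variable-length arrays, while -fstack-protector-all instruments every function. The script below makes that difference visible with two constructed C sources and the same readelf/grep check. It assumes gcc and binutils (readelf) are installed; the sources, function names and the "canary"/"no-canary" verdict strings are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): shows why a binary built with
# -fstack-protector-strong may reference __stack_chk_fail in one case and not
# another, using the same readelf test that checksec.sh applies. Assumes gcc
# and binutils (readelf) are installed; both C sources below are constructed.
set -eu

# Constructed source 1: only scalar locals, no arrays, no address-taken
# variables, so -fstack-protector-strong instruments nothing here.
NO_ARRAY_SRC='
#include <stdio.h>
static int add(int a, int b) { int s = a + b; return s; }
int main(int argc, char **argv) { (void)argv; printf("%d\n", add(argc, 41)); return 0; }
'

# Constructed source 2: a local char array qualifies the function for a canary
# under -fstack-protector-strong.
ARRAY_SRC='
#include <stdio.h>
#include <string.h>
static size_t read_line_len(void) {
    char buf[64];                       /* local array: gets a canary */
    if (!fgets(buf, sizeof buf, stdin)) return 0;
    return strlen(buf);
}
int main(void) { return read_line_len() > 0; }
'

# has_canary FILE: the checksec.sh test quoted in the post, as a function.
# Prints "canary" if the ELF references a stack-check failure routine,
# "no-canary" otherwise.
has_canary() {
    if readelf -s "$1" 2>/dev/null | grep -Eq '__stack_chk_fail|__intel_security_cookie'; then
        echo canary
    else
        echo no-canary
    fi
}

# compile_status SOURCE FLAG: compile SOURCE (a string) at -O2 with the given
# -fstack-protector variant and report has_canary's verdict for the result.
compile_status() {
    src=$1
    flag=$2
    out=$(mktemp)
    printf '%s\n' "$src" | gcc -O2 "$flag" -x c - -o "$out"
    verdict=$(has_canary "$out")
    rm -f "$out"
    echo "$verdict"
}

# demo: run the three combinations that matter for the question in the post.
demo() {
    if ! command -v gcc >/dev/null 2>&1 || ! command -v readelf >/dev/null 2>&1; then
        echo "gcc and readelf are required for this demo" >&2
        return 0
    fi
    echo "no-array  strong: $(compile_status "$NO_ARRAY_SRC" -fstack-protector-strong)"
    echo "no-array  all:    $(compile_status "$NO_ARRAY_SRC" -fstack-protector-all)"
    echo "array     strong: $(compile_status "$ARRAY_SRC" -fstack-protector-strong)"
}

demo
```

The first source compiled with -fstack-protector-strong yields "no-canary" even though the flag was honoured, because no function met the instrumentation criteria; the same source with -fstack-protector-all yields "canary", and the second source yields "canary" under -strong alone. A negative checksec result on a small main executable therefore does not by itself prove the flag was dropped; comparing the build log or the generated assembly (gcc -S) of a function that should qualify is the reliable check.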
