Forgot to mention, I'm trying to compile nftables-0.9.3. I also use

export CPPFLAGS='-Wdate-time -D_FORTIFY_SOURCE=2'

But I don't think that really matters.

> On Feb 10, 2020, at 11:10 PM, Glen Huang <heyhgl@xxxxxxxxx> wrote:
>
> Hi,
>
> I'm trying to compile nftables with hardening applied by using these commands in Debian buster:
>
> export CFLAGS='-g -O2 -fdebug-prefix-map=/tmp/nftables=. -fstack-protector-strong -Wformat -Werror=format-security' \
> && export LDFLAGS='-Wl,-z,relro -Wl,-z,now' \
> && ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> --disable-debug \
> --disable-man-doc \
> --without-cli \
> && make install
>
> Everything is fine, except that /usr/sbin/nft fails checksec.sh's stack canary check, where it says "No canary found" in the STACK CANARY column.
>
> That test is simply done with
>
> readelf -s /usr/sbin/nft 2>/dev/null | grep -Eq '__stack_chk_fail|__intel_security_cookie'
>
> I wonder why this check fails? Are there any flags I should add to pass it?
>
> If I change -fstack-protector-strong to -fstack-protector-all, then the test passes, but I'd like to stick with -fstack-protector-strong if that's possible.
>
> Gcc version is "gcc (Debian 8.3.0-6) 8.3.0" and I take the hardening flags from Debian's "dpkg-buildflags --get CPPFLAGS" and friends.
>
> Regards.
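Background for the checksec result discussed above: -fstack-protector-strong only instruments functions that have a local array, an address-taken local or an alloca call, whereas -fstack-protector-all instruments every function. A binary whose own functions need no canary therefore contains no reference to __stack_chk_fail, and checksec's grep over the symbol table reports "No canary found" even though the flag was honoured. The script below is an added example, not part of the thread; it reproduces checksec's test on two constructed programs and assumes gcc (or $CC) and readelf are on the path (it reports "skip" if they are not).

```shell
#!/bin/sh
# Added example: show when checksec's canary grep finds __stack_chk_fail.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CC=${CC:-gcc}

# Constructed input 1: no local arrays, nothing address-taken.
# -fstack-protector-strong instruments nothing in this file.
cat >"$WORK/plain.c" <<'EOF'
#include <stdio.h>
int main(int argc, char **argv) { (void)argv; printf("%d\n", argc); return 0; }
EOF

# Constructed input 2: a local char array, which -strong does instrument.
cat >"$WORK/array.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    (void)argc;
    strncpy(buf, argv[0], sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    puts(buf);
    return 0;
}
EOF

# canary_check FILE FLAG: compile FILE with FLAG, then apply exactly the
# readelf|grep heuristic quoted in the thread. Prints canary, nocanary or skip.
canary_check() {
    if ! command -v "$CC" >/dev/null 2>&1 || ! command -v readelf >/dev/null 2>&1; then
        echo skip
        return 0
    fi
    out="$WORK/$(basename "$1" .c)-${2#-f}"
    "$CC" -O2 "$2" -o "$out" "$WORK/$1"
    if readelf -s "$out" 2>/dev/null | grep -Eq '__stack_chk_fail|__intel_security_cookie'; then
        echo canary
    else
        echo nocanary
    fi
}

# Stand-alone usage: the first line is the case the thread is about.
echo "plain.c  -fstack-protector-strong: $(canary_check plain.c -fstack-protector-strong)"
echo "plain.c  -fstack-protector-all:    $(canary_check plain.c -fstack-protector-all)"
echo "array.c  -fstack-protector-strong: $(canary_check array.c -fstack-protector-strong)"
```

The same check applied to a shared library such as libnftables.so, rather than only to the nft front end, shows where the protected functions actually live.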