Restore lintian overrides for hardening false-positives.

2 files changed, 14 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 79a96fed..d042825d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ pam (1.3.1-3) UNRELEASED; urgency=medium
   * debian/source.lintian-overrides: update for the current quilt warnings.
   * debian/control: drop redundant priority fields.
   * Standards-Version 4.3.0.
+  * Restore lintian overrides for hardening false-positives.
 
  -- Steve Langasek <vorlon@debian.org>  Wed, 13 Feb 2019 05:57:21 +0000
 
diff --git a/debian/libpam-modules.lintian-overrides b/debian/libpam-modules.lintian-overrides
index 286eae4c..ad808cfa 100644
--- a/debian/libpam-modules.lintian-overrides
+++ b/debian/libpam-modules.lintian-overrides
@@ -1,2 +1,15 @@
+# These are false positives because they don't use any functions that need
+# fortifying.  Since we know we have hardening turned on globally, suppress
+# them.  If we ever see this warning again for *other* modules, then we know
+# there's a real problem.
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_echo.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_filter.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_group.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_limits.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_shells.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_tally.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_tally2.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_time.so
+libpam-modules: hardening-no-fortify-functions lib/*/security/pam_wheel.so
 # pam_deny.so does not use any symbol from libc.
 libpam-modules: shared-lib-without-dependency-information lib/*/security/pam_deny.so