[meta-security][PATCH 2/2] image-with-hardened-binaries: Add selftest


Maximilian Blenk
 

Add a selftest that runs the binary analysis on a small rootfs

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
.../cases/hardened_binaries_checker.py | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 lib/oeqa/selftest/cases/hardened_binaries_checker.py

diff --git a/lib/oeqa/selftest/cases/hardened_binaries_checker.py b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
new file mode 100644
index 0000000..6385757
--- /dev/null
+++ b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
@@ -0,0 +1,42 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class HardenTests(OESelftestTestCase):
+ def test_hardened_binaries(self):
+
+ self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+
+CORE_IMAGE_EXTRA_INSTALL ?= ""
+
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit image-with-hardened-binaries
+
+HARDENED_BINARIES_CONFIG_FILE = "${WORKDIR}/check-config.toml"
+
+do_write_config_file() {
+ echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"
+ echo "[runpath]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[relro]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[pie]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[nx]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+}
+
+addtask do_write_config_file before do_image_qa
+
+ """)
+
+ result = bitbake("-c image_qa emptytest", ignore_status=True)
+ if result.status != 0:
+ self.logger.warn(result.output)
+ raise self.failureException("build failed, something went wrong...")
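Review bot: The `\n` sequences inside the `echo` arguments of `do_write_config_file` are interpreted by Python, not by the shell, because the recipe is a non-raw triple-quoted string; the recipe written to disk therefore contains multi-line double-quoted `echo` arguments, which works but reads as if it relied on `echo -e` semantics and breaks silently if the literal is ever made raw or the text is moved into a shell variable. Writing the config with a quoted heredoc makes the intent explicit and removes the dependence on Python escaping. The test also only asserts that `bitbake -c image_qa` exits 0, so a configuration the checker ends up ignoring (for example an unparsed file) would pass just the same; asserting on the checker's report in `result.output`, or adding a variant with a deliberately non-hardened binary that is expected to fail, would show the checks actually ran. `self.logger.warn` is a deprecated alias; use `self.logger.warning(result.output)`. A one-line docstring on `test_hardened_binaries` stating that it builds a minimal image with all five checks enabled and empty whitelists would also help.
```python
# … unchanged: recipe header up to HARDENED_BINARIES_CONFIG_FILE …
do_write_config_file() {
    cat > "${WORKDIR}/check-config.toml" <<'EOF'
[rpath]
enabled = true
whitelist = []

[runpath]
enabled = true
whitelist = []

[relro]
enabled = true
whitelist = []

[pie]
enabled = true
whitelist = []

[nx]
enabled = true
whitelist = []
EOF
}
# … unchanged: addtask line, bitbake call and status check …
```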
--
2.31.1
