Re: [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions


Marta Rybczynska
 

(correcting the wrong list address)

On Fri, Aug 27, 2021 at 6:07 AM akuster808 <akuster808@...> wrote:
> Marta,
>
> On 8/24/21 11:05 PM, Marta Rybczynska wrote:
> > Compilers and related utils are better restricted on production platforms.
> > Change permissions of all installed binutils tools to remove access from
> > users outside of the root group.
> >
> > This also demonstrates how to restrict file permissions in a hardened
> > distribution.
>
> Have you looked into FILESYSTEM_PERMS_TABLES? An example of the format
> can be found @ /meta/files/fs-perms.txt
>
> For more info see
> https://www.yoctoproject.org/docs/3.1/ref-manual/ref-manual.html
>
> Maybe having something like fs-perms.txt in meta-hardening may achieve
> the same?


It looks like a possibility, I will give it a try. I have a question about the future,
however. Currently meta-hardening is defining its own distribution. When hardening
is in DISTRO_FEATURES (you were working on it some time ago: https://patchwork.openembedded.org/patch/174773/),
it would be less obvious to use, wouldn't it?

A bonus question: do you still plan to make it in DISTRO_FEATURES?

Regards,
Marta
