Re: [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions
Marta Rybczynska
(correcting the wrong list address)
On Fri, Aug 27, 2021 at 6:07 AM akuster808 <akuster808@...> wrote:
> Marta,
> On 8/24/21 11:05 PM, Marta Rybczynska wrote:
> > Compilers and related utils are better restricted on production platforms.
> > Change permissions of all installed binutils tools to remove access from
> > users outside of the root group.
> >
> > This also demonstrates how to restrict file permissions in a hardened
> > distribution.
> Have you looked into FILESYSTEM_PERMS_TABLES? An example of the format
> can be found @ /meta/files/fs-perms.txt
> For more info see
> https://www.yoctoproject.org/docs/3.1/ref-manual/ref-manual.html
> Maybe having something like fs-perms.txt in meta-hardening may achieve
> the same?
It looks like a possibility, I will give it a try. I have a question about the future,
however. Currently meta-hardening is defining its own distribution. When hardening
is in DISTRO_FEATURES (you were working on it some time ago: https://patchwork.openembedded.org/patch/174773/),
it would be less obvious to use, wouldn't it?
A bonus question: do you still plan to make it in DISTRO_FEATURES?
Regards,
Marta