Re: [meta-security][PATCH 1/2] image-with-hardened-binaries: add class


Maximilian Blenk
 

Hi,

I'm really not used to this e-mail process :-D
forwording my original answer to the mailing list...

BR Max

On 06.09.21 10:18, Maximilian Blenk wrote:

Hi Robert, Hi Armin,

sorry for the late reply.

Regarding  Armins question:
If the config file you've used (e.g. th eon ein the selftest) enables all the tests, then it should be fine indeed. I'm not completely sure what the core-mage-minimal includes though. It if it contains systemd the build should be failing if the rpath check is enabled (you would have to whitelist the binaries in the config file)
Currently there is no test for failing. Should i add one?

Sure i can remove the ".py", i just want to avoid confusion of "checksec.sh" and "checksec.py" (which are completely different tools)

Regarding Roberts question:
In case the tooling finds a violation it fails the build and outputs an error message containing the buildsystem paths to the binaries and the actual check it is failing. The message also contains some reasoning on why the used feature shouldn't be used. The bitbake class basically take the output you pasted (there is a json mode) and checks it against the whitelist (and some other unreasonable things, such as usage of relro in statically linked applications)


Br Max

On 21.08.21 18:59, Robert Berger wrote:
Hi,

On 21/08/2021 18:35, Armin Kuster wrote:

Regarding the selftest, is there test for failure?

I ran this against core-image-minimal and nothing was printed out. Does
that mean its fine?

You may want to remove the ".py" from
python3-checksec.py-native_0.6.1.bb, its not needed.

If you run checksec manually against some binary e.g. ls.coreutils it outputs something like this:

https://pastebin.com/JkeN1h3k

Not sure what this should output.


-armin



Join yocto@lists.yoctoproject.org to automatically receive all group messages.