* Re: [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions
[not found] ` <4aa7aca3-2de1-8cc4-123b-f0f4e44ccfb2@gmail.com>
@ 2021-08-30 16:26 ` Marta Rybczynska
0 siblings, 0 replies; 2+ messages in thread
From: Marta Rybczynska @ 2021-08-30 16:26 UTC (permalink / raw)
To: akuster808, yocto; +Cc: Marta Rybczynska
[-- Attachment #1: Type: text/plain, Size: 1210 bytes --]
(correcting the wrong list address)
On Fri, Aug 27, 2021 at 6:07 AM akuster808 <akuster808@gmail.com> wrote:
> Marta,
>
> On 8/24/21 11:05 PM, Marta Rybczynska wrote:
> > Compilers and related utils are better restricted on production
> platforms.
> > Change permissions of all installed binutils tools to remove access from
> > users outside of the root group.
> >
> > This also demonstrates how to restrict file permissions in a hardened
> > distribution.
>
> Have you looked into FILESYSTEM_PERMS_TABLES? An example of the format
> can be found @ /meta/files/fs-perms.txt
>
> For more info see
> https://www.yoctoproject.org/docs/3.1/ref-manual/ref-manual.html
>
> Maybe having something like fs-perms.txt in meta-hardening may achieve
> the same?
>
>
It looks like a possibility, I will give it a try. I have a question about
the future,
however. Currently meta-hardening is defining its own distribution. When
hardening
will be in DISTRO_FEATURES (you were working on it some time ago
https://patchwork.openembedded.org/patch/174773/),
it would be less obvious to use, wouldn't it?
A bonus question, do you still plan to make it in DISTRO_FEATURES?
Regards,
Marta
[-- Attachment #2: Type: text/html, Size: 1852 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions
@ 2021-08-25 6:15 Marta Rybczynska
0 siblings, 0 replies; 2+ messages in thread
From: Marta Rybczynska @ 2021-08-25 6:15 UTC (permalink / raw)
To: yocto, akuster808; +Cc: Marta Rybczynska, Marta Rybczynska
Compilers and related utils are better restricted on production platforms.
Change permissions of all installed binutils tools to remove access from
users outside of the root group.
This also demonstrates how to restrict file permissions in a hardened
distribution.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
meta-hardening/recipes-devtools/binutils/binutils_%.bbappend | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 meta-hardening/recipes-devtools/binutils/binutils_%.bbappend
diff --git a/meta-hardening/recipes-devtools/binutils/binutils_%.bbappend b/meta-hardening/recipes-devtools/binutils/binutils_%.bbappend
new file mode 100644
index 0000000..3eb3ad0
--- /dev/null
+++ b/meta-hardening/recipes-devtools/binutils/binutils_%.bbappend
@@ -0,0 +1,3 @@
+do_install_append_class-target () {
+ chmod o-rx ${D}${prefix}/${TARGET_SYS}/bin/*
+}
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-30 16:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20210825060532.8379-1-rybczynska@gmail.com>
[not found] ` <4aa7aca3-2de1-8cc4-123b-f0f4e44ccfb2@gmail.com>
2021-08-30 16:26 ` [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions Marta Rybczynska
2021-08-25 6:15 Marta Rybczynska
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.