From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 5/6] package/checksec: new package
Date: Fri, 10 Aug 2018 22:58:55 +0200
Message-ID: <20180810225855.4cb005dc@windsurf>
In-Reply-To: <20180711143113.11927-6-matthew.weber@rockwellcollins.com>

Matt, Paresh,

On Wed, 11 Jul 2018 09:31:12 -0500, Matt Weber wrote:
> From: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
>
> This patch added host-checksec package support. This tool
added -> adds
> diff --git a/package/checksec/0001-checksec-Fixed-issue-with-relative-path.patch b/package/checksec/0001-checksec-Fixed-issue-with-relative-path.patch
> new file mode 100644
> index 0000000000..43a882d991
> --- /dev/null
> +++ b/package/checksec/0001-checksec-Fixed-issue-with-relative-path.patch
> @@ -0,0 +1,43 @@
> +From b48a2dfae26fa3b4af8e65fb5953b3caf62c137b Mon Sep 17 00:00:00 2001
> +From: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
> +Date: Mon, 21 May 2018 14:34:23 -0500
> +Subject: [PATCH] checksec: Fixed issue with relative path
> +
> +Before this patch script was not able find exists directory when user pass
> +relative directory path with '--dir' or '-d' option and also we faced this error
> +when we execute script with relative path.

The English wording seems weird here, even though I'm not a native
speaker. Perhaps:

"""
Before this patch, the checksec script was not able to find existing
directories when the user passes a relative path with --dir/-d,
aborting with a "No such file or directory". The same error was
reported when the script is executed through a relative path.
"""

I'm sure Matt, as a native speaker, can come up with an even better
wording.

> diff --git a/package/checksec/Config.in.host b/package/checksec/Config.in.host
> new file mode 100644
> index 0000000000..7f86f46b50
> --- /dev/null
> +++ b/package/checksec/Config.in.host
> @@ -0,0 +1,16 @@
> +config BR2_PACKAGE_HOST_CHECKSEC
> + bool "host checksec"
> + help
> + This tool provides a shell script to check the
> + properties of the executables
> + (like PIE,RELRO,PaX,Canaries,ASLR,Fortify Source).
> +
> + https://github.com/slimm609/checksec.sh.git
> +
> + NOTE: This tool has a hard-coded path to the standard
> + libraries for some of the fortify test cases and
> + requires you to either test the local filesystem or be
> + in a chroot'd environment. The tool can still be used
> + against a folder of files but requires discretion of
> + which the tests may not report consistently vs
> + chroot/on-target.
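
Review bot: The upstream link in the help text,
"https://github.com/slimm609/checksec.sh.git", is the clone URL rather
than the project page; drop the ".git" suffix so the help points at the
page a user would open. In the same help text, the list
"(like PIE,RELRO,PaX,Canaries,ASLR,Fortify Source)" needs a space after
each comma.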

When I look at this and the comment from the maintainer at [0], I am
not sure about the usefulness of such a tool in the context of
Buildroot. Chrooting into the target filesystem is generally not
possible, because the target architecture is different than the build
system architecture. To me, this limitation makes the tool essentially
useless in the context of Buildroot. Could you comment on this a bit
more?

Also, the formulation "requires discretion of which the test may not
report consistently vs chroot/on-target" doesn't make any sense to me.

[0] https://github.com/slimm609/checksec.sh/issues/62#issuecomment-389880584

> diff --git a/package/checksec/checksec.hash b/package/checksec/checksec.hash
> new file mode 100644
> index 0000000000..e3d1ffd5d1
> --- /dev/null
> +++ b/package/checksec/checksec.hash
> @@ -0,0 +1,3 @@
> +# Locally calculated
> +sha256 510b0b0528f15d0bf13fa1ae7140d2b9fc9261323c98ff76c011bef475a69c14 checksec-cdefe53eb72e6e8f23308417d2fc6b68cba9dbac.tar.gz
> +sha256 c5e2a8e188040fc34eb9362084778a2e25f8d1f888e47a2be09efa7cecd9c70d LICENSE.txt
> diff --git a/package/checksec/checksec.mk b/package/checksec/checksec.mk
> new file mode 100644
> index 0000000000..31ceb43e21
> --- /dev/null
> +++ b/package/checksec/checksec.mk
> @@ -0,0 +1,16 @@
> +################################################################################
> +#
> +# checksec
> +#
> +################################################################################
> +
> +CHECKSEC_VERSION = cdefe53eb72e6e8f23308417d2fc6b68cba9dbac
> +CHECKSEC_SITE = $(call github,slimm609,checksec.sh,$(CHECKSEC_VERSION))
> +CHECKSEC_LICENSE = BSD-3-Clause
> +CHECKSEC_LICENSE_FILES = LICENSE.txt
> +
> +define HOST_CHECKSEC_INSTALL_CMDS
> + $(INSTALL) -D -m 0755 $(@D)/checksec $(HOST_DIR)/bin/
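
Review bot: On the $(INSTALL) line, the destination "$(HOST_DIR)/bin/"
names a directory, while -D creates the leading directories and treats
the last path component as the installed file's name; spell the target
out as "$(HOST_DIR)/bin/checksec" so the result does not depend on
whether bin/ already exists.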

There should be a full destination path here.

Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com