[Buildroot] [PATCH 5/6] package/checksec: new package

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sat Aug 11 10:30:49 UTC 2018


Hello Matt,

On Fri, 10 Aug 2018 19:57:06 -0500, Matthew Weber wrote:

> > When I look at this and the comment from the maintainer at [0], I am
> > not sure about the usefulness of such a tool in the context of
> > Buildroot. Chrooting into the target filesystem is generally not
> > possible, because the target architecture is different than the build
> > system architecture. To me, this limitation makes the tool essentially
> > useless in the context of Buildroot. Could you comment on this a bit
> > more?
> 
> The tool tests a lot of items related to hardening and we were
> originally trying to get the full set working.  In reality we only
> needed the core items that show us ASLR related items.  The tool is
> made up of scripts and uses readelf for the ASLR piece.  Thus it works
> fine for a host (offline) target filesystem check of executable ASLR
> requirements.  However, I can add a note stating what doesn't work
> correctly.  There are test cases it has that use live proc information
> and the system libraries, etc.

Yes, something more specific than the vague explanation in the proposed
Config.in help text would be good.

> > Also, the formulation "requires discretion of which the test may not
> > report consistently vs chroot/on-target" doesn't make any sense to me.  
> 
> I can make a list so this is definitive.

OK, good.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
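
The offline check discussed in this thread works across architectures because it only reads ELF headers and never executes target code. The sketch below is an added example, not code from checksec or Buildroot: `classify_elf` and `sample` are hypothetical names, the sample images are constructed header-only files, and treating ET_DYN plus PT_INTERP as PIE is an assumed heuristic.

```python
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Classify an ELF image as 'no-pie', 'pie', 'dso', 'other' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    ei_class, ei_data = data[4], data[5]   # 1/2 = ELF32/ELF64, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return "not-elf"
    if ei_class == 2 and len(data) < 64:
        return "not-elf"
    end = "<" if ei_data == 1 else ">"     # target byte order, not the host's
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if e_type == ET_EXEC:
        return "no-pie"                    # fixed load address
    if e_type != ET_DYN:
        return "other"                     # relocatable object, core file, ...
    # Program header table fields sit at different offsets in ELF32 and ELF64.
    if ei_class == 1:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                          # truncated file: stop, do not guess
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "pie"                   # assumption: ET_DYN + interpreter = PIE
    return "dso"

def sample(bits, big_endian, e_type, p_types):
    """Build a constructed, header-only ELF image (not a real binary)."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([bits // 32, 2 if big_endian else 1, 1]) + bytes(9)
    n = len(p_types)
    if bits == 32:
        hdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, 0, 1, 0, 52, 0, 0, 52, 32, n, 0, 0, 0)
        pad = 28
    else:
        hdr = struct.pack(end + "HHIQQQIHHHHHH", e_type, 0, 1, 0, 64, 0, 0, 64, 56, n, 0, 0, 0)
        pad = 52
    return ident + hdr + b"".join(struct.pack(end + "I", t) + bytes(pad) for t in p_types)
```

A statically linked PIE has no PT_INTERP segment, so this heuristic reports it as "dso"; checks that depend on live /proc data or the running system's libraries cannot be reproduced this way at all.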


