[Rpm-maint] [rpm-software-management/rpm] [RFC] rpmbuild, check: verify file hashes (PR #3039)
```
During the %check target, no files that existed before are expected to be modified. This change adds a validation to the rpmbuild command, which will store file hashes, and compare them after compilation again.

Note: this is only a simple demonstrator that cannot handle large projects, and it is using a very simple hash function.
```

### Note

This is a demonstrator to steer discussions. A fully functional variant would likely use a dynamic container to store the hashes, handle errors better, and use a more sophisticated hash function. We are aware that there are ways around this validation and still modify build files from the %check phase.

This is one way to implement the requirement to have an immutable build root during rpmbuild's %check phase, as described in https://github.com/rpm-software-management/rpm/issues/3010

### Testing Done

I compiled the xz-utils package of Amazon Linux 2 in an Amazon Linux 2 container image with this change. We also tested a malicious RPM that modified its build files during `%check`.

You can view, comment on, or merge this pull request online at:

https://github.com/rpm-software-management/rpm/pull/3039

-- Commit Summary --

* rpmbuild,check: verify file hashes

-- File Changes --

M build/build.c (130)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3039.patch
https://github.com/rpm-software-management/rpm/pull/3039.diff

--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3039
You are receiving this because you are subscribed to this thread.

Message ID: rpm-software-management/rpm/pull/3...@github.com
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
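The mechanism the PR describes, and that the later replies in this thread discuss as an optional "hashing-like validation", is a snapshot-and-compare check: hash every file in the build tree before the phase runs, hash again afterwards, and report anything that differs. The following stand-alone Python script is an added illustration of that idea, not the PR's `build/build.c` code and not part of rpm. It assumes a plain directory as the build root and a Python callable standing in for the `%check` phase; it uses SHA-256 instead of the PR's deliberately simple hash, and reports modified, added and removed files separately. Like the PR, it only sees the tree it snapshots; it makes no claim about anything written elsewhere.

```python
"""Snapshot-and-compare integrity check around a '%check'-style phase.

Added illustration of the approach discussed in the thread; this is not
rpm's own code. The build root is an ordinary directory and the phase is
any Python callable that receives the root path.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a regular file, read in chunks.

    Symlinks are recorded by their target string rather than followed, so
    a retargeted link shows up as a modification and a link pointing
    outside the tree does not pull foreign content into the snapshot.
    """
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each file below root (path relative to root) to its digest."""
    root = Path(root)
    table = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, handy when diffing output
        for name in sorted(filenames):
            p = Path(dirpath) / name
            table[str(p.relative_to(root))] = _digest(p)
    return table


def compare(before: dict, after: dict) -> dict:
    """Classify every difference between two snapshots."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def run_guarded(root, phase) -> dict:
    """Snapshot, run the phase, snapshot again, and return the differences.

    An empty report means the phase left the tree exactly as it found it,
    which is the property the PR wants for %check.
    """
    before = snapshot(root)
    phase(Path(root))
    return compare(before, snapshot(root))


def demo() -> dict:
    """Constructed build tree plus two stand-in phases (not real packages)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "Makefile").write_text("all:\n\tcc src/main.c\n")
        (root / "config.h").write_text("#define VERSION 1\n")

        def read_only_phase(r: Path) -> None:
            # A well-behaved check only reads the tree.
            (r / "Makefile").read_text()

        def writing_phase(r: Path) -> None:
            # A phase that touches the tree in all three ways the report tracks.
            (r / "config.h").write_text("#define VERSION 2\n")
            (r / "src" / "extra.c").write_text("\n")
            (r / "Makefile").unlink()

        return {
            "read_only": run_guarded(root, read_only_phase),
            "writing": run_guarded(root, writing_phase),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        status = "clean" if not any(report.values()) else "MODIFIED"
        print(f"{name}: {status} {report}")
```

Hashing the whole tree twice is the I/O cost one reply mentions; the trade-off is that this needs no extra privileges or filesystem support, which is the portability argument made in the same reply. A real implementation would also want to decide how to treat file modes and timestamps, which this example ignores.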
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)
I understand the difference between %build and %check, as well as the problem that this could be worked around by future actors. I would still like to understand the potential as a building block for hardening. Do you see a path for a hashing-like validation in the %check phase that could be enabled by an additional run time parameter of the tool? This way, the feature is available to potential users, but not enabled by default?

--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3010#issuecomment-2063917625
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)
Yes, this approach will never be complete. Something like the proposed feature is only a building block. For the other stages, there could also be the requirement to not modify files that have been available already. IMHO, other attack vectors should be addressed with other tools.

What data would you need to be more willing to accept a PR that implements the requested idea? While the hashing approach might be more IO heavy, it seems like a portable solution. Furthermore, this approach does not require extra permissions for additional jailing.

--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3010#issuecomment-2065796737
Re: [Rpm-maint] [rpm-software-management/rpm] [RFC] rpmbuild, check: verify file hashes (PR #3039)
@nmanthey pushed 1 commit.

2c26ff0d2f023e24c65b57b1bc25256b5e8846e8 rpmbuild,check: verify file hashes

--
View it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3039/files/9c34a39a7716123e3ad2adf755db12f5db83dc98..2c26ff0d2f023e24c65b57b1bc25256b5e8846e8