Re: [cmake-developers] Security in CMake

2016-09-22 Thread Roman Wüger
Most of the functions could be overloaded. You could overload those functions, filter options out and pass the new options to the original function, which starts with an '_' underscore. Most of the CMake module files could also be overloaded. Hope it helps. Best regards, Roman > Am

Re: [cmake-developers] Security in CMake

2016-09-21 Thread Egor Pugin
Hi, For those who may be interested, I will leave this message here. The mentioned package (dependency) manager is C++ Archive Network. https://cppan.org/ It generates CMakeLists.txt from specification files. It manages packages' dependencies, versions, different OSs (it's cross-platform from very

Re: [cmake-developers] Security in CMake

2016-08-22 Thread Egor Pugin
Hi Chuck, > Is this intended to run on Linux? Yes. And thanks for pointing out SELinux. I'll add it to my checklist. --- The system is at a very early stage now, so its parts are changing rapidly and I'm able to consider different approaches to its subsystems (including security). But I

Re: [cmake-developers] Security in CMake

2016-08-22 Thread Chuck Atkins
Hi Egor, Is this intended to run on Linux? If so, I think you're FAR better off leveraging an existing security framework like SELinux, since it's actually designed from the ground up to enforce these types of controls. You could define a label that you place on the executables run by the

Re: [cmake-developers] Security in CMake

2016-08-22 Thread Daniel Pfeifer
Hi Egor, On Sat, Aug 20, 2016 at 1:48 PM, Egor Pugin wrote: > Hi, > > I'm working on a package manager based on cmake. Please rethink that approach. Your package manager should support CMake. It should not be based on it. Your design will be safer and more flexible.

Re: [cmake-developers] Security in CMake

2016-08-21 Thread Egor Pugin
> What is the attack you want to stop? What are bad scripts and commands in > this context? I wrote them in the first message. For example, - any cmake commands that use the COMMAND keyword (execute_process(COMMAND ...), add_custom_{command|target}(...) etc. This will deny any user scripts, programs

Re: [cmake-developers] Security in CMake

2016-08-21 Thread Tobias Hunger
Hi Egor, On 21.08.2016 at 12:34, "Egor Pugin" wrote: > > > What are the attack scenarios you want to defend against? What should not be possible in your system that currently is in CMake? > > At least downloading or executing bad scripts and commands. What is the attack you

Re: [cmake-developers] Security in CMake

2016-08-21 Thread Egor Pugin
> What are the attack scenarios you want to defend against? What should not be > possible in your system that currently is in CMake? At least downloading or executing bad scripts and commands. > That forces me to keep more state in my head when reading CMakeLists.txt > files. CMake files are

Re: [cmake-developers] Security in CMake

2016-08-20 Thread Roger Leigh
CMake is not and can never be a replacement for a package manager. They serve entirely different roles. While you can extend CMake to give it the ability to build and install all sorts of stuff, that does not make it a package manager. It's a convenient way to build a complex set of

Re: [cmake-developers] Security in CMake

2016-08-20 Thread Egor Pugin
Hi Tobias, You are right on many points. It's hard to really secure the system from build system/build artifacts/3rd party apps. But step by step it's possible to decrease the number of potential sources of vulnerabilities. The described cmake features would be very helpful for this. Right now I'm just

Re: [cmake-developers] Security in CMake

2016-08-20 Thread Tobias Hunger
Hi Egor, On 20.08.2016 at 13:48, "Egor Pugin" wrote: > > Hi, > > I'm working on a package manager based on cmake. > And some cmake instructions are downloaded with user packages. > I'd like to have an ability to deny some cmake features in such > external untrusted