hardening: remember the answers to each item
AcceptedPublic
Actions

Authored by khorben_defora.org on Jul 31 2023, 5:46 PM.

Details

Reviewers

emaste
jrtc27
bapt

Summary

With this change, the settings for all 9 possible hardening options are remembered when re-entering this menu.

This is for PR #236410.

Test Plan

I have created a stand-alone copy of usr.sbin/bsdinstall, slightly modified in order to allow local testing without requiring a new installation image for every change.

$ git clone --branch khorben/hardening-questions https://github.com/khorben/bsdinstall.git
$ cd bsdinstall
$ less README.md
[...]
$ cat > test.sh << EOF
#!/bin/sh

BSDINSTALLDIR="\$PWD"
DESTDIR="\$BSDINSTALLDIR/destdir"
BSDINSTALL_DISTDIR="\$DESTDIR/usr/freebsd-dist"; export BSDINSTALL_DISTDIR
SRCDIR="/usr/src"

TMPDIR="\$(mktemp -d)"; export TMPDIR
for target in "\$@"; do
    BSDCFG_SHARE="\$SRCDIR/usr.sbin/bsdconfig/share" \
        BSDINSTALL_CHROOT="\$DESTDIR" \
        BSDINSTALL_CONFIGCURRENT="yes" \
        BSDINSTALL_SCRIPTS="\$BSDINSTALLDIR/scripts" \
        LOCAL_DISTRIBUTIONS="base.txz kernel.txz lib32.txz" \
        DISTRIBUTIONS="lib32-dbg.txz" \
        ./bsdinstall "\$target"
done
EOF
$ sh test.sh hardening hardening hardening hardening
[select any item, confirm, deselect any item, confirm, repeat]

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 52961
Build 49852: arc lint + arc unit

Event Timeline

khorben_defora.org created this revision.Jul 31 2023, 5:46 PM

Herald added a subscriber: imp. · View Herald TranscriptJul 31 2023, 5:46 PM

khorben_defora.org requested review of this revision.Jul 31 2023, 5:46 PM

khorben_defora.org edited the test plan for this revision. (Show Details)

Another improvement would be to add a "Cancel" button to this step, and keep the settings as they were before entering the dialog.

FYI: D40142

I do not know what the hesitation is there, but I know several people would prefer to see this menu disappear completely.

With this additional change, the previous settings for all 9 possible hardening options are restored when canceling this menu.

Herald added a subscriber: jrtc27. · View Herald TranscriptJul 31 2023, 6:19 PM

In D41250#939432, @mhorne wrote:

FYI: D40142

I do not know what the hesitation is there, but I know several people would prefer to see this menu disappear completely.

Thanks, I wasn't aware of this proposal. I can probably improve this patch some more, so that the default settings from the current installation are reflected.

Or let's just let this abomination of a menu finally die...

In D41250#939538, @jrtc27 wrote:

Or let's just let this abomination of a menu finally die...

What is so bad about it?

Phabricator tip, please generate patches with -U999999 to include full context -- see https://wiki.freebsd.org/Phabricator -- or use arc.

In D41250#939437, @khorben_defora.org wrote:

In D41250#939432, @mhorne wrote:

FYI: D40142

I do not know what the hesitation is there, but I know several people would prefer to see this menu disappear completely.

Thanks, I wasn't aware of this proposal. I can probably improve this patch some more, so that the default settings from the current installation are reflected.

This is more difficult to implement than I thought: at this stage of bsdinstall, the etc/rc.conf, etc/syslog.conf, etc/ttys, boot/loader.conf do not exist and will really be created by bsdinstall's "config" step. Therefore unless it is redesigned, the default settings should be hard-coded in bsdinstall anyway, regardless of their respective values in the base system.