|
|
} | } |
| |
checkconfig() { | checkconfig() { |
/sbin/chpax -v /sbin/chpax >/dev/null 2>&1 || return 1 |
if [ "x$CHPAX" = "x" ]; then |
|
CHPAX="/sbin/chpax /sbin/paxctl" |
|
fi |
|
# Find non-existant chpaxes |
|
REALCHPAX="" |
|
for i in $CHPAX; do |
|
REALCHPAX="$REALCHPAX`$i -v $i >/dev/null 2>&1 && echo \ $i`" |
|
done |
|
if [ "x$REALCHPAX" = "x" ]; then |
|
eerror "error: none of the specified chpax commands exist!" |
|
return 1 |
|
fi |
|
CHPAX="$REALCHPAX" |
} | } |
| |
chpax_flag() { | chpax_flag() { |
flag=$1 | flag=$1 |
fname=$2 | fname=$2 |
| |
if [ -w "$fname" ]; then |
if [ -w ${fname} ]; then |
#einfo "chpax $flags $fname" |
#einfo "-${flag} flagging ${fname}" |
/sbin/chpax -$flag ${fname} |
for i in $CHPAX; do |
[ $? != 0 ] && eerror "error: chpax -$flag ${fname}" |
#einfo " with $i" |
|
$i -$flag ${fname} |
|
[ $? != 0 ] && eerror "error: $i -$flag ${fname}" |
|
done |
fi | fi |
} | } |
| |
|
fix_exempts() { |
|
#need to do this for foo{,bar,baz} expressions to work. |
|
PAGEEXEC_EXEMPT=`eval echo $PAGEEXEC_EXEMPT` |
|
TRAMPOLINE_EXEMPT=`eval echo $TRAMPOLINE_EXEMPT` |
|
RANDMMAP_EXEMPT=`eval echo $RANDMMAP_EXEMPT` |
|
MPROTECT_EXEMPT=`eval echo $MPROTECT_EXEMPT` |
|
SEGMEXEC_EXEMPT=`eval echo $SEGMEXEC_EXEMPT` |
|
RANDEXEC_EXEMPT=`eval echo $RANDEXEC_EXEMPT` |
|
} |
|
|
start() { | start() { |
checkconfig || return 1 | checkconfig || return 1 |
| |
for p in $PAGEEXEC_EXEMPT; do chpax_flag p ${p} ;done |
fix_exempts |
|
|
|
ebegin "Setting PaX flags on binaries" |
for e in $TRAMPOLINE_EXEMPT; do chpax_flag e ${e} ;done | for e in $TRAMPOLINE_EXEMPT; do chpax_flag e ${e} ;done |
for r in $RANDMMAP_EXEMPT; do chpax_flag r ${r} ;done | for r in $RANDMMAP_EXEMPT; do chpax_flag r ${r} ;done |
for m in $MPROTECT_EXEMPT; do chpax_flag m ${m} ;done | for m in $MPROTECT_EXEMPT; do chpax_flag m ${m} ;done |
for s in $SEGMEXEC_EXEMPT; do chpax_flag s ${s} ;done |
for p in $PAGEEXEC_EXEMPT; do chpax_flag pem ${p} ;done |
|
for s in $SEGMEXEC_EXEMPT; do chpax_flag sem ${s} ;done |
for x in $RANDEXEC_EXEMPT; do chpax_flag x ${x} ;done | for x in $RANDEXEC_EXEMPT; do chpax_flag x ${x} ;done |
| |
|
eend |
return 0 | return 0 |
} | } |
| |
|
|
checkconfig || return 1 | checkconfig || return 1 |
| |
[ "$ZERO_FLAG_MASK" = "yes" ] || return 0 | [ "$ZERO_FLAG_MASK" = "yes" ] || return 0 |
|
fix_exempts |
einfo "chpax zero flag masking" | einfo "chpax zero flag masking" |
for p in $PAGEEXEC_EXEMPT; do chpax_flag z ${p} ;done |
for p in $PAGEEXEC_EXEMPT; do chpax_flag ze ${p} ;done |
for e in $TRAMPOLINE_EXEMPT; do chpax_flag z ${e} ;done |
for e in $TRAMPOLINE_EXEMPT; do chpax_flag ze ${e} ;done |
for r in $RANDMMAP_EXEMPT; do chpax_flag z ${r} ;done |
for r in $RANDMMAP_EXEMPT; do chpax_flag ze ${r} ;done |
for m in $MPROTECT_EXEMPT; do chpax_flag z ${m} ;done |
for m in $MPROTECT_EXEMPT; do chpax_flag ze ${m} ;done |
for s in $SEGMEXEC_EXEMPT; do chpax_flag z ${s} ;done |
for s in $SEGMEXEC_EXEMPT; do chpax_flag ze ${s} ;done |
for x in $RANDEXEC_EXEMPT; do chpax_flag z ${x} ;done |
for x in $RANDEXEC_EXEMPT; do chpax_flag ze ${x} ;done |
| |
return 0 | return 0 |
} | } |
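Review bot: `fix_exempts` runs every `*_EXEMPT` value through `eval echo`, so any command substitution, `;` or redirection in those variables is executed with the init script's privileges, not just the `foo{,bar,baz}` patterns the comment mentions. The page has lost its +/- markers, so this assumes the side containing `fix_exempts` is the new code and that the lists come from a sourced configuration file that is not shown here. At minimum the function should carry a comment such as `# eval executes these values as shell code: the conf file must be root-owned and not group/world-writable`. A stricter variant that refuses shell metacharacters before the eval is sketched below. Its callers, `start()` and the later function whose header is not visible on this page, would then need `fix_exempts || return 1`.

```shell
# Expand foo{,bar,baz} in one exempt list, refusing anything that eval
# would run as code instead of expanding as a path pattern.
expand_exempt() {
	case "$1" in
		*'$'*|*'`'*|*';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'('*|*')'*)
			eerror "error: shell metacharacters in exempt list: $1"
			return 1
			;;
	esac
	# unquoted on purpose: the list is whitespace-separated paths
	eval echo $1
}

fix_exempts() {
	#need to do this for foo{,bar,baz} expressions to work.
	PAGEEXEC_EXEMPT=`expand_exempt "$PAGEEXEC_EXEMPT"` || return 1
	TRAMPOLINE_EXEMPT=`expand_exempt "$TRAMPOLINE_EXEMPT"` || return 1
	RANDMMAP_EXEMPT=`expand_exempt "$RANDMMAP_EXEMPT"` || return 1
	MPROTECT_EXEMPT=`expand_exempt "$MPROTECT_EXEMPT"` || return 1
	SEGMEXEC_EXEMPT=`expand_exempt "$SEGMEXEC_EXEMPT"` || return 1
	RANDEXEC_EXEMPT=`expand_exempt "$RANDEXEC_EXEMPT"` || return 1
}
```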