Bug 175131 - pax-utils.eclass: list-paxables should only list ELF executables
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: The Gentoo Linux Hardened Team
 
Reported: 2007-04-18 18:54 UTC by Nicolas Litchinko
Modified: 2009-01-27 00:13 UTC



Attachments
patch to use the pax-utils.eclass (virtualbox-bin-1.3.8-ebuild-pax-utils.patch,969 bytes, patch)
2007-04-18 18:56 UTC, Nicolas Litchinko
list-paxables should only list ELF executables (pax-utils-eclass.patch,484 bytes, patch)
2007-04-18 18:58 UTC, Nicolas Litchinko

Description Nicolas Litchinko 2007-04-18 18:54:32 UTC
Binaries brought in by app-emulation/virtualbox-bin don't have a PT_PAX_FLAGS header. These binaries also require relaxed permissions in order to run properly when PaX is in use. 

The pax-utils eclass created by the hardened guys can address this issue easily.
Comment 1 Nicolas Litchinko 2007-04-18 18:56:38 UTC
Created attachment 116661 [details, diff]
patch to use the pax-utils.eclass

Note that this will generate a few warnings because list-paxables also lists ELF relocatables and shared objects.
Comment 2 Nicolas Litchinko 2007-04-18 18:58:11 UTC
Created attachment 116662 [details, diff]
list-paxables should only list ELF executables

This is a trivial patch to filter out ELF objects that are not ELF executables from the list of files returned by list-paxables.
Comment 3 Markus Ullmann (RETIRED) gentoo-dev 2007-04-21 08:11:53 UTC
virtualbox fixed now, forwarding bug to pax-utils maintainer
Comment 4 PaX Team 2007-04-24 10:22:35 UTC
Your pax-utils patch is not good, unfortunately, because it'd also ignore PIEs, which look like shared libs to 'file'.
Comment 5 Kevin F. Quinn (RETIRED) gentoo-dev 2007-04-24 18:21:24 UTC
Indeed.

I had assumed that all ELF files would have a PT header; obviously that's not the case for 'ELF relocatable's.  Are there any other ELF types that are not suitable?
Comment 6 PaX Team 2007-04-24 22:04:51 UTC
(In reply to comment #5)
> I had assumed that all ELF files would have a PT header; obviously that's not
> the case for 'ELF relocatable's.  Are there any other ELF types that are not
> suitable?

IIRC, ET_EXEC/ET_DYN and ET_CORE must have program headers, ET_REL must not. The PaX binutils patch will emit PT_PAX_FLAGS into both ET_EXEC and ET_DYN, regardless of what the target is (executable or library). This is because the method was based on GNU_STACK handling (which is emitted into both) and in part because I anticipated some future use of the PaX header in libs as well (nothing right now though). In any case, filtering out ET_REL should be good enough, I think.
Comment 7 Kevin F. Quinn (RETIRED) gentoo-dev 2008-02-04 21:56:51 UTC
Reassigning due to retirement
Comment 8 solar (RETIRED) gentoo-dev 2009-01-27 00:13:39 UTC
Looks like this code already handles ET_DYN/ET_EXEC files, and this bug could be closed.

Why there is the extra depend on "file+sed" I'm not sure.


# list-paxables {<files>}
list-paxables() {
        file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
}



# I would suggest ("$@" rather than "$*", so that several file arguments stay separate words):
scanelf -E ET_EXEC,ET_DYN -BF%F "$@"
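As an added example (not code from the eclass, from pax-utils, or from this bug's attachments), the check that comments 6 and 8 describe, done on constructed in-memory ELF images instead of with 'file' or scanelf: the e_type gate that `scanelf -E ET_EXEC,ET_DYN` applies (ET_DYN keeps PIEs, ET_REL drops out because it has no program headers) plus a scan of the program headers for an existing PT_PAX_FLAGS entry. The function names and the sample file set are my own; the numeric constants are the ELF/PaX ones.

```python
import struct

# e_type values from the ELF spec; PT_PAX_FLAGS = PT_LOOS + 0x5041580 from the PaX binutils patch
ET_REL, ET_EXEC, ET_DYN, ET_CORE = 1, 2, 3, 4
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580

def elf_type_and_phdrs(data):
    """Return (e_type, [p_type, ...]) for an ELF32/ELF64 image of either endianness, else None."""
    if data[:4] != b"\x7fELF":
        return None
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_type, = struct.unpack_from(end + "H", data, 16)
    if data[4] == 1:                             # EI_CLASS: ELFCLASS32 header layout
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:                                        # ELFCLASS64 header layout
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    # p_type is the first 32-bit word of a program header in both classes
    return e_type, [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
                    for i in range(e_phnum)]

def is_paxable(data):
    """The scanelf -E ET_EXEC,ET_DYN gate: ET_DYN covers PIEs as well as shared libraries."""
    info = elf_type_and_phdrs(data)
    return info is not None and info[0] in (ET_EXEC, ET_DYN)

def has_pax_flags(data):
    """True when a PT_PAX_FLAGS program header is already present."""
    info = elf_type_and_phdrs(data)
    return info is not None and PT_PAX_FLAGS in info[1]

def list_paxables(files):
    """Counterpart of list-paxables over {name: bytes}; non-ELF and ET_REL input drop out."""
    return [name for name, data in files.items() if is_paxable(data)]

def build_elf64(e_type, phdr_types):
    """Constructed minimal little-endian ELF64 image: header followed by program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, LSB, EV_CURRENT
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                      64, 56, len(phdr_types), 64, 0, 0)  # e_phoff=64, e_phentsize=56
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ident + hdr + phdrs

if __name__ == "__main__":
    sample = {"vbox": build_elf64(ET_EXEC, [PT_GNU_STACK, PT_PAX_FLAGS]), "crt.o": build_elf64(ET_REL, []),
              "libvbox.so": build_elf64(ET_DYN, [PT_GNU_STACK]), "README": b"not an ELF file"}
    print(list_paxables(sample))   # ['vbox', 'libvbox.so']
```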