Lines 24-68
24 |
declare -i UNSAFE=0 |
24 |
declare -i UNSAFE=0 |
25 |
for i in $(find "${D}/" -type f -perm -2002); do |
25 |
for i in $(find "${D}/" -type f -perm -2002); do |
26 |
((UNSAFE++)) |
26 |
((UNSAFE++)) |
27 |
echo "UNSAFE SetGID: $i" |
27 |
eecho "UNSAFE SetGID: $i" |
28 |
chmod -s,o-w "$i" |
28 |
chmod -s,o-w "$i" |
29 |
done |
29 |
done |
30 |
for i in $(find "${D}/" -type f -perm -4002); do |
30 |
for i in $(find "${D}/" -type f -perm -4002); do |
31 |
((UNSAFE++)) |
31 |
((UNSAFE++)) |
32 |
echo "UNSAFE SetUID: $i" |
32 |
eecho "UNSAFE SetUID: $i" |
33 |
chmod -s,o-w "$i" |
33 |
chmod -s,o-w "$i" |
34 |
done |
34 |
done |
35 |
|
35 |
|
36 |
# Now we look for all world writable files. |
36 |
# Now we look for all world writable files. |
37 |
for i in $(find "${D}/" -type f -perm -2); do |
37 |
for i in $(find "${D}/" -type f -perm -2); do |
38 |
echo -ne '\a' |
38 |
eecho -ne '\a' |
39 |
echo "QA Security Notice:" |
39 |
eecho "QA Security Notice:" |
40 |
echo "- ${i:${#D}:${#i}} will be a world writable file." |
40 |
eecho "- ${i:${#D}:${#i}} will be a world writable file." |
41 |
echo "- This may or may not be a security problem, most of the time it is one." |
41 |
eecho "- This may or may not be a security problem, most of the time it is one." |
42 |
echo "- Please double check that $PF really needs a world writeable bit and file bugs accordingly." |
42 |
eecho "- Please double check that $PF really needs a world writeable bit and file bugs accordingly." |
43 |
sleep 1 |
43 |
sleep 1 |
44 |
done |
44 |
done |
45 |
|
45 |
|
46 |
if type -p scanelf > /dev/null ; then |
46 |
if type -p scanelf > /dev/null ; then |
47 |
local qa_var insecure_rpath=0 |
47 |
local qa_var insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET} |
48 |
|
48 |
|
|
|
49 |
# display warnings when using stricter because we die afterwards |
50 |
if has stricter ${FEATURES}; then |
51 |
unset PORTAGE_QUIET |
52 |
fi |
53 |
|
49 |
# Make sure we disallow insecure RUNPATH/RPATH's |
54 |
# Make sure we disallow insecure RUNPATH/RPATH's |
50 |
# Don't want paths that point to the tree where the package was built |
55 |
# Don't want paths that point to the tree where the package was built |
51 |
# (older, broken libtools would do this). Also check for null paths |
56 |
# (older, broken libtools would do this). Also check for null paths |
52 |
# because the loader will search $PWD when it finds null paths. |
57 |
# because the loader will search $PWD when it finds null paths. |
53 |
f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )") |
58 |
f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )") |
54 |
if [[ -n ${f} ]] ; then |
59 |
if [[ -n ${f} ]] ; then |
55 |
echo -ne '\a\n' |
60 |
eecho -ne '\a\n' |
56 |
echo "QA Notice: the following files contain insecure RUNPATH's" |
61 |
eecho "QA Notice: the following files contain insecure RUNPATH's" |
57 |
echo " Please file a bug about this at http://bugs.gentoo.org/" |
62 |
eecho " Please file a bug about this at http://bugs.gentoo.org/" |
58 |
echo " with the maintaining herd of the package." |
63 |
eecho " with the maintaining herd of the package." |
59 |
echo " Summary: $CATEGORY/$PN: insecure RPATH ${f}" |
64 |
eecho " Summary: $CATEGORY/$PN: insecure RPATH ${f}" |
60 |
echo "${f}" |
65 |
eecho "${f}" |
61 |
echo -ne '\a\n' |
66 |
eecho -ne '\a\n' |
62 |
if has stricter ${FEATURES}; then |
67 |
if has stricter ${FEATURES}; then |
63 |
insecure_rpath=1 |
68 |
insecure_rpath=1 |
64 |
else |
69 |
else |
65 |
echo "Auto fixing rpaths for ${f}" |
70 |
eecho "Auto fixing rpaths for ${f}" |
66 |
TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null |
71 |
TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null |
67 |
fi |
72 |
fi |
68 |
fi |
73 |
fi |
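Review bot: The PORTAGE_QUIET save added at new line 47 (`tmp_quiet=${PORTAGE_QUIET}`) and its restore at new line 177 in the Lines 168-173 hunk (`PORTAGE_QUIET=${tmp_quiet}`) do not round-trip an unset variable: when PORTAGE_QUIET was never set, the block exits with it set to the empty string, so any later code that distinguishes unset from empty (`${PORTAGE_QUIET+x}`, `[[ -v ]]`) sees a different state than before the scan. Restoring with `if [[ -n ${tmp_quiet} ]]; then PORTAGE_QUIET=${tmp_quiet}; else unset PORTAGE_QUIET; fi` keeps both cases faithful. Note also that the `die` at new line 174 runs before the restore, which is fine only because die terminates the function; if that ever changes to a non-fatal path the restore is skipped. The new `eecho -ne '\a'` calls (new lines 38, 60, 66 and the later hunks) assume eecho forwards echo's option flags; the helper's definition is not in this diff, so that is worth confirming, since a wrapper that prints its arguments verbatim would emit `-ne` as text. The enclosing function starts before this hunk and ends after it.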
Lines 70-81
70 |
# Check for setid binaries but are not built with BIND_NOW |
75 |
# Check for setid binaries but are not built with BIND_NOW |
71 |
f=$(scanelf -qyRF '%b %p' "${D}") |
76 |
f=$(scanelf -qyRF '%b %p' "${D}") |
72 |
if [[ -n ${f} ]] ; then |
77 |
if [[ -n ${f} ]] ; then |
73 |
echo -ne '\a\n' |
78 |
eecho -ne '\a\n' |
74 |
echo "QA Notice: the following files are setXid, dyn linked, and using lazy bindings" |
79 |
eecho "QA Notice: the following files are setXid, dyn linked, and using lazy bindings" |
75 |
echo " This combination is generally discouraged. Try re-emerging the package:" |
80 |
eecho " This combination is generally discouraged. Try re-emerging the package:" |
76 |
echo " LDFLAGS='-Wl,-z,now' emerge ${PN}" |
81 |
eecho " LDFLAGS='-Wl,-z,now' emerge ${PN}" |
77 |
echo "${f}" |
82 |
eecho "${f}" |
78 |
echo -ne '\a\n' |
83 |
eecho -ne '\a\n' |
79 |
die_msg="${die_msg} setXid lazy bindings," |
84 |
die_msg="${die_msg} setXid lazy bindings," |
80 |
sleep 1 |
85 |
sleep 1 |
81 |
fi |
86 |
fi |
Lines 98-114
98 |
}') |
103 |
}') |
99 |
if [[ -n ${f} ]] ; then |
104 |
if [[ -n ${f} ]] ; then |
100 |
scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log |
105 |
scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log |
101 |
echo -ne '\a\n' |
106 |
eecho -ne '\a\n' |
102 |
echo "QA Notice: the following files contain runtime text relocations" |
107 |
eecho "QA Notice: the following files contain runtime text relocations" |
103 |
echo " Text relocations force the dynamic linker to perform extra" |
108 |
eecho " Text relocations force the dynamic linker to perform extra" |
104 |
echo " work at startup, waste system resources, and may pose a security" |
109 |
eecho " work at startup, waste system resources, and may pose a security" |
105 |
echo " risk. On some architectures, the code may not even function" |
110 |
eecho " risk. On some architectures, the code may not even function" |
106 |
echo " properly, if at all." |
111 |
eecho " properly, if at all." |
107 |
echo " For more information, see http://hardened.gentoo.org/pic-fix-guide.xml" |
112 |
eecho " For more information, see http://hardened.gentoo.org/pic-fix-guide.xml" |
108 |
echo " Please include this file in your report:" |
113 |
eecho " Please include this file in your report:" |
109 |
echo " ${T}/scanelf-textrel.log" |
114 |
eecho " ${T}/scanelf-textrel.log" |
110 |
echo "${f}" |
115 |
eecho "${f}" |
111 |
echo -ne '\a\n' |
116 |
eecho -ne '\a\n' |
112 |
die_msg="${die_msg} textrels," |
117 |
die_msg="${die_msg} textrels," |
113 |
sleep 1 |
118 |
sleep 1 |
114 |
fi |
119 |
fi |
Lines 146-161
146 |
if [[ -n ${f} ]] ; then |
151 |
if [[ -n ${f} ]] ; then |
147 |
# One more pass to help devs track down the source |
152 |
# One more pass to help devs track down the source |
148 |
scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log |
153 |
scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log |
149 |
echo -ne '\a\n' |
154 |
eecho -ne '\a\n' |
150 |
echo "QA Notice: the following files contain executable stacks" |
155 |
eecho "QA Notice: the following files contain executable stacks" |
151 |
echo " Files with executable stacks will not work properly (or at all!)" |
156 |
eecho " Files with executable stacks will not work properly (or at all!)" |
152 |
echo " on some architectures/operating systems. A bug should be filed" |
157 |
eecho " on some architectures/operating systems. A bug should be filed" |
153 |
echo " at http://bugs.gentoo.org/ to make sure the file is fixed." |
158 |
eecho " at http://bugs.gentoo.org/ to make sure the file is fixed." |
154 |
echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml" |
159 |
eecho " For more information, see http://hardened.gentoo.org/gnu-stack.xml" |
155 |
echo " Please include this file in your report:" |
160 |
eecho " Please include this file in your report:" |
156 |
echo " ${T}/scanelf-execstack.log" |
161 |
eecho " ${T}/scanelf-execstack.log" |
157 |
echo "${f}" |
162 |
eecho "${f}" |
158 |
echo -ne '\a\n' |
163 |
eecho -ne '\a\n' |
159 |
die_msg="${die_msg} execstacks" |
164 |
die_msg="${die_msg} execstacks" |
160 |
sleep 1 |
165 |
sleep 1 |
161 |
fi |
166 |
fi |
Lines 168-173
168 |
elif [[ ${die_msg} != "" ]] && has stricter ${FEATURES} && ! has stricter ${RESTRICT} ; then |
173 |
elif [[ ${die_msg} != "" ]] && has stricter ${FEATURES} && ! has stricter ${RESTRICT} ; then |
169 |
die "Aborting due to QA concerns: ${die_msg}" |
174 |
die "Aborting due to QA concerns: ${die_msg}" |
170 |
fi |
175 |
fi |
|
|
176 |
|
177 |
PORTAGE_QUIET=${tmp_quiet} |
171 |
fi |
178 |
fi |
172 |
|
179 |
|
173 |
if [[ ${UNSAFE} > 0 ]] ; then |
180 |
if [[ ${UNSAFE} > 0 ]] ; then |
Lines 295-317
295 |
# total suid control. |
302 |
# total suid control. |
296 |
if hasq suidctl $FEATURES; then |
303 |
if hasq suidctl $FEATURES; then |
297 |
sfconf=/etc/portage/suidctl.conf |
304 |
sfconf=/etc/portage/suidctl.conf |
298 |
echo ">>> Preforming suid scan in ${IMAGE}" |
305 |
eecho ">>> Preforming suid scan in ${IMAGE}" |
299 |
for i in $(find ${IMAGE}/ -type f \( -perm -4000 -o -perm -2000 \) ); do |
306 |
for i in $(find ${IMAGE}/ -type f \( -perm -4000 -o -perm -2000 \) ); do |
300 |
if [ -s "${sfconf}" ]; then |
307 |
if [ -s "${sfconf}" ]; then |
301 |
suid="$(grep ^${i/${IMAGE}/}$ ${sfconf})" |
308 |
suid="$(grep ^${i/${IMAGE}/}$ ${sfconf})" |
302 |
if [ "${suid}" = "${i/${IMAGE}/}" ]; then |
309 |
if [ "${suid}" = "${i/${IMAGE}/}" ]; then |
303 |
echo "- ${i/${IMAGE}/} is an approved suid file" |
310 |
eecho "- ${i/${IMAGE}/} is an approved suid file" |
304 |
else |
311 |
else |
305 |
echo ">>> Removing sbit on non registered ${i/${IMAGE}/}" |
312 |
eecho ">>> Removing sbit on non registered ${i/${IMAGE}/}" |
306 |
for x in 5 4 3 2 1 0; do echo -ne "\a"; sleep 0.25 ; done |
313 |
for x in 5 4 3 2 1 0; do echo -ne "\a"; sleep 0.25 ; done |
307 |
echo -ne "\a" |
314 |
eecho -ne "\a" |
308 |
chmod ugo-s "${i}" |
315 |
chmod ugo-s "${i}" |
309 |
grep ^#${i/${IMAGE}/}$ ${sfconf} > /dev/null || { |
316 |
grep ^#${i/${IMAGE}/}$ ${sfconf} > /dev/null || { |
310 |
# sandbox prevents us from writing directly |
317 |
# sandbox prevents us from writing directly |
311 |
# to files outside of the sandbox, but this |
318 |
# to files outside of the sandbox, but this |
312 |
# can easly be bypassed using the addwrite() function |
319 |
# can easly be bypassed using the addwrite() function |
313 |
addwrite "${sfconf}" |
320 |
addwrite "${sfconf}" |
314 |
echo ">>> Appending commented out entry to ${sfconf} for ${PF}" |
321 |
eecho ">>> Appending commented out entry to ${sfconf} for ${PF}" |
315 |
ls_ret=$(ls -ldh "${i}") |
322 |
ls_ret=$(ls -ldh "${i}") |
316 |
echo "## ${ls_ret%${IMAGE}*}${ls_ret#*${IMAGE}}" >> ${sfconf} |
323 |
echo "## ${ls_ret%${IMAGE}*}${ls_ret#*${IMAGE}}" >> ${sfconf} |
317 |
echo "#${i/${IMAGE}/}" >> ${sfconf} |
324 |
echo "#${i/${IMAGE}/}" >> ${sfconf} |
Lines 320-326
320 |
} |
327 |
} |
321 |
fi |
328 |
fi |
322 |
else |
329 |
else |
323 |
echo "suidctl feature set but you are lacking a ${sfconf}" |
330 |
eecho "suidctl feature set but you are lacking a ${sfconf}" |
324 |
fi |
331 |
fi |
325 |
done |
332 |
done |
326 |
fi |
333 |
fi |
Lines 336-342
336 |
# only attempt to label if setfiles is executable |
343 |
# only attempt to label if setfiles is executable |
337 |
# and 'context' is available on selinuxfs. |
344 |
# and 'context' is available on selinuxfs. |
338 |
if [ -f /selinux/context -a -x /usr/sbin/setfiles -a -x /usr/sbin/selinuxconfig ]; then |
345 |
if [ -f /selinux/context -a -x /usr/sbin/setfiles -a -x /usr/sbin/selinuxconfig ]; then |
339 |
echo ">>> Setting SELinux security labels" |
346 |
eecho ">>> Setting SELinux security labels" |
340 |
( |
347 |
( |
341 |
eval "$(/usr/sbin/selinuxconfig)" || \ |
348 |
eval "$(/usr/sbin/selinuxconfig)" || \ |
342 |
die "Failed to determine SELinux policy paths."; |
349 |
die "Failed to determine SELinux policy paths."; |
Lines 348-354
348 |
else |
355 |
else |
349 |
# nonfatal, since merging can happen outside a SE kernel |
356 |
# nonfatal, since merging can happen outside a SE kernel |
350 |
# like during a recovery situation |
357 |
# like during a recovery situation |
351 |
echo "!!! Unable to set SELinux security labels" |
358 |
eecho "!!! Unable to set SELinux security labels" |
352 |
fi |
359 |
fi |
353 |
fi |
360 |
fi |
354 |
} |
361 |
} |
Lines 368-374
368 |
fi |
375 |
fi |
369 |
mv -f "${pkg_tmp}" "${pkg_dest}" || die "Failed to move tbz2 to ${pkg_dest}" |
376 |
mv -f "${pkg_tmp}" "${pkg_dest}" || die "Failed to move tbz2 to ${pkg_dest}" |
370 |
ln -sf "../All/${PF}.tbz2" "${PKGDIR}/${CATEGORY}/${PF}.tbz2" || die "Failed to create symlink in ${PKGDIR}/${CATEGORY}" |
377 |
ln -sf "../All/${PF}.tbz2" "${PKGDIR}/${CATEGORY}/${PF}.tbz2" || die "Failed to create symlink in ${PKGDIR}/${CATEGORY}" |
371 |
echo ">>> Done." |
378 |
eecho ">>> Done." |
372 |
cd "${PORTAGE_BUILDDIR}" |
379 |
cd "${PORTAGE_BUILDDIR}" |
373 |
touch .packaged || die "Failed to 'touch .packaged' in ${PORTAGE_BUILDDIR}" |
380 |
touch .packaged || die "Failed to 'touch .packaged' in ${PORTAGE_BUILDDIR}" |
374 |
} |
381 |
} |