Lines 1-4
Link Here
|
1 |
# Copyright 1999-2012 Gentoo Foundation |
1 |
# Copyright 1999-2011 Gentoo Foundation |
2 |
# Distributed under the terms of the GNU General Public License v2 |
2 |
# Distributed under the terms of the GNU General Public License v2 |
3 |
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ |
3 |
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ |
4 |
|
4 |
|
Lines 8-32
Link Here
|
8 |
# @AUTHOR: |
8 |
# @AUTHOR: |
9 |
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org> |
9 |
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org> |
10 |
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> |
10 |
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> |
11 |
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org> |
|
|
12 |
# @BLURB: functions to provide pax markings |
11 |
# @BLURB: functions to provide pax markings |
13 |
# @DESCRIPTION: |
12 |
# @DESCRIPTION: |
14 |
# |
|
|
15 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
13 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
16 |
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX. |
14 |
# wrapping the use of the paxctl and scanelf utilities. It decides which to |
17 |
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities, |
15 |
# use depending on what is installed on the build host, preferring paxctl to |
18 |
# deciding which to use depending on what's installed on the build host, and |
16 |
# scanelf. If paxctl is not installed, we fall back to scanelf since it is |
19 |
# whether we're working with PT_PAX, XATTR_PAX or both. |
17 |
# always present. However, currently scanelf doesn't do all that paxctl can. |
20 |
# |
18 |
# |
21 |
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf |
19 |
# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to |
22 |
# to contain either "PT", "XT" or "none". The default is to attempt both |
20 |
# contain either "PT" or "none". If PAX_MARKINGS is set to "PT", and the |
23 |
# PT_PAX and XATTR_PAX. |
21 |
# necessary utility is installed, the PT_PAX_FLAGS markings will be made. If |
|
|
22 |
# PAX_MARKINGS is set to "none", no markings will be made. |
24 |
|
23 |
|
25 |
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then |
24 |
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then |
26 |
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" |
25 |
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" |
27 |
|
26 |
|
28 |
# Default to PT markings. |
27 |
# Default to PT markings. |
29 |
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"} |
28 |
PAX_MARKINGS=${PAX_MARKINGS:="PT"} |
30 |
|
29 |
|
31 |
# @FUNCTION: pax-mark |
30 |
# @FUNCTION: pax-mark |
32 |
# @USAGE: <flags> {<ELF files>} |
31 |
# @USAGE: <flags> {<ELF files>} |
Lines 34-40
Link Here
|
34 |
# @DESCRIPTION: |
33 |
# @DESCRIPTION: |
35 |
# Marks <ELF files> with provided PaX <flags> |
34 |
# Marks <ELF files> with provided PaX <flags> |
36 |
# |
35 |
# |
37 |
# Flags are passed directly to the utilities unchanged |
36 |
# Flags are passed directly to the utilities unchanged. Possible flags at the |
|
|
37 |
# time of writing, taken from /sbin/paxctl, are: |
38 |
# |
38 |
# |
39 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
39 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
40 |
# e: disable EMUTRMAP E: enable EMUTRMAP |
40 |
# e: disable EMUTRMAP E: enable EMUTRMAP |
Lines 44-150
Link Here
|
44 |
# |
44 |
# |
45 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
45 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
46 |
# to http://pax.grsecurity.net/ for details on what these flags are all about. |
46 |
# to http://pax.grsecurity.net/ for details on what these flags are all about. |
|
|
47 |
# Do not use the obsolete flag 'x'/'X' which has been deprecated. |
47 |
# |
48 |
# |
48 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
49 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
49 |
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on |
50 |
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on |
50 |
# the bug report. |
51 |
# the bug report. |
51 |
|
|
|
52 |
pax-mark() { |
52 |
pax-mark() { |
53 |
|
53 |
local f flags fail=0 failures="" zero_load_alignment |
54 |
local f # loop over paxables |
54 |
# Ignore '-' characters - in particular so that it doesn't matter if |
55 |
local flags # pax flags |
55 |
# the caller prefixes with - |
56 |
local pt_fail=0 pt_failures="" # record PT_PAX failures |
|
|
57 |
local xt_fail=0 xt_failures="" # record xattr PAX marking failures |
58 |
local ret=0 # overal return code of this function |
59 |
|
60 |
# You can call pax-mark with/out leading '-' on flags |
61 |
flags=${1//-} |
56 |
flags=${1//-} |
62 |
shift |
57 |
shift |
63 |
|
58 |
# Try paxctl, then scanelf. paxctl is preferred. |
64 |
if has PT ${PAX_MARKINGS}; then |
59 |
if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then |
65 |
|
60 |
# Try paxctl, the upstream supported tool. |
66 |
#First try paxctl-ng |
61 |
einfo "PT PaX marking -${flags}" |
67 |
if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then |
62 |
_pax_list_files einfo "$@" |
68 |
einfo "PT PaX marking -${flags}" |
63 |
for f in "$@"; do |
69 |
_pax_list_files einfo "$@" |
64 |
# First, try modifying the existing PAX_FLAGS header |
70 |
for f in "$@"; do |
65 |
paxctl -q${flags} "${f}" && continue |
71 |
paxctl-ng -L -${flags} "${f}" && continue |
66 |
# Second, try stealing the (unused under PaX) PT_GNU_STACK header |
72 |
pt_fail=1 |
67 |
paxctl -qc${flags} "${f}" && continue |
73 |
pt_failures="${pt_failures} ${f}" |
68 |
# Third, try pulling the base down a page, to create space and |
74 |
done |
69 |
# insert a PT_GNU_STACK header (works on ET_EXEC) |
75 |
|
70 |
paxctl -qC${flags} "${f}" && continue |
76 |
#Next try paxctl |
71 |
# |
77 |
elif type -p paxctl > /dev/null; then |
72 |
# prelink is masked on hardened so we wont use this method. |
78 |
einfo "PT PaX marking -${flags}" |
73 |
# We're working on a new utiity to try to do the same safely. See |
79 |
_pax_list_files einfo "$@" |
74 |
# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary |
80 |
for f in "$@"; do |
75 |
# |
81 |
# First, try modifying the existing PAX_FLAGS header |
76 |
# Fourth - check if it loads to 0 (probably an ET_DYN) and if so, |
82 |
paxctl -q${flags} "${f}" && continue |
77 |
# try rebasing with prelink first to give paxctl some space to |
83 |
# Second, try stealing the (unused under PaX) PT_GNU_STACK header |
78 |
# grow downwards into. |
84 |
paxctl -qc${flags} "${f}" && continue |
79 |
#if type -p objdump > /dev/null && type -p prelink > /dev/null; then |
85 |
# Third, creating a PT_PAX header (works on ET_EXEC) |
80 |
# zero_load_alignment=$(objdump -p "${f}" | \ |
86 |
paxctl -qC${flags} "${f}" && continue |
81 |
# grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \ |
87 |
pt_fail=1 |
82 |
# sed -e 's/.*align\(.*\)/\1/') |
88 |
pt_failures="${pt_failures} ${f}" |
83 |
# if [[ ${zero_load_alignment} != "" ]]; then |
89 |
done |
84 |
# prelink -r $(( 2*(${zero_load_alignment}) )) && |
90 |
|
85 |
# paxctl -qC${flags} "${f}" && continue |
91 |
#Finally fall back on scanelf |
86 |
# fi |
92 |
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
87 |
#fi |
93 |
einfo "Fallback PaX marking -${flags}" |
88 |
fail=1 |
94 |
_pax_list_files einfo "$@" |
89 |
failures="${failures} ${f}" |
95 |
scanelf -Xxz ${flags} "$@" |
90 |
done |
96 |
|
91 |
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
97 |
#We failed to set PT_PAX flags |
92 |
# Try scanelf, the Gentoo swiss-army knife ELF utility |
98 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
93 |
# Currently this sets PT if it can, no option to control what it does. |
99 |
pt_failures="$*" |
94 |
einfo "Fallback PaX marking -${flags}" |
100 |
pt_fail=1 |
95 |
_pax_list_files einfo "$@" |
101 |
fi |
96 |
scanelf -Xxz ${flags} "$@" |
102 |
|
97 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
103 |
if [[ ${pt_fail} == 1 ]]; then |
98 |
# Out of options! |
104 |
ewarn "Failed to set XT_PAX markings -${flags} for:" |
99 |
failures="$*" |
105 |
_pax_list_files ewarn ${pt_failures} |
100 |
fail=1 |
106 |
ret=1 |
|
|
107 |
fi |
108 |
fi |
101 |
fi |
109 |
|
102 |
if [[ ${fail} == 1 ]]; then |
110 |
if has XT ${PAX_MARKINGS}; then |
103 |
ewarn "Failed to set PaX markings -${flags} for:" |
111 |
|
104 |
_pax_list_files ewarn ${failures} |
112 |
#First try paxctl-ng |
105 |
ewarn "Executables may be killed by PaX kernels." |
113 |
if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then |
|
|
114 |
einfo "XT PaX marking -${flags}" |
115 |
_pax_list_files einfo "$@" |
116 |
for f in "$@"; do |
117 |
paxctl-ng -l -${flags} "${f}" && continue |
118 |
xt_fail=1 |
119 |
xt_failures="${tx_failures} ${f}" |
120 |
done |
121 |
|
122 |
#Next try setfattr |
123 |
elif type -p setfattr > /dev/null; then |
124 |
einfo "XT PaX marking -${flags}" |
125 |
_pax_list_files einfo "$@" |
126 |
for f in "$@"; do |
127 |
setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue |
128 |
xt_fail=1 |
129 |
xt_failures="${tx_failures} ${f}" |
130 |
done |
131 |
|
132 |
#We failed to set PT_PAX flags |
133 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
134 |
pt_failures="$*" |
135 |
pt_fail=1 |
136 |
fi |
137 |
|
138 |
if [[ ${xt_fail} == 1 ]]; then |
139 |
ewarn "Failed to set XT_PAX markings -${flags} for:" |
140 |
_pax_list_files ewarn ${xt_failures} |
141 |
ret=1 |
142 |
fi |
143 |
fi |
106 |
fi |
144 |
|
107 |
return ${fail} |
145 |
[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels." |
|
|
146 |
|
147 |
return ${ret} |
148 |
} |
108 |
} |
149 |
|
109 |
|
150 |
# @FUNCTION: list-paxables |
110 |
# @FUNCTION: list-paxables |