(-)pax-utils.eclass (-105 / +65 lines)
Lines 1-4 Link Here
1
# Copyright 1999-2012 Gentoo Foundation
1
# Copyright 1999-2011 Gentoo Foundation
2
# Distributed under the terms of the GNU General Public License v2
2
# Distributed under the terms of the GNU General Public License v2
3
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
3
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
4
4
Lines 8-32 Link Here
8
# @AUTHOR:
8
# @AUTHOR:
9
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
9
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
10
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
10
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
11
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
12
# @BLURB: functions to provide pax markings
11
# @BLURB: functions to provide pax markings
13
# @DESCRIPTION:
12
# @DESCRIPTION:
14
#
15
# This eclass provides support for manipulating PaX markings on ELF binaries,
13
# This eclass provides support for manipulating PaX markings on ELF binaries,
16
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
14
# wrapping the use of the paxctl and scanelf utilities.  It decides which to
17
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
15
# use depending on what is installed on the build host, preferring paxctl to
18
# deciding which to use depending on what's installed on the build host, and
16
# scanelf.  If paxctl is not installed, we fall back to scanelf since it is
19
# whether we're working with PT_PAX, XATTR_PAX or both.
17
# always present.  However, currently scanelf doesn't do all that paxctl can.
20
#
18
#
21
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
19
# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to
22
# to contain either "PT", "XT" or "none".  The default is to attempt both
20
# contain either "PT" or "none".  If PAX_MARKINGS is set to "PT", and the
23
# PT_PAX and XATTR_PAX.
21
# necessary utility is installed, the PT_PAX_FLAGS markings will be made.  If
22
# PAX_MARKINGS is set to "none", no markings will be made.
24
23
25
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
24
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
26
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
25
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
27
26
28
# Default to PT markings.
27
# Default to PT markings.
29
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
28
PAX_MARKINGS=${PAX_MARKINGS:="PT"}
30
29
31
# @FUNCTION: pax-mark
30
# @FUNCTION: pax-mark
32
# @USAGE: <flags> {<ELF files>}
31
# @USAGE: <flags> {<ELF files>}
Lines 34-40 Link Here
34
# @DESCRIPTION:
33
# @DESCRIPTION:
35
# Marks <ELF files> with provided PaX <flags>
34
# Marks <ELF files> with provided PaX <flags>
36
#
35
#
37
# Flags are passed directly to the utilities unchanged
36
# Flags are passed directly to the utilities unchanged.  Possible flags at the
37
# time of writing, taken from /sbin/paxctl, are:
38
#
38
#
39
#	p: disable PAGEEXEC		P: enable PAGEEXEC
39
#	p: disable PAGEEXEC		P: enable PAGEEXEC
40
#	e: disable EMUTRMAP		E: enable EMUTRMAP
40
#	e: disable EMUTRMAP		E: enable EMUTRMAP
Lines 44-150 Link Here
44
#
44
#
45
# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
45
# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
46
# to http://pax.grsecurity.net/ for details on what these flags are all about.
46
# to http://pax.grsecurity.net/ for details on what these flags are all about.
47
# Do not use the obsolete flag 'x'/'X' which has been deprecated.
47
#
48
#
48
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
49
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
49
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
50
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
50
# the bug report.
51
# the bug report.
51
52
pax-mark() {
52
pax-mark() {
53
53
	local f flags fail=0 failures="" zero_load_alignment
54
	local f								# loop over paxables
54
	# Ignore '-' characters - in particular so that it doesn't matter if
55
	local flags							# pax flags
55
	# the caller prefixes with -
56
	local pt_fail=0 pt_failures=""		# record PT_PAX failures
57
	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
58
	local ret=0							# overal return code of this function
59
60
	# You can call pax-mark with/out leading '-' on flags
61
	flags=${1//-}
56
	flags=${1//-}
62
	shift
57
	shift
63
58
	# Try paxctl, then scanelf.  paxctl is preferred.
64
	if has PT ${PAX_MARKINGS}; then
59
	if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
65
60
		# Try paxctl, the upstream supported tool.
66
		#First try paxctl-ng
61
		einfo "PT PaX marking -${flags}"
67
		if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
62
		_pax_list_files einfo "$@"
68
			einfo "PT PaX marking -${flags}"
63
		for f in "$@"; do
69
			_pax_list_files einfo "$@"
64
			# First, try modifying the existing PAX_FLAGS header
70
			for f in "$@"; do
65
			paxctl -q${flags} "${f}" && continue
71
				paxctl-ng -L -${flags} "${f}" && continue
66
			# Second, try stealing the (unused under PaX) PT_GNU_STACK header
72
				pt_fail=1
67
			paxctl -qc${flags} "${f}" && continue
73
				pt_failures="${pt_failures} ${f}"
68
			# Third, try pulling the base down a page, to create space and
74
			done
69
			# insert a PT_GNU_STACK header (works on ET_EXEC)
75
70
			paxctl -qC${flags} "${f}" && continue
76
		#Next try paxctl
71
			#
77
		elif type -p paxctl > /dev/null; then
72
			# prelink is masked on hardened so we wont use this method.
78
			einfo "PT PaX marking -${flags}"
73
			# We're working on a new utiity to try to do the same safely. See
79
			_pax_list_files einfo "$@"
74
			# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
80
			for f in "$@"; do
75
			#
81
				# First, try modifying the existing PAX_FLAGS header
76
			# Fourth - check if it loads to 0 (probably an ET_DYN) and if so,
82
				paxctl -q${flags} "${f}" && continue
77
			# try rebasing with prelink first to give paxctl some space to
83
				# Second, try stealing the (unused under PaX) PT_GNU_STACK header
78
			# grow downwards into.
84
				paxctl -qc${flags} "${f}" && continue
79
			#if type -p objdump > /dev/null && type -p prelink > /dev/null; then
85
				# Third, creating a PT_PAX header (works on ET_EXEC)
80
			#	zero_load_alignment=$(objdump -p "${f}" | \
86
				paxctl -qC${flags} "${f}" && continue
81
			#		grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \
87
				pt_fail=1
82
			#		sed -e 's/.*align\(.*\)/\1/')
88
				pt_failures="${pt_failures} ${f}"
83
			#	if [[ ${zero_load_alignment} != "" ]]; then
89
			done
84
			#		prelink -r $(( 2*(${zero_load_alignment}) )) &&
90
85
			#		paxctl -qC${flags} "${f}" && continue
91
		#Finally fall back on scanelf
86
			#	fi
92
		elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
87
			#fi
93
			einfo "Fallback PaX marking -${flags}"
88
			fail=1
94
			_pax_list_files einfo "$@"
89
			failures="${failures} ${f}"
95
			scanelf -Xxz ${flags} "$@"
90
		done
96
91
	elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
97
		#We failed to set PT_PAX flags
92
		# Try scanelf, the Gentoo swiss-army knife ELF utility
98
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
93
		# Currently this sets PT if it can, no option to control what it does.
99
			pt_failures="$*"
94
		einfo "Fallback PaX marking -${flags}"
100
			pt_fail=1
95
		_pax_list_files einfo "$@"
101
		fi
96
		scanelf -Xxz ${flags} "$@"
102
97
	elif [[ ${PAX_MARKINGS} != "none" ]]; then
103
		if [[ ${pt_fail} == 1 ]]; then
98
		# Out of options!
104
			ewarn "Failed to set XT_PAX markings -${flags} for:"
99
		failures="$*"
105
			_pax_list_files ewarn ${pt_failures}
100
		fail=1
106
			ret=1
107
		fi
108
	fi
101
	fi
109
102
	if [[ ${fail} == 1 ]]; then
110
	if has XT ${PAX_MARKINGS}; then
103
		ewarn "Failed to set PaX markings -${flags} for:"
111
104
		_pax_list_files ewarn ${failures}
112
		#First try paxctl-ng
105
		ewarn "Executables may be killed by PaX kernels."
113
		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
114
			einfo "XT PaX marking -${flags}"
115
			_pax_list_files einfo "$@"
116
			for f in "$@"; do
117
				paxctl-ng -l -${flags} "${f}" && continue
118
				xt_fail=1
119
				xt_failures="${tx_failures} ${f}"
120
			done
121
122
		#Next try setfattr
123
		elif type -p setfattr > /dev/null; then
124
			einfo "XT PaX marking -${flags}"
125
			_pax_list_files einfo "$@"
126
			for f in "$@"; do
127
				setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
128
				xt_fail=1
129
				xt_failures="${tx_failures} ${f}"
130
			done
131
132
		#We failed to set PT_PAX flags
133
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
134
			pt_failures="$*"
135
			pt_fail=1
136
		fi
137
138
		if [[ ${xt_fail} == 1 ]]; then
139
			ewarn "Failed to set XT_PAX markings -${flags} for:"
140
			_pax_list_files ewarn ${xt_failures}
141
			ret=1
142
		fi
143
	fi
106
	fi
144
107
	return ${fail}
145
	[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels."
146
147
	return ${ret}
148
}
108
}
149
109
150
# @FUNCTION: list-paxables
110
# @FUNCTION: list-paxables
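Review bot: In the new XT_PAX block the failure list is never accumulated: both `xt_failures="${tx_failures} ${f}"` lines (in the paxctl-ng loop and the setfattr loop) read the misspelled `tx_failures`, so the warning lists only the last file that failed. The last fallback of that block records its failure into `pt_failures`/`pt_fail`, but the `if [[ ${pt_fail} == 1 ]]` check has already run earlier in the function, so when neither paxctl-ng nor setfattr is present the XT failure produces no warning and `ret` stays 0 (the branch condition `[[ ${PAX_MARKINGS} != "none" ]]` is also always true there, since it is nested under `has XT ${PAX_MARKINGS}`). The PT block's warning text reads `Failed to set XT_PAX markings` where PT_PAX is meant, which will mislead whoever reads the build log for a binary a PaX kernel later refuses. The corrected lines are below; the rest of pax-mark is unchanged.
```shell
# … unchanged: PT_PAX marking via paxctl-ng / paxctl / scanelf …
		if [[ ${pt_fail} == 1 ]]; then
			ewarn "Failed to set PT_PAX markings -${flags} for:"
# … unchanged: XT_PAX paxctl-ng -l loop …
				xt_failures="${xt_failures} ${f}"
# … unchanged: XT_PAX setfattr loop, same accumulation fix …
		#We failed to set XT_PAX flags
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
			xt_failures="$*"
			xt_fail=1
		fi
# … unchanged: xt_fail warning, final ewarn and return …
```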
