Gentoo's Bugzilla – Attachment 334078 Details for Bug 431092: eclass/pax-utils.eclass: should set xattr based pax markings as well as elf phdr PT_PAX
[patch] Diff of proposed pax-utils.eclass to current version on the tree.
update-pax-utils-for-xattrs.patch (text/plain), 7.70 KB, created by Anthony Basile on 2013-01-02 18:10:58 UTC
Flags: patch, obsolete
>--- pax-utils.eclass 2013-01-02 13:00:24.000000000 -0500 >+++ /usr/portage/eclass/pax-utils.eclass 2012-04-06 14:31:13.000000000 -0400 >@@ -1,4 +1,4 @@ >-# Copyright 1999-2012 Gentoo Foundation >+# Copyright 1999-2011 Gentoo Foundation > # Distributed under the terms of the GNU General Public License v2 > # $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ 
> >@@ -8,25 +8,24 @@ > # @AUTHOR: > # Original Author: Kevin F. Quinn <kevquinn@gentoo.org> > # Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> >-# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org> > # @BLURB: functions to provide pax markings > # @DESCRIPTION: >-# > # This eclass provides support for manipulating PaX markings on ELF binaries, >-# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX. >-# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities, >-# deciding which to use depending on what's installed on the build host, and >-# whether we're working with PT_PAX, XATTR_PAX or both. >-# >-# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf >-# to contain either "PT", "XT" or "none". The default is to attempt both >-# PT_PAX and XATTR_PAX. >+# wrapping the use of the paxctl and scanelf utilities. It decides which to >+# use depending on what is installed on the build host, preferring paxctl to >+# scanelf. If paxctl is not installed, we fall back to scanelf since it is >+# always present. However, currently scanelf doesn't do all that paxctl can. >+# >+# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to >+# contain either "PT" or "none". If PAX_MARKINGS is set to "PT", and the >+# necessary utility is installed, the PT_PAX_FLAGS markings will be made. If >+# PAX_MARKINGS is set to "none", no markings will be made. > > if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then > ___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" > > # Default to PT markings. >-PAX_MARKINGS=${PAX_MARKINGS:="PT XT"} >+PAX_MARKINGS=${PAX_MARKINGS:="PT"} > > # @FUNCTION: pax-mark > # @USAGE: <flags> {<ELF files>} 
>@@ -34,7 +33,8 @@ > # @DESCRIPTION: > # Marks <ELF files> with provided PaX <flags> > # >-# Flags are passed directly to the utilities unchanged >+# Flags are passed directly to the utilities unchanged. Possible flags at the >+# time of writing, taken from /sbin/paxctl, are: > # > # p: disable PAGEEXEC P: enable PAGEEXEC > # e: disable EMUTRMAP E: enable EMUTRMAP 
>@@ -44,107 +44,67 @@ > # > # Default flags are 'PeMRS', which are the most restrictive settings. Refer > # to http://pax.grsecurity.net/ for details on what these flags are all about. >+# Do not use the obsolete flag 'x'/'X' which has been deprecated. > # > # Please confirm any relaxation of restrictions with the Gentoo Hardened team. > # Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on > # the bug report. >- > pax-mark() { >- >- local f # loop over paxables >- local flags # pax flags >- local pt_fail=0 pt_failures="" # record PT_PAX failures >- local xt_fail=0 xt_failures="" # record xattr PAX marking failures >- local ret=0 # overal return code of this function >- >- # You can call pax-mark with/out leading '-' on flags >+ local f flags fail=0 failures="" zero_load_alignment >+ # Ignore '-' characters - in particular so that it doesn't matter if >+ # the caller prefixes with - > flags=${1//-} > shift >- >- if has PT ${PAX_MARKINGS}; then >- >- #First try paxctl-ng >- if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then >- einfo "PT PaX marking -${flags}" >- _pax_list_files einfo "$@" >- for f in "$@"; do >- paxctl-ng -L -${flags} "${f}" && continue >- pt_fail=1 >- pt_failures="${pt_failures} ${f}" >- done >- >- #Next try paxctl >- elif type -p paxctl > /dev/null; then >- einfo "PT PaX marking -${flags}" >- _pax_list_files einfo "$@" >- for f in "$@"; do >- # First, try modifying the existing PAX_FLAGS header >- paxctl -q${flags} "${f}" && continue >- # Second, try stealing the (unused under PaX) PT_GNU_STACK header >- paxctl -qc${flags} "${f}" && continue >- # Third, creating a PT_PAX header (works on ET_EXEC) >- paxctl -qC${flags} "${f}" && continue >- pt_fail=1 >- pt_failures="${pt_failures} ${f}" >- done >- >- #Finally fall back on scanelf >- elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then >- einfo "Fallback PaX marking -${flags}" >- _pax_list_files einfo "$@" >- scanelf -Xxz ${flags} "$@" >- >- #We 
failed to set PT_PAX flags >- elif [[ ${PAX_MARKINGS} != "none" ]]; then >- pt_failures="$*" >- pt_fail=1 >- fi >- >- if [[ ${pt_fail} == 1 ]]; then >- ewarn "Failed to set XT_PAX markings -${flags} for:" >- _pax_list_files ewarn ${pt_failures} >- ret=1 >- fi >+ # Try paxctl, then scanelf. paxctl is preferred. >+ if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then >+ # Try paxctl, the upstream supported tool. >+ einfo "PT PaX marking -${flags}" >+ _pax_list_files einfo "$@" >+ for f in "$@"; do >+ # First, try modifying the existing PAX_FLAGS header >+ paxctl -q${flags} "${f}" && continue >+ # Second, try stealing the (unused under PaX) PT_GNU_STACK header >+ paxctl -qc${flags} "${f}" && continue >+ # Third, try pulling the base down a page, to create space and >+ # insert a PT_GNU_STACK header (works on ET_EXEC) >+ paxctl -qC${flags} "${f}" && continue >+ # >+ # prelink is masked on hardened so we wont use this method. >+ # We're working on a new utiity to try to do the same safely. See >+ # http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary >+ # >+ # Fourth - check if it loads to 0 (probably an ET_DYN) and if so, >+ # try rebasing with prelink first to give paxctl some space to >+ # grow downwards into. >+ #if type -p objdump > /dev/null && type -p prelink > /dev/null; then >+ # zero_load_alignment=$(objdump -p "${f}" | \ >+ # grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \ >+ # sed -e 's/.*align\(.*\)/\1/') >+ # if [[ ${zero_load_alignment} != "" ]]; then >+ # prelink -r $(( 2*(${zero_load_alignment}) )) && >+ # paxctl -qC${flags} "${f}" && continue >+ # fi >+ #fi >+ fail=1 >+ failures="${failures} ${f}" >+ done >+ elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then >+ # Try scanelf, the Gentoo swiss-army knife ELF utility >+ # Currently this sets PT if it can, no option to control what it does. 
>+ einfo "Fallback PaX marking -${flags}" >+ _pax_list_files einfo "$@" >+ scanelf -Xxz ${flags} "$@" >+ elif [[ ${PAX_MARKINGS} != "none" ]]; then >+ # Out of options! >+ failures="$*" >+ fail=1 > fi >- >- if has XT ${PAX_MARKINGS}; then >- >- #First try paxctl-ng >- if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then >- einfo "XT PaX marking -${flags}" >- _pax_list_files einfo "$@" >- for f in "$@"; do >- paxctl-ng -l -${flags} "${f}" && continue >- xt_fail=1 >- xt_failures="${tx_failures} ${f}" >- done >- >- #Next try setfattr >- elif type -p setfattr > /dev/null; then >- einfo "XT PaX marking -${flags}" >- _pax_list_files einfo "$@" >- for f in "$@"; do >- setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue >- xt_fail=1 >- xt_failures="${tx_failures} ${f}" >- done >- >- #We failed to set PT_PAX flags >- elif [[ ${PAX_MARKINGS} != "none" ]]; then >- pt_failures="$*" >- pt_fail=1 >- fi >- >- if [[ ${xt_fail} == 1 ]]; then >- ewarn "Failed to set XT_PAX markings -${flags} for:" >- _pax_list_files ewarn ${xt_failures} >- ret=1 >- fi >+ if [[ ${fail} == 1 ]]; then >+ ewarn "Failed to set PaX markings -${flags} for:" >+ _pax_list_files ewarn ${failures} >+ ewarn "Executables may be killed by PaX kernels." > fi >- >- [[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels." >- >- return ${ret} >+ return ${fail} > } > > # @FUNCTION: list-paxables
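Review bot: the file header of the first hunk shows the diff was generated in reverse: `--- pax-utils.eclass 2013-01-02 13:00:24.000000000 -0500` is the proposed file and `+++ /usr/portage/eclass/pax-utils.eclass 2012-04-06 14:31:13.000000000 -0400` is the tree copy, so the proposed changes appear as `-` lines (the `-# Copyright 1999-2012 Gentoo Foundation` / `+# Copyright 1999-2011 Gentoo Foundation` pair and the removed `# Modifications for bug #431092` line confirm it). Regenerate it as `diff -u /usr/portage/eclass/pax-utils.eclass pax-utils.eclass` (old first, new second) so it applies with a plain `patch` instead of needing `-R`. The remaining comments read the `-` lines as the proposed version.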
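Review bot: the @DESCRIPTION in the second hunk names the wrapped tools as "paxctl-ng, paxctl, set/getattr and scanelf", but the utilities the function body calls are `setfattr` (and, by implication, `getfattr`), so write them out. The same paragraph tells users to set PAX_MARKINGS to 'either "PT", "XT" or "none"' while the new default below it is `PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}` and the code tests the variable with `has`; state that it is a space-separated list and that "PT XT" requests both kinds of marking, otherwise a reader cannot tell how to ask for the default behaviour explicitly.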
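Review bot: in the third hunk, dropping "Possible flags at the time of writing, taken from /sbin/paxctl, are:" leaves the flag table (`p: disable PAGEEXEC P: enable PAGEEXEC` and the lines that follow) hanging under "Flags are passed directly to the utilities unchanged" with no lead sentence. Keep a one-line introduction; since the proposed code passes the same letters to paxctl-ng and writes them verbatim into the `user.pax.flags` xattr with setfattr, it can say the letters are common to all the tools rather than attribute them to /sbin/paxctl.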
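Review bot: the XATTR branch of `pax-mark()` in the last hunk does not report its failures correctly. Both the `paxctl-ng -l` and the `setfattr` loops append with `xt_failures="${tx_failures} ${f}"`, so the misspelled `tx_failures` is always empty and only the last failing file is ever listed; and the branch's final `elif [[ ${PAX_MARKINGS} != "none" ]]` sets `pt_failures="$*"` and `pt_fail=1` under the copied comment `#We failed to set PT_PAX flags`, so when neither paxctl-ng nor setfattr is installed `xt_fail` stays 0, the `if [[ ${xt_fail} == 1 ]]` block is skipped, and because the `pt_fail` check already ran in the PT branch the function returns 0 with no warning at all. Rename those to `xt_failures` and `xt_fail`. In the PT branch the message `ewarn "Failed to set XT_PAX markings -${flags} for:"` should read PT_PAX. Smaller points: the `[[ ${PAX_MARKINGS} != "none" ]]` tests inside `has PT`/`has XT` are redundant; the scanelf fallback never sets `pt_fail` when `scanelf -Xxz` fails, unlike every other path; and `# overal return code` is misspelled.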