Lines 1-4
Link Here
|
1 |
# Copyright 1999-2011 Gentoo Foundation |
1 |
# Copyright 1999-2012 Gentoo Foundation |
2 |
# Distributed under the terms of the GNU General Public License v2 |
2 |
# Distributed under the terms of the GNU General Public License v2 |
3 |
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ |
3 |
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ |
4 |
|
4 |
|
Lines 8-31
Link Here
|
8 |
# @AUTHOR: |
8 |
# @AUTHOR: |
9 |
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org> |
9 |
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org> |
10 |
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> |
10 |
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> |
|
|
11 |
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org> |
11 |
# @BLURB: functions to provide pax markings |
12 |
# @BLURB: functions to provide pax markings |
12 |
# @DESCRIPTION: |
13 |
# @DESCRIPTION: |
|
|
14 |
# |
13 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
15 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
14 |
# wrapping the use of the paxctl and scanelf utilities. It decides which to |
16 |
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX. |
15 |
# use depending on what is installed on the build host, preferring paxctl to |
17 |
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities, |
16 |
# scanelf. If paxctl is not installed, we fall back to scanelf since it is |
18 |
# deciding which to use depending on what's installed on the build host, and |
17 |
# always present. However, currently scanelf doesn't do all that paxctl can. |
19 |
# whether we're working with PT_PAX, XATTR_PAX or both. |
18 |
# |
20 |
# |
19 |
# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to |
21 |
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf |
20 |
# contain either "PT" or "none". If PAX_MARKINGS is set to "PT", and the |
22 |
# to contain either "PT", "XT" or "none". The default is to attempt both |
21 |
# necessary utility is installed, the PT_PAX_FLAGS markings will be made. If |
23 |
# PT_PAX and XATTR_PAX. |
22 |
# PAX_MARKINGS is set to "none", no markings will be made. |
|
|
23 |
|
24 |
|
24 |
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then |
25 |
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then |
25 |
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" |
26 |
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" |
26 |
|
27 |
|
27 |
# Default to PT markings. |
28 |
# Default to PT markings. |
28 |
PAX_MARKINGS=${PAX_MARKINGS:="PT"} |
29 |
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"} |
29 |
|
30 |
|
30 |
# @FUNCTION: pax-mark |
31 |
# @FUNCTION: pax-mark |
31 |
# @USAGE: <flags> {<ELF files>} |
32 |
# @USAGE: <flags> {<ELF files>} |
Lines 33-40
Link Here
|
33 |
# @DESCRIPTION: |
34 |
# @DESCRIPTION: |
34 |
# Marks <ELF files> with provided PaX <flags> |
35 |
# Marks <ELF files> with provided PaX <flags> |
35 |
# |
36 |
# |
36 |
# Flags are passed directly to the utilities unchanged. Possible flags at the |
37 |
# Flags are passed directly to the utilities unchanged |
37 |
# time of writing, taken from /sbin/paxctl, are: |
|
|
38 |
# |
38 |
# |
39 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
39 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
40 |
# e: disable EMUTRMAP E: enable EMUTRMAP |
40 |
# e: disable EMUTRMAP E: enable EMUTRMAP |
Lines 44-110
Link Here
|
44 |
# |
44 |
# |
45 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
45 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
46 |
# to http://pax.grsecurity.net/ for details on what these flags are all about. |
46 |
# to http://pax.grsecurity.net/ for details on what these flags are all about. |
47 |
# Do not use the obsolete flag 'x'/'X' which has been deprecated. |
|
|
48 |
# |
47 |
# |
49 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
48 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
50 |
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on |
49 |
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on |
51 |
# the bug report. |
50 |
# the bug report. |
|
|
51 |
|
52 |
|
53 |
|
54 |
# Sanitize out all but the actual pax flags and z |
55 |
# |
56 |
# 1. The leading '-' is irrelevant since it is santized out |
57 |
# |
58 |
# 2. Cc only make sense for paxctl, and even there these are |
59 |
# not needed as we progressively try: |
60 |
# paxctl -q${flags} |
61 |
# paxctl -qc${flags} |
62 |
# paxctl -qC${flags} |
63 |
# So we sanitize them out. |
64 |
# |
65 |
# 3. z is allowed for the default |
66 |
# |
67 |
sanitize-flags() { |
68 |
|
69 |
|
70 |
local flags="$1" |
71 |
local clean="" |
72 |
|
73 |
[[ "${flags}" != "${flags/z/}" ]] && clean="${clean}z" |
74 |
|
75 |
[[ "${flags}" != "${flags/P/}" ]] && clean="${clean}P" |
76 |
[[ "${flags}" != "${flags/p/}" ]] && clean="${clean}p" |
77 |
[[ "${flags}" != "${flags/E/}" ]] && clean="${clean}E" |
78 |
[[ "${flags}" != "${flags/e/}" ]] && clean="${clean}e" |
79 |
[[ "${flags}" != "${flags/M/}" ]] && clean="${clean}M" |
80 |
[[ "${flags}" != "${flags/m/}" ]] && clean="${clean}m" |
81 |
[[ "${flags}" != "${flags/R/}" ]] && clean="${clean}R" |
82 |
[[ "${flags}" != "${flags/r/}" ]] && clean="${clean}r" |
83 |
[[ "${flags}" != "${flags/S/}" ]] && clean="${clean}S" |
84 |
[[ "${flags}" != "${flags/s/}" ]] && clean="${clean}s" |
85 |
|
86 |
echo "$clean" |
87 |
} |
88 |
|
89 |
|
52 |
pax-mark() { |
90 |
pax-mark() { |
53 |
local f flags fail=0 failures="" zero_load_alignment |
91 |
|
54 |
# Ignore '-' characters - in particular so that it doesn't matter if |
92 |
local f # loop over paxables |
55 |
# the caller prefixes with - |
93 |
local flags # pax flags |
56 |
flags=${1//-} |
94 |
local pt_fail=0 pt_failures="" # record PT_PAX failures |
|
|
95 |
local xt_fail=0 xt_failures="" # record xattr PAX marking failures |
96 |
local ret=0 # overal return code of this function |
97 |
|
98 |
flags="$(sanitize-flags $1)" |
57 |
shift |
99 |
shift |
58 |
# Try paxctl, then scanelf. paxctl is preferred. |
100 |
|
59 |
if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then |
101 |
if has PT ${PAX_MARKINGS}; then |
60 |
# Try paxctl, the upstream supported tool. |
102 |
|
61 |
einfo "PT PaX marking -${flags}" |
103 |
#First try paxctl -> this might try to create/convert program headers |
62 |
_pax_list_files einfo "$@" |
104 |
if type -p paxctl > /dev/null; then |
63 |
for f in "$@"; do |
105 |
einfo "PT PaX marking -${flags} with paxctl" |
64 |
# First, try modifying the existing PAX_FLAGS header |
106 |
_pax_list_files einfo "$@" |
65 |
paxctl -q${flags} "${f}" && continue |
107 |
for f in "$@"; do |
66 |
# Second, try stealing the (unused under PaX) PT_GNU_STACK header |
108 |
# First, try modifying the existing PAX_FLAGS header |
67 |
paxctl -qc${flags} "${f}" && continue |
109 |
paxctl -q${flags} "${f}" && continue |
68 |
# Third, try pulling the base down a page, to create space and |
110 |
# Second, try stealing the (unused under PaX) PT_GNU_STACK header |
69 |
# insert a PT_GNU_STACK header (works on ET_EXEC) |
111 |
paxctl -qc${flags} "${f}" && continue |
70 |
paxctl -qC${flags} "${f}" && continue |
112 |
# Third, creating a PT_PAX header (works on ET_EXEC) |
71 |
# |
113 |
paxctl -qC${flags} "${f}" && continue |
72 |
# prelink is masked on hardened so we wont use this method. |
114 |
pt_fail=1 |
73 |
# We're working on a new utiity to try to do the same safely. See |
115 |
pt_failures="${pt_failures} ${f}" |
74 |
# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary |
116 |
done |
75 |
# |
117 |
|
76 |
# Fourth - check if it loads to 0 (probably an ET_DYN) and if so, |
118 |
#Next try paxctl-ng -> this will not create/convert any program headers |
77 |
# try rebasing with prelink first to give paxctl some space to |
119 |
elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then |
78 |
# grow downwards into. |
120 |
einfo "PT PaX marking -${flags} with paxctl-ng" |
79 |
#if type -p objdump > /dev/null && type -p prelink > /dev/null; then |
121 |
_pax_list_files einfo "$@" |
80 |
# zero_load_alignment=$(objdump -p "${f}" | \ |
122 |
for f in "$@"; do |
81 |
# grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \ |
123 |
paxctl-ng -L -${flags} "${f}" && continue |
82 |
# sed -e 's/.*align\(.*\)/\1/') |
124 |
pt_fail=1 |
83 |
# if [[ ${zero_load_alignment} != "" ]]; then |
125 |
pt_failures="${pt_failures} ${f}" |
84 |
# prelink -r $(( 2*(${zero_load_alignment}) )) && |
126 |
done |
85 |
# paxctl -qC${flags} "${f}" && continue |
127 |
|
86 |
# fi |
128 |
#Finally fall back on scanelf |
87 |
#fi |
129 |
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
88 |
fail=1 |
130 |
einfo "Fallback PaX marking -${flags} with scanelf" |
89 |
failures="${failures} ${f}" |
131 |
_pax_list_files einfo "$@" |
90 |
done |
132 |
scanelf -Xxz ${flags} "$@" |
91 |
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
133 |
|
92 |
# Try scanelf, the Gentoo swiss-army knife ELF utility |
134 |
#We failed to set PT_PAX flags |
93 |
# Currently this sets PT if it can, no option to control what it does. |
135 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
94 |
einfo "Fallback PaX marking -${flags}" |
136 |
pt_failures="$*" |
95 |
_pax_list_files einfo "$@" |
137 |
pt_fail=1 |
96 |
scanelf -Xxz ${flags} "$@" |
138 |
fi |
97 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
139 |
|
98 |
# Out of options! |
140 |
if [[ ${pt_fail} == 1 ]]; then |
99 |
failures="$*" |
141 |
ewarn "Failed to set XT_PAX markings -${flags} for:" |
100 |
fail=1 |
142 |
_pax_list_files ewarn ${pt_failures} |
|
|
143 |
ret=1 |
144 |
fi |
101 |
fi |
145 |
fi |
102 |
if [[ ${fail} == 1 ]]; then |
146 |
|
103 |
ewarn "Failed to set PaX markings -${flags} for:" |
147 |
if has XT ${PAX_MARKINGS}; then |
104 |
_pax_list_files ewarn ${failures} |
148 |
|
105 |
ewarn "Executables may be killed by PaX kernels." |
149 |
# z = default. For XATTR_PAX, the default is no xattr field at all |
|
|
150 |
local dodefault="" |
151 |
if [[ "${flags}" != "${flags/z/}" ]]; then |
152 |
flags="${flags/z/}" |
153 |
dodefault="yes" |
154 |
fi |
155 |
|
156 |
#First try paxctl-ng |
157 |
if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then |
158 |
einfo "XT PaX marking -${flags} with paxctl-ng" |
159 |
_pax_list_files einfo "$@" |
160 |
for f in "$@"; do |
161 |
[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}" |
162 |
paxctl-ng -l -${flags} "${f}" && continue |
163 |
xt_fail=1 |
164 |
xt_failures="${tx_failures} ${f}" |
165 |
done |
166 |
|
167 |
#Next try setfattr |
168 |
elif type -p setfattr > /dev/null; then |
169 |
einfo "XT PaX marking -${flags} with setfattr" |
170 |
_pax_list_files einfo "$@" |
171 |
for f in "$@"; do |
172 |
[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}" |
173 |
setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue |
174 |
xt_fail=1 |
175 |
xt_failures="${tx_failures} ${f}" |
176 |
done |
177 |
|
178 |
#We failed to set PT_PAX flags |
179 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
180 |
pt_failures="$*" |
181 |
pt_fail=1 |
182 |
fi |
183 |
|
184 |
if [[ ${xt_fail} == 1 ]]; then |
185 |
ewarn "Failed to set XT_PAX markings -${flags} for:" |
186 |
_pax_list_files ewarn ${xt_failures} |
187 |
ret=1 |
188 |
fi |
106 |
fi |
189 |
fi |
107 |
return ${fail} |
190 |
|
|
|
191 |
[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels." |
192 |
|
193 |
return ${ret} |
108 |
} |
194 |
} |
109 |
|
195 |
|
110 |
# @FUNCTION: list-paxables |
196 |
# @FUNCTION: list-paxables |