(-)/usr/portage/eclass/pax-utils.eclass (-66 / +152 lines)
Lines 1-4 Link Here
1
# Copyright 1999-2011 Gentoo Foundation
1
# Copyright 1999-2012 Gentoo Foundation
2
# Distributed under the terms of the GNU General Public License v2
2
# Distributed under the terms of the GNU General Public License v2
3
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
3
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
4
4
Lines 8-31 Link Here
8
# @AUTHOR:
8
# @AUTHOR:
9
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
9
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
10
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
10
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
11
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
11
# @BLURB: functions to provide pax markings
12
# @BLURB: functions to provide pax markings
12
# @DESCRIPTION:
13
# @DESCRIPTION:
14
#
13
# This eclass provides support for manipulating PaX markings on ELF binaries,
15
# This eclass provides support for manipulating PaX markings on ELF binaries,
14
# wrapping the use of the paxctl and scanelf utilities.  It decides which to
16
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
15
# use depending on what is installed on the build host, preferring paxctl to
17
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
16
# scanelf.  If paxctl is not installed, we fall back to scanelf since it is
18
# deciding which to use depending on what's installed on the build host, and
17
# always present.  However, currently scanelf doesn't do all that paxctl can.
19
# whether we're working with PT_PAX, XATTR_PAX or both.
18
#
20
#
19
# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to
21
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
20
# contain either "PT" or "none".  If PAX_MARKINGS is set to "PT", and the
22
# to contain either "PT", "XT" or "none".  The default is to attempt both
21
# necessary utility is installed, the PT_PAX_FLAGS markings will be made.  If
23
# PT_PAX and XATTR_PAX.
22
# PAX_MARKINGS is set to "none", no markings will be made.
23
24
24
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
25
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
25
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
26
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
26
27
27
# Default to PT markings.
28
# Default to PT markings.
28
PAX_MARKINGS=${PAX_MARKINGS:="PT"}
29
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
29
30
30
# @FUNCTION: pax-mark
31
# @FUNCTION: pax-mark
31
# @USAGE: <flags> {<ELF files>}
32
# @USAGE: <flags> {<ELF files>}
Lines 33-40 Link Here
33
# @DESCRIPTION:
34
# @DESCRIPTION:
34
# Marks <ELF files> with provided PaX <flags>
35
# Marks <ELF files> with provided PaX <flags>
35
#
36
#
36
# Flags are passed directly to the utilities unchanged.  Possible flags at the
37
# Flags are passed directly to the utilities unchanged
37
# time of writing, taken from /sbin/paxctl, are:
38
#
38
#
39
#	p: disable PAGEEXEC		P: enable PAGEEXEC
39
#	p: disable PAGEEXEC		P: enable PAGEEXEC
40
#	e: disable EMUTRMAP		E: enable EMUTRMAP
40
#	e: disable EMUTRMAP		E: enable EMUTRMAP
Lines 44-110 Link Here
44
#
44
#
45
# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
45
# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
46
# to http://pax.grsecurity.net/ for details on what these flags are all about.
46
# to http://pax.grsecurity.net/ for details on what these flags are all about.
47
# Do not use the obsolete flag 'x'/'X' which has been deprecated.
48
#
47
#
49
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
48
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
50
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
49
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
51
# the bug report.
50
# the bug report.
51
52
53
54
# Sanitize out all but the actual pax flags and z 
55
#
56
# 1. The leading '-' is irrelevant since it is santized out
57
#
58
# 2. Cc only make sense for paxctl, and even there these are
59
#    not needed as we progressively try:
60
#        paxctl -q${flags}
61
#        paxctl -qc${flags}
62
#        paxctl -qC${flags}
63
#    So we sanitize them out.
64
#
65
# 3. z is allowed for the default
66
#
67
sanitize-flags() {
68
69
70
        local flags="$1"
71
        local clean=""
72
73
        [[ "${flags}" != "${flags/z/}" ]] && clean="${clean}z"
74
75
        [[ "${flags}" != "${flags/P/}" ]] && clean="${clean}P"
76
        [[ "${flags}" != "${flags/p/}" ]] && clean="${clean}p"
77
        [[ "${flags}" != "${flags/E/}" ]] && clean="${clean}E"
78
        [[ "${flags}" != "${flags/e/}" ]] && clean="${clean}e"
79
        [[ "${flags}" != "${flags/M/}" ]] && clean="${clean}M"
80
        [[ "${flags}" != "${flags/m/}" ]] && clean="${clean}m"
81
        [[ "${flags}" != "${flags/R/}" ]] && clean="${clean}R"
82
        [[ "${flags}" != "${flags/r/}" ]] && clean="${clean}r"
83
        [[ "${flags}" != "${flags/S/}" ]] && clean="${clean}S"
84
        [[ "${flags}" != "${flags/s/}" ]] && clean="${clean}s"
85
86
        echo "$clean"
87
}
88
89
52
pax-mark() {
90
pax-mark() {
53
	local f flags fail=0 failures="" zero_load_alignment
91
54
	# Ignore '-' characters - in particular so that it doesn't matter if
92
	local f								# loop over paxables
55
	# the caller prefixes with -
93
	local flags							# pax flags
56
	flags=${1//-}
94
	local pt_fail=0 pt_failures=""		# record PT_PAX failures
95
	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
96
	local ret=0							# overal return code of this function
97
98
	flags="$(sanitize-flags $1)"
57
	shift
99
	shift
58
	# Try paxctl, then scanelf.  paxctl is preferred.
100
59
	if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
101
	if has PT ${PAX_MARKINGS}; then
60
		# Try paxctl, the upstream supported tool.
102
61
		einfo "PT PaX marking -${flags}"
103
		#First try paxctl -> this might try to create/convert program headers
62
		_pax_list_files einfo "$@"
104
		if type -p paxctl > /dev/null; then
63
		for f in "$@"; do
105
			einfo "PT PaX marking -${flags} with paxctl"
64
			# First, try modifying the existing PAX_FLAGS header
106
			_pax_list_files einfo "$@"
65
			paxctl -q${flags} "${f}" && continue
107
			for f in "$@"; do
66
			# Second, try stealing the (unused under PaX) PT_GNU_STACK header
108
				# First, try modifying the existing PAX_FLAGS header
67
			paxctl -qc${flags} "${f}" && continue
109
				paxctl -q${flags} "${f}" && continue
68
			# Third, try pulling the base down a page, to create space and
110
				# Second, try stealing the (unused under PaX) PT_GNU_STACK header
69
			# insert a PT_GNU_STACK header (works on ET_EXEC)
111
				paxctl -qc${flags} "${f}" && continue
70
			paxctl -qC${flags} "${f}" && continue
112
				# Third, creating a PT_PAX header (works on ET_EXEC)
71
			#
113
				paxctl -qC${flags} "${f}" && continue
72
			# prelink is masked on hardened so we wont use this method.
114
				pt_fail=1
73
			# We're working on a new utiity to try to do the same safely. See
115
				pt_failures="${pt_failures} ${f}"
74
			# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
116
			done
75
			#
117
76
			# Fourth - check if it loads to 0 (probably an ET_DYN) and if so,
118
		#Next try paxctl-ng -> this will not create/convert any program headers
77
			# try rebasing with prelink first to give paxctl some space to
119
		elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
78
			# grow downwards into.
120
			einfo "PT PaX marking -${flags} with paxctl-ng"
79
			#if type -p objdump > /dev/null && type -p prelink > /dev/null; then
121
			_pax_list_files einfo "$@"
80
			#	zero_load_alignment=$(objdump -p "${f}" | \
122
			for f in "$@"; do
81
			#		grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \
123
				paxctl-ng -L -${flags} "${f}" && continue
82
			#		sed -e 's/.*align\(.*\)/\1/')
124
				pt_fail=1
83
			#	if [[ ${zero_load_alignment} != "" ]]; then
125
				pt_failures="${pt_failures} ${f}"
84
			#		prelink -r $(( 2*(${zero_load_alignment}) )) &&
126
			done
85
			#		paxctl -qC${flags} "${f}" && continue
127
86
			#	fi
128
		#Finally fall back on scanelf
87
			#fi
129
		elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
88
			fail=1
130
			einfo "Fallback PaX marking -${flags} with scanelf"
89
			failures="${failures} ${f}"
131
			_pax_list_files einfo "$@"
90
		done
132
			scanelf -Xxz ${flags} "$@"
91
	elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
133
92
		# Try scanelf, the Gentoo swiss-army knife ELF utility
134
		#We failed to set PT_PAX flags
93
		# Currently this sets PT if it can, no option to control what it does.
135
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
94
		einfo "Fallback PaX marking -${flags}"
136
			pt_failures="$*"
95
		_pax_list_files einfo "$@"
137
			pt_fail=1
96
		scanelf -Xxz ${flags} "$@"
138
		fi
97
	elif [[ ${PAX_MARKINGS} != "none" ]]; then
139
98
		# Out of options!
140
		if [[ ${pt_fail} == 1 ]]; then
99
		failures="$*"
141
			ewarn "Failed to set XT_PAX markings -${flags} for:"
100
		fail=1
142
			_pax_list_files ewarn ${pt_failures}
143
			ret=1
144
		fi
101
	fi
145
	fi
102
	if [[ ${fail} == 1 ]]; then
146
103
		ewarn "Failed to set PaX markings -${flags} for:"
147
	if has XT ${PAX_MARKINGS}; then
104
		_pax_list_files ewarn ${failures}
148
105
		ewarn "Executables may be killed by PaX kernels."
149
		# z = default. For XATTR_PAX, the default is no xattr field at all
150
		local dodefault=""
151
		if [[ "${flags}" != "${flags/z/}" ]]; then
152
			flags="${flags/z/}"
153
			dodefault="yes"
154
		fi
155
156
		#First try paxctl-ng
157
		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
158
			einfo "XT PaX marking -${flags} with paxctl-ng"
159
			_pax_list_files einfo "$@"
160
			for f in "$@"; do
161
				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
162
				paxctl-ng -l -${flags} "${f}" && continue
163
				xt_fail=1
164
				xt_failures="${tx_failures} ${f}"
165
			done
166
167
		#Next try setfattr
168
		elif type -p setfattr > /dev/null; then
169
			einfo "XT PaX marking -${flags} with setfattr"
170
			_pax_list_files einfo "$@"
171
			for f in "$@"; do
172
				[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
173
				setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
174
				xt_fail=1
175
				xt_failures="${tx_failures} ${f}"
176
			done
177
178
		#We failed to set PT_PAX flags
179
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
180
			pt_failures="$*"
181
			pt_fail=1
182
		fi
183
184
		if [[ ${xt_fail} == 1 ]]; then
185
			ewarn "Failed to set XT_PAX markings -${flags} for:"
186
			_pax_list_files ewarn ${xt_failures}
187
			ret=1
188
		fi
106
	fi
189
	fi
107
	return ${fail}
190
191
	[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels."
192
193
	return ${ret}
108
}
194
}
109
195
110
# @FUNCTION: list-paxables
196
# @FUNCTION: list-paxables
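Review bot: The XATTR_PAX failure list is never accumulated in the new pax-mark: both failure-recording loops (new lines 164 and 175) append to `${tx_failures}`, a variable that is never assigned, so each failing file overwrites the previous one and only the last is reported; both lines should read `xt_failures="${xt_failures} ${f}"`. The PT_PAX branch also labels its warning wrongly at new line 141, `ewarn "Failed to set XT_PAX markings -${flags} for:"`, where the PT branch should say `"Failed to set PT_PAX markings -${flags} for:"`. The final `elif` of the XT branch (new lines 179-182) sets `pt_failures`/`pt_fail` after the PT result has already been reported, so a host with neither paxctl-ng nor setfattr silently skips XT marking with ret still 0; that fallback should set `xt_failures="$*"` and `xt_fail=1` instead, and the `[[ ${PAX_MARKINGS} != "none" ]]` guard there is redundant under `has XT ${PAX_MARKINGS}`. The call `flags="$(sanitize-flags $1)"` at new line 98 leaves `$1` unquoted, so a whitespace-containing argument would be split before sanitisation; `"$1"` keeps the whitelist in sanitize-flags the single point of control over what reaches paxctl.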
