(-)/usr/portage/eclass/pax-utils.eclass (-66 / +126 lines)
Lines 1-4 Link Here
1
# Copyright 1999-2011 Gentoo Foundation
1
# Copyright 1999-2012 Gentoo Foundation
2
# Distributed under the terms of the GNU General Public License v2
2
# Distributed under the terms of the GNU General Public License v2
3
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
3
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $
4
4
Lines 8-31 Link Here
8
# @AUTHOR:
8
# @AUTHOR:
9
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
9
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
10
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
10
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
11
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
11
# @BLURB: functions to provide pax markings
12
# @BLURB: functions to provide pax markings
12
# @DESCRIPTION:
13
# @DESCRIPTION:
14
#
13
# This eclass provides support for manipulating PaX markings on ELF binaries,
15
# This eclass provides support for manipulating PaX markings on ELF binaries,
14
# wrapping the use of the paxctl and scanelf utilities.  It decides which to
16
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
15
# use depending on what is installed on the build host, preferring paxctl to
17
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
16
# scanelf.  If paxctl is not installed, we fall back to scanelf since it is
18
# deciding which to use depending on what's installed on the build host, and
17
# always present.  However, currently scanelf doesn't do all that paxctl can.
19
# whether we're working with PT_PAX, XATTR_PAX or both.
18
#
20
#
19
# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to
21
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
20
# contain either "PT" or "none".  If PAX_MARKINGS is set to "PT", and the
22
# to contain either "PT", "XT" or "none".  The default is to attempt both
21
# necessary utility is installed, the PT_PAX_FLAGS markings will be made.  If
23
# PT_PAX and XATTR_PAX.
22
# PAX_MARKINGS is set to "none", no markings will be made.
23
24
24
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
25
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then
25
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
26
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank"
26
27
27
# Default to PT markings.
28
# Default to PT markings.
28
PAX_MARKINGS=${PAX_MARKINGS:="PT"}
29
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
29
30
30
# @FUNCTION: pax-mark
31
# @FUNCTION: pax-mark
31
# @USAGE: <flags> {<ELF files>}
32
# @USAGE: <flags> {<ELF files>}
Lines 33-40 Link Here
33
# @DESCRIPTION:
34
# @DESCRIPTION:
34
# Marks <ELF files> with provided PaX <flags>
35
# Marks <ELF files> with provided PaX <flags>
35
#
36
#
36
# Flags are passed directly to the utilities unchanged.  Possible flags at the
37
# Flags are passed directly to the utilities unchanged
37
# time of writing, taken from /sbin/paxctl, are:
38
#
38
#
39
#	p: disable PAGEEXEC		P: enable PAGEEXEC
39
#	p: disable PAGEEXEC		P: enable PAGEEXEC
40
#	e: disable EMUTRMAP		E: enable EMUTRMAP
40
#	e: disable EMUTRMAP		E: enable EMUTRMAP
Lines 44-110 Link Here
44
#
44
#
45
# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
45
# Default flags are 'PeMRS', which are the most restrictive settings.  Refer
46
# to http://pax.grsecurity.net/ for details on what these flags are all about.
46
# to http://pax.grsecurity.net/ for details on what these flags are all about.
47
# Do not use the obsolete flag 'x'/'X' which has been deprecated.
48
#
47
#
49
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
48
# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
50
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
49
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
51
# the bug report.
50
# the bug report.
51
52
52
pax-mark() {
53
pax-mark() {
53
	local f flags fail=0 failures="" zero_load_alignment
54
54
	# Ignore '-' characters - in particular so that it doesn't matter if
55
	local f								# loop over paxables
55
	# the caller prefixes with -
56
	local flags							# pax flags
56
	flags=${1//-}
57
	local pt_fail=0 pt_failures=""		# record PT_PAX failures
58
	local xt_fail=0 xt_failures=""		# record xattr PAX marking failures
59
	local ret=0							# overal return code of this function
60
61
	# Only the actual PaX flags and z are accepted
62
	# 1. The leading '-' is optional
63
	# 2. -C -c only make sense for paxctl, but are unnecessary
64
	#    because we progressively do -q -qc -qC
65
	# 3. z is allowed for the default
66
67
	flags="${1//[!zPpEeMmRrSs]}"
68
	[ "${flags}" ] || return 0
57
	shift
69
	shift
58
	# Try paxctl, then scanelf.  paxctl is preferred.
70
59
	if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
71
	# z = default. For XATTR_PAX, the default is no xattr field at all
60
		# Try paxctl, the upstream supported tool.
72
	local dodefault=""
61
		einfo "PT PaX marking -${flags}"
73
	[ "${flags//[!z]}" ] && dodefault="yes"
62
		_pax_list_files einfo "$@"
74
63
		for f in "$@"; do
75
	if has PT ${PAX_MARKINGS}; then
64
			# First, try modifying the existing PAX_FLAGS header
76
65
			paxctl -q${flags} "${f}" && continue
77
		#First try paxctl -> this might try to create/convert program headers
66
			# Second, try stealing the (unused under PaX) PT_GNU_STACK header
78
		if type -p paxctl > /dev/null; then
67
			paxctl -qc${flags} "${f}" && continue
79
			einfo "PT PaX marking -${flags} with paxctl"
68
			# Third, try pulling the base down a page, to create space and
80
			_pax_list_files einfo "$@"
69
			# insert a PT_GNU_STACK header (works on ET_EXEC)
81
			for f in "$@"; do
70
			paxctl -qC${flags} "${f}" && continue
82
				# First, try modifying the existing PAX_FLAGS header
71
			#
83
				paxctl -q${flags} "${f}" && continue
72
			# prelink is masked on hardened so we wont use this method.
84
				# Second, try stealing the (unused under PaX) PT_GNU_STACK header
73
			# We're working on a new utiity to try to do the same safely. See
85
				paxctl -qc${flags} "${f}" && continue
74
			# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
86
				# Third, creating a PT_PAX header (works on ET_EXEC)
75
			#
87
				paxctl -qC${flags} "${f}" && continue
76
			# Fourth - check if it loads to 0 (probably an ET_DYN) and if so,
88
				pt_fail=1
77
			# try rebasing with prelink first to give paxctl some space to
89
				pt_failures="${pt_failures} ${f}"
78
			# grow downwards into.
90
			done
79
			#if type -p objdump > /dev/null && type -p prelink > /dev/null; then
91
80
			#	zero_load_alignment=$(objdump -p "${f}" | \
92
		#Next try paxctl-ng -> this will not create/convert any program headers
81
			#		grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \
93
		elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
82
			#		sed -e 's/.*align\(.*\)/\1/')
94
			einfo "PT PaX marking -${flags} with paxctl-ng"
83
			#	if [[ ${zero_load_alignment} != "" ]]; then
95
			flags="${flags//z}"
84
			#		prelink -r $(( 2*(${zero_load_alignment}) )) &&
96
			_pax_list_files einfo "$@"
85
			#		paxctl -qC${flags} "${f}" && continue
97
			for f in "$@"; do
86
			#	fi
98
				[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
87
			#fi
99
				[ "${flags}" ] || continue
88
			fail=1
100
				paxctl-ng -L -${flags} "${f}" && continue
89
			failures="${failures} ${f}"
101
				pt_fail=1
90
		done
102
				pt_failures="${pt_failures} ${f}"
91
	elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
103
			done
92
		# Try scanelf, the Gentoo swiss-army knife ELF utility
104
93
		# Currently this sets PT if it can, no option to control what it does.
105
		#Finally fall back on scanelf
94
		einfo "Fallback PaX marking -${flags}"
106
		elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
95
		_pax_list_files einfo "$@"
107
			einfo "Fallback PaX marking -${flags} with scanelf"
96
		scanelf -Xxz ${flags} "$@"
108
			_pax_list_files einfo "$@"
97
	elif [[ ${PAX_MARKINGS} != "none" ]]; then
109
			scanelf -Xxz ${flags} "$@"
98
		# Out of options!
110
99
		failures="$*"
111
		#We failed to set PT_PAX flags
100
		fail=1
112
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
113
			pt_failures="$*"
114
			pt_fail=1
115
		fi
116
117
		if [[ ${pt_fail} == 1 ]]; then
118
			ewarn "Failed to set XT_PAX markings -${flags} for:"
119
			_pax_list_files ewarn ${pt_failures}
120
			ret=1
121
		fi
101
	fi
122
	fi
102
	if [[ ${fail} == 1 ]]; then
123
103
		ewarn "Failed to set PaX markings -${flags} for:"
124
	if has XT ${PAX_MARKINGS}; then
104
		_pax_list_files ewarn ${failures}
125
105
		ewarn "Executables may be killed by PaX kernels."
126
		flags="${flags//z}"
127
128
		#First try paxctl-ng
129
		if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
130
			einfo "XT PaX marking -${flags} with paxctl-ng"
131
			_pax_list_files einfo "$@"
132
			for f in "$@"; do
133
				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
134
				[ "${flags}" ] || continue
135
				paxctl-ng -l -${flags} "${f}" && continue
136
				xt_fail=1
137
				xt_failures="${tx_failures} ${f}"
138
			done
139
140
		#Next try setfattr
141
		elif type -p setfattr > /dev/null; then
142
			[ "${flags//[!Ee]}" ] || flags+="e" # bug 447150
143
			einfo "XT PaX marking -${flags} with setfattr"
144
			_pax_list_files einfo "$@"
145
			for f in "$@"; do
146
				[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
147
				setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
148
				xt_fail=1
149
				xt_failures="${tx_failures} ${f}"
150
			done
151
152
		#We failed to set PT_PAX flags
153
		elif [[ ${PAX_MARKINGS} != "none" ]]; then
154
			pt_failures="$*"
155
			pt_fail=1
156
		fi
157
158
		if [[ ${xt_fail} == 1 ]]; then
159
			ewarn "Failed to set XT_PAX markings -${flags} for:"
160
			_pax_list_files ewarn ${xt_failures}
161
			ret=1
162
		fi
106
	fi
163
	fi
107
	return ${fail}
164
165
	[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels."
166
167
	return ${ret}
108
}
168
}
109
169
110
# @FUNCTION: list-paxables
170
# @FUNCTION: list-paxables
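Review bot: In the XT branch the failure list is accumulated from a misspelled variable, `xt_failures="${tx_failures} ${f}"` at new lines 137 and 149, so every failing file except the last is dropped from the ewarn report; both lines should read `xt_failures="${xt_failures} ${f}"`. The out-of-options arm of that same XT block (new lines 153-155) sets `pt_failures`/`pt_fail` instead of `xt_failures`/`xt_fail`, and because the PT report at new line 117 has already run by then, that failure is never printed and `ret` stays 0 even though no marking was applied. The PT report itself warns about "XT_PAX" at new line 118, where `ewarn "Failed to set PT_PAX markings -${flags} for:"` is meant. The `flags="${flags//z}"` at new line 95 is not undone before the PT failure report, so the warning prints a flag string that differs from what the caller passed; a short comment there, or reporting the original `$1`, would make that clearer.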
