Lines 1-4
Link Here
|
1 |
# Copyright 1999-2011 Gentoo Foundation |
1 |
# Copyright 1999-2012 Gentoo Foundation |
2 |
# Distributed under the terms of the GNU General Public License v2 |
2 |
# Distributed under the terms of the GNU General Public License v2 |
3 |
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ |
3 |
# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.18 2012/04/06 18:03:54 blueness Exp $ |
4 |
|
4 |
|
Lines 8-31
Link Here
|
8 |
# @AUTHOR: |
8 |
# @AUTHOR: |
9 |
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org> |
9 |
# Original Author: Kevin F. Quinn <kevquinn@gentoo.org> |
10 |
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> |
10 |
# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org> |
|
|
11 |
# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org> |
11 |
# @BLURB: functions to provide pax markings |
12 |
# @BLURB: functions to provide pax markings |
12 |
# @DESCRIPTION: |
13 |
# @DESCRIPTION: |
|
|
14 |
# |
13 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
15 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
14 |
# wrapping the use of the paxctl and scanelf utilities. It decides which to |
16 |
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX. |
15 |
# use depending on what is installed on the build host, preferring paxctl to |
17 |
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities, |
16 |
# scanelf. If paxctl is not installed, we fall back to scanelf since it is |
18 |
# deciding which to use depending on what's installed on the build host, and |
17 |
# always present. However, currently scanelf doesn't do all that paxctl can. |
19 |
# whether we're working with PT_PAX, XATTR_PAX or both. |
18 |
# |
20 |
# |
19 |
# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to |
21 |
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf |
20 |
# contain either "PT" or "none". If PAX_MARKINGS is set to "PT", and the |
22 |
# to contain either "PT", "XT" or "none". The default is to attempt both |
21 |
# necessary utility is installed, the PT_PAX_FLAGS markings will be made. If |
23 |
# PT_PAX and XATTR_PAX. |
22 |
# PAX_MARKINGS is set to "none", no markings will be made. |
|
|
23 |
|
24 |
|
24 |
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then |
25 |
if [[ ${___ECLASS_ONCE_PAX_UTILS} != "recur -_+^+_- spank" ]] ; then |
25 |
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" |
26 |
___ECLASS_ONCE_PAX_UTILS="recur -_+^+_- spank" |
26 |
|
27 |
|
27 |
# Default to PT markings. |
28 |
# Default to PT markings. |
28 |
PAX_MARKINGS=${PAX_MARKINGS:="PT"} |
29 |
PAX_MARKINGS=${PAX_MARKINGS:="PT XT"} |
29 |
|
30 |
|
30 |
# @FUNCTION: pax-mark |
31 |
# @FUNCTION: pax-mark |
31 |
# @USAGE: <flags> {<ELF files>} |
32 |
# @USAGE: <flags> {<ELF files>} |
Lines 33-40
Link Here
|
33 |
# @DESCRIPTION: |
34 |
# @DESCRIPTION: |
34 |
# Marks <ELF files> with provided PaX <flags> |
35 |
# Marks <ELF files> with provided PaX <flags> |
35 |
# |
36 |
# |
36 |
# Flags are passed directly to the utilities unchanged. Possible flags at the |
37 |
# Flags are passed directly to the utilities unchanged |
37 |
# time of writing, taken from /sbin/paxctl, are: |
|
|
38 |
# |
38 |
# |
39 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
39 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
40 |
# e: disable EMUTRMAP E: enable EMUTRMAP |
40 |
# e: disable EMUTRMAP E: enable EMUTRMAP |
Lines 44-110
Link Here
|
44 |
# |
44 |
# |
45 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
45 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
46 |
# to http://pax.grsecurity.net/ for details on what these flags are all about. |
46 |
# to http://pax.grsecurity.net/ for details on what these flags are all about. |
47 |
# Do not use the obsolete flag 'x'/'X' which has been deprecated. |
|
|
48 |
# |
47 |
# |
49 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
48 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
50 |
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on |
49 |
# Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on |
51 |
# the bug report. |
50 |
# the bug report. |
|
|
51 |
|
52 |
|
52 |
pax-mark() { |
53 |
pax-mark() { |
53 |
local f flags fail=0 failures="" zero_load_alignment |
54 |
|
54 |
# Ignore '-' characters - in particular so that it doesn't matter if |
55 |
local f # loop over paxables |
55 |
# the caller prefixes with - |
56 |
local flags # pax flags |
56 |
flags=${1//-} |
57 |
local pt_fail=0 pt_failures="" # record PT_PAX failures |
|
|
58 |
local xt_fail=0 xt_failures="" # record xattr PAX marking failures |
59 |
local ret=0 # overal return code of this function |
60 |
|
61 |
# Only the actual PaX flags and z are accepted |
62 |
# 1. The leading '-' is optional |
63 |
# 2. -C -c only make sense for paxctl, but are unnecessary |
64 |
# because we progressively do -q -qc -qC |
65 |
# 3. z is allowed for the default |
66 |
|
67 |
flags="${1//[!zPpEeMmRrSs]}" |
68 |
[ "${flags}" ] || return 0 |
57 |
shift |
69 |
shift |
58 |
# Try paxctl, then scanelf. paxctl is preferred. |
70 |
|
59 |
if type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then |
71 |
# z = default. For XATTR_PAX, the default is no xattr field at all |
60 |
# Try paxctl, the upstream supported tool. |
72 |
local dodefault="" |
61 |
einfo "PT PaX marking -${flags}" |
73 |
[ "${flags//[!z]}" ] && dodefault="yes" |
62 |
_pax_list_files einfo "$@" |
74 |
|
63 |
for f in "$@"; do |
75 |
if has PT ${PAX_MARKINGS}; then |
64 |
# First, try modifying the existing PAX_FLAGS header |
76 |
|
65 |
paxctl -q${flags} "${f}" && continue |
77 |
#First try paxctl -> this might try to create/convert program headers |
66 |
# Second, try stealing the (unused under PaX) PT_GNU_STACK header |
78 |
if type -p paxctl > /dev/null; then |
67 |
paxctl -qc${flags} "${f}" && continue |
79 |
einfo "PT PaX marking -${flags} with paxctl" |
68 |
# Third, try pulling the base down a page, to create space and |
80 |
_pax_list_files einfo "$@" |
69 |
# insert a PT_GNU_STACK header (works on ET_EXEC) |
81 |
for f in "$@"; do |
70 |
paxctl -qC${flags} "${f}" && continue |
82 |
# First, try modifying the existing PAX_FLAGS header |
71 |
# |
83 |
paxctl -q${flags} "${f}" && continue |
72 |
# prelink is masked on hardened so we wont use this method. |
84 |
# Second, try stealing the (unused under PaX) PT_GNU_STACK header |
73 |
# We're working on a new utiity to try to do the same safely. See |
85 |
paxctl -qc${flags} "${f}" && continue |
74 |
# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary |
86 |
# Third, creating a PT_PAX header (works on ET_EXEC) |
75 |
# |
87 |
paxctl -qC${flags} "${f}" && continue |
76 |
# Fourth - check if it loads to 0 (probably an ET_DYN) and if so, |
88 |
pt_fail=1 |
77 |
# try rebasing with prelink first to give paxctl some space to |
89 |
pt_failures="${pt_failures} ${f}" |
78 |
# grow downwards into. |
90 |
done |
79 |
#if type -p objdump > /dev/null && type -p prelink > /dev/null; then |
91 |
|
80 |
# zero_load_alignment=$(objdump -p "${f}" | \ |
92 |
#Next try paxctl-ng -> this will not create/convert any program headers |
81 |
# grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \ |
93 |
elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then |
82 |
# sed -e 's/.*align\(.*\)/\1/') |
94 |
einfo "PT PaX marking -${flags} with paxctl-ng" |
83 |
# if [[ ${zero_load_alignment} != "" ]]; then |
95 |
flags="${flags//z}" |
84 |
# prelink -r $(( 2*(${zero_load_alignment}) )) && |
96 |
_pax_list_files einfo "$@" |
85 |
# paxctl -qC${flags} "${f}" && continue |
97 |
for f in "$@"; do |
86 |
# fi |
98 |
[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}" |
87 |
#fi |
99 |
[ "${flags}" ] || continue |
88 |
fail=1 |
100 |
paxctl-ng -L -${flags} "${f}" && continue |
89 |
failures="${failures} ${f}" |
101 |
pt_fail=1 |
90 |
done |
102 |
pt_failures="${pt_failures} ${f}" |
91 |
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
103 |
done |
92 |
# Try scanelf, the Gentoo swiss-army knife ELF utility |
104 |
|
93 |
# Currently this sets PT if it can, no option to control what it does. |
105 |
#Finally fall back on scanelf |
94 |
einfo "Fallback PaX marking -${flags}" |
106 |
elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
95 |
_pax_list_files einfo "$@" |
107 |
einfo "Fallback PaX marking -${flags} with scanelf" |
96 |
scanelf -Xxz ${flags} "$@" |
108 |
_pax_list_files einfo "$@" |
97 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
109 |
scanelf -Xxz ${flags} "$@" |
98 |
# Out of options! |
110 |
|
99 |
failures="$*" |
111 |
#We failed to set PT_PAX flags |
100 |
fail=1 |
112 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
|
|
113 |
pt_failures="$*" |
114 |
pt_fail=1 |
115 |
fi |
116 |
|
117 |
if [[ ${pt_fail} == 1 ]]; then |
118 |
ewarn "Failed to set XT_PAX markings -${flags} for:" |
119 |
_pax_list_files ewarn ${pt_failures} |
120 |
ret=1 |
121 |
fi |
101 |
fi |
122 |
fi |
102 |
if [[ ${fail} == 1 ]]; then |
123 |
|
103 |
ewarn "Failed to set PaX markings -${flags} for:" |
124 |
if has XT ${PAX_MARKINGS}; then |
104 |
_pax_list_files ewarn ${failures} |
125 |
|
105 |
ewarn "Executables may be killed by PaX kernels." |
126 |
flags="${flags//z}" |
|
|
127 |
|
128 |
#First try paxctl-ng |
129 |
if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then |
130 |
einfo "XT PaX marking -${flags} with paxctl-ng" |
131 |
_pax_list_files einfo "$@" |
132 |
for f in "$@"; do |
133 |
[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}" |
134 |
[ "${flags}" ] || continue |
135 |
paxctl-ng -l -${flags} "${f}" && continue |
136 |
xt_fail=1 |
137 |
xt_failures="${tx_failures} ${f}" |
138 |
done |
139 |
|
140 |
#Next try setfattr |
141 |
elif type -p setfattr > /dev/null; then |
142 |
[ "${flags//[!Ee]}" ] || flags+="e" # bug 447150 |
143 |
einfo "XT PaX marking -${flags} with setfattr" |
144 |
_pax_list_files einfo "$@" |
145 |
for f in "$@"; do |
146 |
[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}" |
147 |
setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue |
148 |
xt_fail=1 |
149 |
xt_failures="${tx_failures} ${f}" |
150 |
done |
151 |
|
152 |
#We failed to set PT_PAX flags |
153 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
154 |
pt_failures="$*" |
155 |
pt_fail=1 |
156 |
fi |
157 |
|
158 |
if [[ ${xt_fail} == 1 ]]; then |
159 |
ewarn "Failed to set XT_PAX markings -${flags} for:" |
160 |
_pax_list_files ewarn ${xt_failures} |
161 |
ret=1 |
162 |
fi |
106 |
fi |
163 |
fi |
107 |
return ${fail} |
164 |
|
|
|
165 |
[[ ${ret} == 1 ]] && ewarn "Executables may be killed by PaX kernels." |
166 |
|
167 |
return ${ret} |
108 |
} |
168 |
} |
109 |
|
169 |
|
110 |
# @FUNCTION: list-paxables |
170 |
# @FUNCTION: list-paxables |