
Bug 431092

Summary: eclass/pax-utils.eclass: should set xattr based pax markings as well as elf phdr PT_PAX
Product: Gentoo Linux Reporter: Anthony Basile <blueness>
Component: Eclasses Assignee: Anthony Basile <blueness>
Status: RESOLVED FIXED    
Severity: normal CC: andrew.bugs, hardened-kernel+disabled, hardened, kingjon3377, mjo, nikoli, pageexec
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 445334, 445948, 446518, 447150, 447616, 456656    
Bug Blocks: 427888    
Attachments: Proposed update to pax-util.eclass
oracle-jdk-bin-1.7.0.9-build.log
Update to the proposed eclass.
Diff of proposed pax-utils.eclass to current version on the tree.
Proposed eclass.
Diff of proposed pax-utils.eclass to current version on the tree.
Proposed eclass.
Diff of proposed pax-utils.eclass to current version on the tree.

Description Anthony Basile gentoo-dev 2012-08-12 14:54:02 UTC
Currently the eclass intelligently looks for paxctl first, then failing that scanelf to set the PT_PAX flags.

With both xattr and PT_PAX flags we need to think of a new logic because, if we move towards removing the PT_PAX phdr from our elfs, then we can have situations where the user's system can

1) support both xattrs (on all necessary filesystems) and PT_PAX markings

2) support only xattr

3) support only PT_PAX

4) support none in which case pax marking is not possible.  (A pax enabled kernel will automatically enforce the defaults).

The tools we have are:

1) paxctl-ng which can set both xattrs and PT_PAX 

2) The plugin pypax.so which can set both xattrs and PT_PAX

3) setfattr/getfattr which can set only xattrs

4) paxctl which can set only PT_PAX

5) scanelf which can set only PT_PAX
Comment 1 Anthony Basile gentoo-dev 2012-11-11 00:37:19 UTC
Created attachment 329156 [details]
Proposed update to pax-util.eclass

This eclass depends on >=sys-apps/elfix-0.6.0 which I just added to the tree.  To get backward compat working nicely I had to add another feature to paxctl-ng which allows one to set *only* PT_PAX flags or XT_PAX flags, respectively paxctl-ng -L and paxctl-ng -l.  So it will be a while before those are stabilized.  In the meantime, hardened@ can review it.  After 30 days when elfix-0.6.0 (or better) is stabilized, I'll email gentoo-dev@ with this proposal.
Comment 2 iGentoo 2012-12-04 07:23:51 UTC
Created attachment 331378 [details]
oracle-jdk-bin-1.7.0.9-build.log

java-vm_set-pax-markings failed!
Comment 3 Anthony Basile gentoo-dev 2012-12-04 10:31:10 UTC
(In reply to comment #2)
> Created attachment 331378 [details]
> oracle-jdk-bin-1.7.0.9-build.log
> 
> java-vm_set-pax-markings failed!

This is the wrong bug.  Please read the bugs carefully and make sure your issue is related to the bug.
Comment 4 SpanKY gentoo-dev 2013-01-02 17:43:02 UTC
Comment on attachment 329156 [details]
Proposed update to pax-util.eclass

be nice to get a diff here

i guess we'll need to update scanelf too ?
Comment 5 Anthony Basile gentoo-dev 2013-01-02 18:04:21 UTC
Created attachment 334076 [details]
Update to the proposed eclass.

This update addresses bug #447616 with >=sys-apps/elfix-0.8.0
Comment 6 Anthony Basile gentoo-dev 2013-01-02 18:10:58 UTC
Created attachment 334078 [details, diff]
Diff of proposed pax-utils.eclass to current version on the tree.

We do not need to touch scanelf.  The logic goes something like this:

1) If we want to set PT_PAX, then

   a) first see if paxctl-ng exists and can do PT_PAX markings (paxctl-ng -L)
   b) if it doesn't exist/work, fall back on paxctl
   c) if paxctl doesn't exist fall back on scanelf

2) If we want to set XATTR_PAX then

   a) first see if paxctl-ng exists and can do XATTR_PAX markings (paxctl-ng -l)
   b) if it doesn't exist/work, fall back on setfattr

If we exhaust possibilities, then ewarn.

paxctl-ng is part of sys-fs/elfix.  The git repo for the code and other goodies is at 

    http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
Comment 7 Anthony Basile gentoo-dev 2013-01-02 18:20:23 UTC
(In reply to comment #2)
> Created attachment 331378 [details]
> oracle-jdk-bin-1.7.0.9-build.log
> 
> java-vm_set-pax-markings failed!

@Alphat-PC, I'm very sorry!  Your report is related, I confused your issue with something else.

Can you please test with the latest proposed pax-util.eclass with >=sys-apps/elfix-0.8.0.  I did at my end and it works on oracle-jdk-bin.
Comment 8 Anthony Basile gentoo-dev 2013-02-10 01:45:19 UTC
I had to update the eclass to address bug #445948.  I will attach the new proposed eclass and a diff to the current.  The rewrite is extensive so I'm not so sure the diff is useful.
Comment 9 Anthony Basile gentoo-dev 2013-02-10 01:46:01 UTC
Created attachment 338450 [details, diff]
Proposed eclass.
Comment 10 Anthony Basile gentoo-dev 2013-02-10 01:47:05 UTC
Created attachment 338452 [details, diff]
Diff of proposed pax-utils.eclass to current version on the tree.
Comment 11 Anthony Basile gentoo-dev 2013-02-10 01:52:14 UTC
Actually I realized as I updated that I can shorten my sanitize-flags() to something like

    # keep only the letters that are valid PaX flags; a letter is kept when
    # removing it from ${flags} changes the string, i.e. when it is present
    # (note: the result comes out in list order, not in the caller's order)
    clean=""
    for f in z P p E e M m R r S s ; do
       [[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
    done
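The two-track fallback logic from comment 6 and the flag sanitizing from comment 11, put together as a stand-alone bash sketch.  This is an added example, not the pax-utils.eclass code from the tree or from any attachment on this bug: the helpers pax_have and pax_ng_supports are hypothetical, the assumption that paxctl-ng exits 0 for -L / -l when its build supports PT_PAX / XATTR_PAX is taken from comment 6's "exists and can do", and the exact option spellings for paxctl, scanelf and setfattr are assumptions modelled on those tools' usage.  The selection functions only print the command they would run, so the sketch can be exercised on a box that has none of the tools installed; the sanitizer replaces comment 11's loop with one pattern substitution, which keeps the caller's letter order instead of the list order.

```bash
#!/bin/bash
# Added example, not the eclass's own code: a stand-alone sketch of the
# two-track marking logic from comment 6 plus the flag sanitizing from
# comment 11.  The selection functions only print the command they would
# run; the exact option spellings for each tool are assumptions.

# Hypothetical helper: is TOOL installed?  Tests override this to simulate
# a box with only some of the tools present.
pax_have() { command -v "$1" >/dev/null 2>&1; }

# Assumption: paxctl-ng exits 0 for "-L" / "-l" when its build can do
# PT_PAX / XATTR_PAX markings.  Also overridable in tests.
pax_ng_supports() { paxctl-ng "$1" >/dev/null 2>&1; }

# Comment 11's loop as a single pattern substitution: drop '-' characters
# and anything that is not one of the flag letters z P p E e M m R r S s.
# Unlike the loop, this keeps the letters in the order the caller gave them.
pax_sanitize_flags() {
    local flags="${1//-/}"
    printf '%s\n' "${flags//[^zPpEeMmRrSs]/}"
}

# PT_PAX track: paxctl-ng -L, then paxctl, then scanelf.  Prints the
# command that would mark FILE with FLAGS, or returns 1 when no tool can.
pax_pt_command() {
    local flags="$1" file="$2"
    if pax_have paxctl-ng && pax_ng_supports -L; then
        printf '%s\n' "paxctl-ng -L -${flags} ${file}"
    elif pax_have paxctl; then
        # assumed usage: -q quiet, -c convert PT_GNU_STACK into PT_PAX
        printf '%s\n' "paxctl -q -c -${flags} ${file}"
    elif pax_have scanelf; then
        # assumed usage: -X write flags, -x show flags, -z FLAGS to set
        printf '%s\n' "scanelf -Xxz ${flags} ${file}"
    else
        return 1
    fi
}

# XATTR_PAX track: paxctl-ng -l, then setfattr on the user.pax.flags xattr.
pax_xt_command() {
    local flags="$1" file="$2"
    if pax_have paxctl-ng && pax_ng_supports -l; then
        printf '%s\n' "paxctl-ng -l -${flags} ${file}"
    elif pax_have setfattr; then
        printf '%s\n' "setfattr -n user.pax.flags -v ${flags} ${file}"
    else
        return 1
    fi
}

# Driver: sanitize, try both tracks on every file, warn once if neither
# track had a usable tool (a PaX kernel then enforces its defaults).
# Returns 0 if at least one track could be used.
pax_mark() {
    local flags file cmd ok=0
    flags=$(pax_sanitize_flags "$1")
    [ -n "$flags" ] || { echo "warning: no valid PaX flags in '$1'" >&2; return 1; }
    shift
    for file in "$@"; do
        if cmd=$(pax_pt_command "$flags" "$file"); then echo "PT_PAX: $cmd"; ok=1; fi
        if cmd=$(pax_xt_command "$flags" "$file"); then echo "XATTR_PAX: $cmd"; ok=1; fi
    done
    [ "$ok" = 1 ] && return 0
    echo "warning: no tool available to set PaX flags -${flags}; kernel defaults apply" >&2
    return 1
}

# Usage: ./pax-mark-sketch.sh -m /path/to/binary ...
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -gt 0 ]; then
    pax_mark "$@"
fi
```

Run it as `./pax-mark-sketch.sh -m /path/to/binary` to see which command each track would pick on the current machine; with no tool installed it falls through to the ewarn-style message, which is exactly the "if we exhaust possibilities, then ewarn" case of comment 6.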
Comment 12 Anthony Basile gentoo-dev 2013-02-10 12:35:48 UTC
Created attachment 338496 [details]
Proposed eclass.

Alphat-PC showed me an even better bashism that works.
Comment 13 Anthony Basile gentoo-dev 2013-02-10 12:37:28 UTC
Created attachment 338498 [details, diff]
Diff of proposed pax-utils.eclass to current version on the tree.
Comment 14 Anthony Basile gentoo-dev 2013-04-05 02:10:12 UTC
pax-utils.eclass has been updated on the tree.  Please open separate bug reports for any problems. (This bug was just about getting it into the tree.)