Bug 447616 - pax-utils.eclass from hardened-dev assumes that paxctl-ng supports pt_pax
Summary: pax-utils.eclass from hardened-dev assumes that paxctl-ng supports pt_pax
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Blocks: 431092
Reported: 2012-12-17 17:01 UTC by Amadeusz Sławiński
Modified: 2013-02-10 14:24 UTC

Description Amadeusz Sławiński 2012-12-17 17:01:00 UTC
eclass seems to just check if paxctl-ng is installed but not if it is usable (i.e. built with pt_pax support)

[ebuild   R    ] dev-python/pypax-0.7.0  USE="xtpax -ptpax" 0 kB
[ebuild   R    ] sys-apps/elfix-0.7.0  USE="xtpax -ptpax {-test}" 0 kB

For example, with valgrind the pt_pax flags are incorrect:

 * PT PaX marking -m
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/cachegrind-amd64-linux
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/callgrind-amd64-linux
...
 * XT PaX marking -m
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/cachegrind-amd64-linux
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/callgrind-amd64-linux
...


# paxctl-ng -v /usr/lib64/valgrind/callgrind-amd64-linux
/usr/lib64/valgrind/callgrind-amd64-linux:
	XT_PAX: -em--

# paxctl -v /usr/lib64/valgrind/callgrind-amd64-linux 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/lib64/valgrind/callgrind-amd64-linux]
	RANDEXEC is disabled
	EMUTRAMP is disabled

# paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux 
/usr/lib64/valgrind/cachegrind-amd64-linux:
	XT_PAX: -em--

# paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux    
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
	RANDEXEC is disabled
	EMUTRAMP is disabled


Reproducible: Always
Comment 1 Anthony Basile gentoo-dev 2012-12-17 17:42:00 UTC
(In reply to comment #0)
> eclass seems to just check if paxctl-ng is installed but not if it is usable
> (i.e. built with pt_pax support)

Good point, thanks.
Comment 2 Anthony Basile gentoo-dev 2012-12-30 12:36:38 UTC
(In reply to comment #1)
> (In reply to comment #0)
> > eclass seems to just check if paxctl-ng is installed but not if it is usable
> > (i.e. built with pt_pax support)
> 
> Good point, thanks.

Please test the eclass I just put on the hardened-dev overlay with =sys-apps/elfix-0.8.0 which is ~arch right now.
Comment 3 Amadeusz Sławiński 2012-12-31 13:01:19 UTC
Looks like it works

# paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux
/usr/lib64/valgrind/cachegrind-amd64-linux:
	XATTR_PAX: -em--

# paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
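
Added example (not part of the bug report and not the eclass's code): a shell check that compares, for one flag, the marking paxctl reports for the PT_PAX_FLAGS program header with the extended-attribute marking paxctl-ng reports. It runs over the tool output quoted in the description and in comment 3; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Sample inputs are tool output quoted from this bug report.
# BEFORE: description (eclass log claimed both PT and XT were marked -m).
NG_BEFORE='/usr/lib64/valgrind/callgrind-amd64-linux:
	XT_PAX: -em--'
PAXCTL_BEFORE='- PaX flags: -------x-e-- [/usr/lib64/valgrind/callgrind-amd64-linux]'
# AFTER: comment 3 (updated eclass, elfix-0.8.0).
NG_AFTER='/usr/lib64/valgrind/cachegrind-amd64-linux:
	XATTR_PAX: -em--'
PAXCTL_AFTER='- PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]'

# pax_field LABEL TEXT: print the flag string after "LABEL:", or nothing.
pax_field() {
    printf '%s\n' "$2" |
        sed -n "s/^.*$1:[[:space:]]*\([^[:space:]]*\).*$/\1/p" | head -n 1
}

# flag_state FLAG FLAGSTRING: absent (no such field), set, or unset.
flag_state() {
    case $2 in
        '') echo absent ;;
        *"$1"*) echo set ;;
        *) echo unset ;;
    esac
}

# check_marking FLAG PAXCTL_NG_OUTPUT PAXCTL_OUTPUT
# paxctl reports the PT_PAX_FLAGS program header; paxctl-ng here reports the
# extended-attribute marking, labelled XT_PAX (0.7.0) or XATTR_PAX (0.8.x).
check_marking() {
    pt=$(pax_field "PaX flags" "$3")
    xt=$(pax_field "XT_PAX" "$2")
    [ -n "$xt" ] || xt=$(pax_field "XATTR_PAX" "$2")
    printf 'pt=%s xattr=%s\n' \
        "$(flag_state "$1" "$pt")" "$(flag_state "$1" "$xt")"
}

check_marking m "$NG_BEFORE" "$PAXCTL_BEFORE"   # marking did not land in PT
check_marking m "$NG_AFTER" "$PAXCTL_AFTER"     # both markings agree
```

A `pt=unset` result next to a build log line saying "PT PaX marking -m" is the mismatch this bug describes.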
Comment 4 Anthony Basile gentoo-dev 2013-02-10 01:40:10 UTC
(In reply to comment #3)
> Looks like it works
> 
> # paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux
> /usr/lib64/valgrind/cachegrind-amd64-linux:
> 	XATTR_PAX: -em--
> 
> # paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux 
> PaX control v0.7
> Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team
> <pageexec@freemail.hu>
> 
> - PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
> 	MPROTECT is disabled
> 	RANDEXEC is disabled
> 	EMUTRAMP is disabled

I've had to update the eclass for bug #445948.  It works for me.  If you have the chance, can you test again?  Use elfix-0.8.1 and the eclass from the hardened-dev overlay at

http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=fdc7769e014e3e4de8ebd0ae8896a1a83dc47c03;hb=3a2cbaec20cf614ec0dfbf7a6c0d3cedff412b5b
Comment 5 Amadeusz Sławiński 2013-02-10 14:14:55 UTC
[ebuild   R    ] sys-apps/elfix-0.8.1  USE="xtpax -ptpax" 0 kB

It still works fine

# paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux
/usr/lib64/valgrind/cachegrind-amd64-linux:
	XATTR_PAX: -em--

# paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
Comment 6 Anthony Basile gentoo-dev 2013-02-10 14:24:31 UTC
Thanks