commit: 52850ffd31461646745eb3fddc76c4e7cfb8fe36 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Mon Nov 28 20:46:55 2011 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Mon Nov 28 20:46:55 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=52850ffd |
|
eclass/pax-utils.eclass: wrap paxctl-ng |
|
--- |
XT_PAX-howto.txt => HOWTO.txt | 34 ++++++++--- |
README | 26 ++------ |
eclass/pax-utils.eclass | 135 +++++++++++++++++++++++++++++++++++++++++ |
3 files changed, 165 insertions(+), 30 deletions(-) |
|
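diff --git a/XT_PAX-howto.txt b/HOWTO.txt
similarity index 89%
rename from XT_PAX-howto.txt
rename to HOWTO.txt
index 5d1a2a9..e443b76 100644
--- a/XT_PAX-howto.txt
+++ b/HOWTO.txt
@@ -37,7 +37,14 @@ The goodies are in a branch of the hardened-development overlay:
 git checkout XT_PAX # switch branches
 git pull origin XT_PAX # and pull
 
-2. Now let's emerge the stuff we'll need later:
+2. We need to override portage's pax-utils.eclass with the overlay's eclass.
+
+cat << EOF >> /etc/portage/repos.conf
+[DEFAULT]
+eclass-overrides = hardened-development
+EOF
+
+3. Now let's emerge the stuff we'll need later:
 
 emerge =sys-devel/binutils-2.21.1-r2 \ # these are all masked so
 =sys-kernel/xtpax-sources-3.1.1 \ # we'll have to unmask them
@@ -53,7 +60,7 @@ The goodies are in a branch of the hardened-development overlay:
 source /etc/profile # for binutils, if we keep using
 # the same shell
 
-3. Our version of binutils intentionally excluse the PT_PAX program header from
+4. Our version of binutils intentionally excluse the PT_PAX program header from
 ELF binaries, so let's make sure its really gone
 
 echo "int main(){;return 0;}" > test.c ; gcc -o test test.c ; readelf -l test
@@ -62,23 +69,22 @@ If you see a PT_PAX header, or possibly one called LOOS+5041580 at the end of th
 (ie after GNU_RELRO), then something went wrong.
 
 
-4. To be safe, let's rebuild our entire toolchain.
+5. To be safe, let's rebuild our entire toolchain.
 
 emerge gcc glibc binutils
 
-5. Then let's rebuild world
+6. Then let's rebuild world
 
 emerge --keep-going -eq world
 
 #packages that were not remerged
- nano - manual remerge fixes it
 grub - manual remerge fails it (still paxmarked)
 
-6. And finally, let's do any post-world rebuild cleanup:
+7. And finally, let's do any post-world rebuild cleanup:
 
 etc-update
 
-7. As a final test that all binaries under /bin (or /sbin or /usr/bin etc) really
+8. As a final test that all binaries under /bin (or /sbin or /usr/bin etc) really
 have not PT_PAX header:
 
 paxctl-ng -v /bin/*
@@ -140,9 +146,19 @@ you want to use. I also recommend xattr support on tmpfs:
 [*] Squashfs XATTR support
 ...
 
-3. Compile the kernel and boot.
+3. Compile the kernel and boot. If you didn't install grub on the MBR before the
+migration, do so now, but be extra careful to make sure it was properly pax marked
+before runnign it from the command line. paxctl-ng -v /sbin/grub should give
+
+/sbin/grub:
+ PT_PAX: not found
+ XT_PAX: --me-x
+
+If it doesn't that may be because the eclass didn't properly pax mark it! Do so
+manually if need be:
 
-# I had to reinstall grub to /dev/sda before I could boot
+ paxctl-ng -cv /sbin/grub # To create the XT_PAX field
+ paxctl-ng -mexv /sbin/grub # To properly mark it
 
 --------------------------------------------------------------------------------
 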
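diff --git a/README b/README
index 5ca81f9..60258a5 100644
--- a/README
+++ b/README
@@ -1,23 +1,7 @@
-This overlay is for Hardened Development, this is where we can test hardened toolchain, bugfixes, packages, profiles and eclasses before
-commiting to the tree.
+This is the README only for the XT_PAX branch. See the README in main branch
+for information about the entire overlay.
 
-Keep the entire overlay to that of gentoo policy, all functions of the overlay will work there way to the tree, once we reach a state
-that is acceptable for use by the users.
+This overlay/branch is to test a pure XT_PAX based system, that is a system in
+which the pax markins are made *only* in the filesystem extended attributes.
+Follow the HOWTO.txt to convert any Gentoo system to a pure XT_PAX based system.
 
-For help on using and testing the overlay please refer to :
-Forum tread http://forums.gentoo.org/viewtopic-t-790110.html
-
-Bugs should be filled on bugs.gentoo.org, please ensure that you make it clear that the bug is
-caused or a part of the hardened-dev overlay, if you are unsure file an advanced bug report and
-assign to hardened-dev@g.o and someone from dev team will reassign if needed; more
-The testing branch is if we need to do major change on this overlay.
-
-Commiters:
-Magnus Granberg (Zorry) <zorry@g.o>
-Jory A. Pratt (Anarchy) <anarchy@g.o>
-Peter Hjalmarsson (Xake) <xake@×××××××××.net>
-Anthony G. Basile (blueness) <blueness@g.o>
-Chris Richards (gizmo) <gizmo@×××××××××.com> - SELinux
-Sven Vermeulen (SwifT) <sven.vermeulen@××××××.be> - SELinux
-
-2010-11-25 Magnus Granberg (Zorry) <zorry@g.o>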
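diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
new file mode 100644
index 0000000..2ddbf9f
--- /dev/null
+++ b/eclass/pax-utils.eclass
@@ -0,0 +1,135 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.15 2011/08/22 04:46:32 vapier Exp $
+
+# @ECLASS: pax-utils.eclass
+# @MAINTAINER:
+# The Gentoo Linux Hardened Team <hardened@g.o>
+# @AUTHOR:
+# Original Author: Kevin F. Quinn <kevquinn@g.o>
+# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@g.o>
+# Modifications for XT_PAX markings: Anthony G. Basile <blueness@g.o>
+# @BLURB: functions to provide pax markings
+# @DESCRIPTION:
+# This eclass provides support for manipulating PaX markings on ELF binaries,
+# wrapping the use of the paxctl-ng utilities.
+#
+# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to
+# contain either "XT", "PT" or "none".
+#
+# If PAX_MARKINGS is set to "XT" and paxctl-ng is installed, then both XT_PAX
+# and PT_PAX markings will be made, where possible: XT_PAX will not be made if
+# the file system doesn't support extended attributes and PT_PAX will not be
+# made if the ELF binary doesn't have a PT_PAX header.
+#
+# If PAX_MARKINGS is setto "PT" and paxctl is installed, then only PT_PAX
+# markings will be made.
+#
+# Finally, if neither utility is found, or PAX_MARKINGS is set to "none",
+# then no markings will be made.
+#
+# Note: unlike the original pax-utils.eclass, we will not try to use paxctl -c
+# or paxctl -C to convert or create a PT_PAX program header. Nor will we fall
+# back on scanelf.
+
+inherit eutils
+
+# Default to XT markings.
+PAX_MARKINGS=${PAX_MARKINGS:="XT"}
+
+# @FUNCTION: pax-mark
+# @USAGE: <flags> {<ELF files>}
+# @RETURN: Shell true if we succeed, shell false otherwise
+# @DESCRIPTION:
+# Marks <ELF files> with provided PaX <flags>
+#
+# Flags are passed directly to the utilities unchanged. Possible flags at the
+# time of writing, taken from /usr/sbin/paxctl-ng, are:
+#
+# p: disable PAGEEXEC P: enable PAGEEXEC
+# e: disable EMUTRMAP E: enable EMUTRMAP
+# m: disable MPROTECT M: enable MPROTECT
+# r: disable RANDMMAP R: enable RANDMMAP
+# s: disable SEGMEXEC S: enable SEGMEXEC
+#
+# Default flags are 'PeMRS', which are the most restrictive settings.
+# Do not use the obsolete flag 'x'/'X'.
+pax-mark() {
+ local f flags fail=0 failures="" zero_load_alignment
+ # Remove all dashes from the flags
+ flags=${1//-}
+ shift
+ if type -p paxctl-ng > /dev/null && has XT ${PAX_MARKINGS}; then
+ elog "XT PaX marking -${flags}"
+ _pax_list_files elog "$@"
+ for f in "$@"; do
+ paxctl-ng -C "${f}"
+ paxctl-ng -${flags} "${f}" && continue
+ fail=1
+ failures="${failures} ${f}"
+ done
+ elif type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
+ elog "PT PaX marking -${flags}"
+ _pax_list_files elog "$@"
+ for f in "$@"; do
+ paxctl -q${flags} "${f}" && continue
+ fail=1
+ failures="${failures} ${f}"
+ done
+ elif [[ ${PAX_MARKINGS} != "none" ]]; then
+ failures="$*"
+ fail=1
+ fi
+ if [[ ${fail} == 1 ]]; then
+ ewarn "Failed to set PaX markings -${flags} for:"
+ _pax_list_files ewarn ${failures}
+ ewarn "Executables may be killed by PaX kernels."
+ fi
+ return ${fail}
+}
+
+# @FUNCTION: list-paxables
+# @USAGE: {<files>}
+# @RETURN: Subset of {<files>} which are ELF executables or shared objects
+# @DESCRIPTION:
+# Print to stdout all of the <files> that are suitable to have PaX flag
+# markings, i.e., filter out the ELF executables or shared objects from a list
+# of files. This is useful for passing wild-card lists to pax-mark, although
+# in general it is preferable for ebuilds to list precisely which ELFS are to
+# be marked. Often not all the ELF installed by a package need remarking.
+# @EXAMPLE:
+# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)
+list-paxables() {
+ file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
+}
+
+# @FUNCTION: host-is-pax
+# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise
+# @DESCRIPTION:
+# This is intended for use where the build process must be modified conditionally
+# depending on whether the host is PaX enabled or not. It is not intedened to
+# determine whether the final binaries need PaX markings. Note: if procfs is
+# not mounted on /proc, this returns shell false (e.g. Gentoo/FBSD).
+host-is-pax() {
+ grep -qs ^PaX: /proc/self/status
+}
+
+
+# INTERNAL FUNCTIONS
+# ------------------
+#
+# These functions are for use internally by the eclass - do not use
+# them elsewhere as they are not supported (i.e. they may be removed
+# or their function may change arbitratily).
+
+# Display a list of things, one per line, indented a bit, using the
+# display command in $1.
+_pax_list_files() {
+ local f cmd
+ cmd=$1
+ shift
+ for f in "$@"; do
+ ${cmd} " ${f}"
+ done
+}
+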
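Review bot: `flags=${1//-}` in pax-mark only strips dashes, so whatever an ebuild passes after that is handed straight to the tool as an option string in `paxctl-ng -${flags} "${f}"` (and `paxctl -q${flags}`); the header documents exactly ten valid letters and tells callers not to use x/X, but nothing enforces it, and an unexpected letter may be interpreted by the utility as an unrelated option rather than rejected. I would validate right after the assignment: `[[ ${flags} =~ ^[pPeEmMrRsS]+$ ]] || die "pax-mark: invalid PaX flags '${1}'"`. Two smaller points: the exit status of `paxctl-ng -C "${f}"` is discarded, and HOWTO.txt in this same commit uses `paxctl-ng -cv` to create the XT_PAX field, so it is worth confirming that `-C` is the creation mode the header comment describes. Also, since XT_PAX markings live in extended attributes, the eclass can only guarantee the marking on the file it touches at build time; whether the xattr survives the merge into the live filesystem is presumably outside this eclass and deserves a sentence in the @DESCRIPTION so packagers do not assume a clean elog means a marked binary on disk.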