Gentoo Archives: gentoo-commits

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-dev:XT_PAX commit in: /, eclass/
Date: Mon, 28 Nov 2011 20:47:11
Message-Id: 52850ffd31461646745eb3fddc76c4e7cfb8fe36.blueness@gentoo
1 commit: 52850ffd31461646745eb3fddc76c4e7cfb8fe36
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Mon Nov 28 20:46:55 2011 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Mon Nov 28 20:46:55 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=52850ffd
7
8 eclass/pax-utils.eclass: wrap paxctl-ng
9
10 ---
11 XT_PAX-howto.txt => HOWTO.txt | 34 ++++++++---
12 README | 26 ++------
13 eclass/pax-utils.eclass | 135 +++++++++++++++++++++++++++++++++++++++++
14 3 files changed, 165 insertions(+), 30 deletions(-)
15
16 diff --git a/XT_PAX-howto.txt b/HOWTO.txt
17 similarity index 89%
18 rename from XT_PAX-howto.txt
19 rename to HOWTO.txt
20 index 5d1a2a9..e443b76 100644
21 --- a/XT_PAX-howto.txt
22 +++ b/HOWTO.txt
23 @@ -37,7 +37,14 @@ The goodies are in a branch of the hardened-development overlay:
24 git checkout XT_PAX # switch branches
25 git pull origin XT_PAX # and pull
26
27 -2. Now let's emerge the stuff we'll need later:
28 +2. We need to override portage's pax-utils.eclass with the overlay's eclass.
29 +
30 +cat << EOF >> /etc/portage/repos.conf
31 +[DEFAULT]
32 +eclass-overrides = hardened-development
33 +EOF
34 +
35 +3. Now let's emerge the stuff we'll need later:
36
37 emerge =sys-devel/binutils-2.21.1-r2 \ # these are all masked so
38 =sys-kernel/xtpax-sources-3.1.1 \ # we'll have to unmask them
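Review bot: appending the `[DEFAULT]` block with `cat << EOF >> /etc/portage/repos.conf` produces a second `[DEFAULT]` header when the file already has one, so step 2 should tell the reader to check for an existing section (or an existing `eclass-overrides` line) before appending, rather than blindly redirecting with `>>`. The step also silently assumes the overlay is registered under the name `hardened-development`; say that the value of `eclass-overrides` must match the name portage knows the overlay by, otherwise the override is ignored and the tree's pax-utils.eclass is still used.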
39 @@ -53,7 +60,7 @@ The goodies are in a branch of the hardened-development overlay:
40 source /etc/profile # for binutils, if we keep using
41 # the same shell
42
43 -3. Our version of binutils intentionally excluse the PT_PAX program header from
44 +4. Our version of binutils intentionally excluse the PT_PAX program header from
45 ELF binaries, so let's make sure its really gone
46
47 echo "int main(){;return 0;}" > test.c ; gcc -o test test.c ; readelf -l test
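Review bot: the renumbered line still carries the typos `excluse` (should be `excludes`) and `its really gone` (should be `it's really gone`); since this hunk rewrites the line anyway, fix them here, e.g. `4. Our version of binutils intentionally excludes the PT_PAX program header from`.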
48 @@ -62,23 +69,22 @@ If you see a PT_PAX header, or possibly one called LOOS+5041580 at the end of th
49 (ie after GNU_RELRO), then something went wrong.
50
51
52 -4. To be safe, let's rebuild our entire toolchain.
53 +5. To be safe, let's rebuild our entire toolchain.
54
55 emerge gcc glibc binutils
56
57 -5. Then let's rebuild world
58 +6. Then let's rebuild world
59
60 emerge --keep-going -eq world
61
62 #packages that were not remerged
63 - nano - manual remerge fixes it
64 grub - manual remerge fails it (still paxmarked)
65
66 -6. And finally, let's do any post-world rebuild cleanup:
67 +7. And finally, let's do any post-world rebuild cleanup:
68
69 etc-update
70
71 -7. As a final test that all binaries under /bin (or /sbin or /usr/bin etc) really
72 +8. As a final test that all binaries under /bin (or /sbin or /usr/bin etc) really
73 have not PT_PAX header:
74
75 paxctl-ng -v /bin/*
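Review bot: step 8 promises a check of `/bin (or /sbin or /usr/bin etc)` but the command only runs `paxctl-ng -v /bin/*`, so a reader following it literally verifies a fraction of the system; spell the directories out, e.g. `paxctl-ng -v /bin/* /sbin/* /usr/bin/* /usr/sbin/*`, or say explicitly that the command must be repeated per directory. Also `have not PT_PAX header` should read `have no PT_PAX header`, and the silent removal of the `nano` line from the not-remerged list deserves a word in the commit message if a manual remerge is no longer needed.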
76 @@ -140,9 +146,19 @@ you want to use. I also recommend xattr support on tmpfs:
77 [*] Squashfs XATTR support
78 ...
79
80 -3. Compile the kernel and boot.
81 +3. Compile the kernel and boot. If you didn't install grub on the MBR before the
82 +migration, do so now, but be extra careful to make sure it was properly pax marked
83 +before runnign it from the command line. paxctl-ng -v /sbin/grub should give
84 +
85 +/sbin/grub:
86 + PT_PAX: not found
87 + XT_PAX: --me-x
88 +
89 +If it doesn't that may be because the eclass didn't properly pax mark it! Do so
90 +manually if need be:
91
92 -# I had to reinstall grub to /dev/sda before I could boot
93 + paxctl-ng -cv /sbin/grub # To create the XT_PAX field
94 + paxctl-ng -mexv /sbin/grub # To properly mark it
95
96 --------------------------------------------------------------------------------
97
98
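Review bot: the grub marking recommended here, `paxctl-ng -mexv /sbin/grub` with the expected `XT_PAX: --me-x` output, uses the `x` flag that the eclass added in this same commit documents as obsolete (`Do not use the obsolete flag 'x'/'X'`); either drop `x` from the HOWTO or explain why grub specifically needs it, otherwise the two files contradict each other. The HOWTO also states that `paxctl-ng -cv` creates the XT_PAX field while the eclass calls `paxctl-ng -C` for what looks like the same purpose; confirm which option is meant in each place. Minor: `runnign` should be `running`, and the three expected-output lines should be indented like the command lines around them so they are not mistaken for prose.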
99 diff --git a/README b/README
100 index 5ca81f9..60258a5 100644
101 --- a/README
102 +++ b/README
103 @@ -1,23 +1,7 @@
104 -This overlay is for Hardened Development, this is where we can test hardened toolchain, bugfixes, packages, profiles and eclasses before
105 -commiting to the tree.
106 +This is the README only for the XT_PAX branch. See the README in main branch
107 +for information about the entire overlay.
108
109 -Keep the entire overlay to that of gentoo policy, all functions of the overlay will work there way to the tree, once we reach a state
110 -that is acceptable for use by the users.
111 +This overlay/branch is to test a pure XT_PAX based system, that is a system in
112 +which the pax markins are made *only* in the filesystem extended attributes.
113 +Follow the HOWTO.txt to convert any Gentoo system to a pure XT_PAX based system.
114
115 -For help on using and testing the overlay please refer to :
116 -Forum tread http://forums.gentoo.org/viewtopic-t-790110.html
117 -
118 -Bugs should be filled on bugs.gentoo.org, please ensure that you make it clear that the bug is
119 -caused or a part of the hardened-dev overlay, if you are unsure file an advanced bug report and
120 -assign to hardened-dev@g.o and someone from dev team will reassign if needed; more
121 -The testing branch is if we need to do major change on this overlay.
122 -
123 -Commiters:
124 -Magnus Granberg (Zorry) <zorry@g.o>
125 -Jory A. Pratt (Anarchy) <anarchy@g.o>
126 -Peter Hjalmarsson (Xake) <xake@×××××××××.net>
127 -Anthony G. Basile (blueness) <blueness@g.o>
128 -Chris Richards (gizmo) <gizmo@×××××××××.com> - SELinux
129 -Sven Vermeulen (SwifT) <sven.vermeulen@××××××.be> - SELinux
130 -
131 -2010-11-25 Magnus Granberg (Zorry) <zorry@g.o>
132
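Review bot: typo `markins` should be `markings`, and `See the README in main branch` reads better as `See the README in the main branch`. Since this rewrite drops the bug-reporting instructions and the committer list entirely, the pointer to the main-branch README should state that it also covers where to file bugs against this branch, otherwise an XT_PAX tester has no contact point at all.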
133 diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
134 new file mode 100644
135 index 0000000..2ddbf9f
136 --- /dev/null
137 +++ b/eclass/pax-utils.eclass
138 @@ -0,0 +1,135 @@
139 +# Copyright 1999-2011 Gentoo Foundation
140 +# Distributed under the terms of the GNU General Public License v2
141 +# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.15 2011/08/22 04:46:32 vapier Exp $
142 +
143 +# @ECLASS: pax-utils.eclass
144 +# @MAINTAINER:
145 +# The Gentoo Linux Hardened Team <hardened@g.o>
146 +# @AUTHOR:
147 +# Original Author: Kevin F. Quinn <kevquinn@g.o>
148 +# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@g.o>
149 +# Modifications for XT_PAX markings: Anthony G. Basile <blueness@g.o>
150 +# @BLURB: functions to provide pax markings
151 +# @DESCRIPTION:
152 +# This eclass provides support for manipulating PaX markings on ELF binaries,
153 +# wrapping the use of the paxctl-ng utilities.
154 +#
155 +# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to
156 +# contain either "XT", "PT" or "none".
157 +#
158 +# If PAX_MARKINGS is set to "XT" and paxctl-ng is installed, then both XT_PAX
159 +# and PT_PAX markings will be made, where possible: XT_PAX will not be made if
160 +# the file system doesn't support extended attributes and PT_PAX will not be
161 +# made if the ELF binary doesn't have a PT_PAX header.
162 +#
163 +# If PAX_MARKINGS is setto "PT" and paxctl is installed, then only PT_PAX
164 +# markings will be made.
165 +#
166 +# Finally, if neither utility is found, or PAX_MARKINGS is set to "none",
167 +# then no markings will be made.
168 +#
169 +# Note: unlike the original pax-utils.eclass, we will not try to use paxctl -c
170 +# or paxctl -C to convert or create a PT_PAX program header. Nor will we fall
171 +# back on scanelf.
172 +
173 +inherit eutils
174 +
175 +# Default to XT markings.
176 +PAX_MARKINGS=${PAX_MARKINGS:="XT"}
177 +
178 +# @FUNCTION: pax-mark
179 +# @USAGE: <flags> {<ELF files>}
180 +# @RETURN: Shell true if we succeed, shell false otherwise
181 +# @DESCRIPTION:
182 +# Marks <ELF files> with provided PaX <flags>
183 +#
184 +# Flags are passed directly to the utilities unchanged. Possible flags at the
185 +# time of writing, taken from /usr/sbin/paxctl-ng, are:
186 +#
187 +# p: disable PAGEEXEC P: enable PAGEEXEC
188 +# e: disable EMUTRMAP E: enable EMUTRMAP
189 +# m: disable MPROTECT M: enable MPROTECT
190 +# r: disable RANDMMAP R: enable RANDMMAP
191 +# s: disable SEGMEXEC S: enable SEGMEXEC
192 +#
193 +# Default flags are 'PeMRS', which are the most restrictive settings.
194 +# Do not use the obsolete flag 'x'/'X'.
195 +pax-mark() {
196 + local f flags fail=0 failures="" zero_load_alignment
197 + # Remove all dashes from the flags
198 + flags=${1//-}
199 + shift
200 + if type -p paxctl-ng > /dev/null && has XT ${PAX_MARKINGS}; then
201 + elog "XT PaX marking -${flags}"
202 + _pax_list_files elog "$@"
203 + for f in "$@"; do
204 + paxctl-ng -C "${f}"
205 + paxctl-ng -${flags} "${f}" && continue
206 + fail=1
207 + failures="${failures} ${f}"
208 + done
209 + elif type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
210 + elog "PT PaX marking -${flags}"
211 + _pax_list_files elog "$@"
212 + for f in "$@"; do
213 + paxctl -q${flags} "${f}" && continue
214 + fail=1
215 + failures="${failures} ${f}"
216 + done
217 + elif [[ ${PAX_MARKINGS} != "none" ]]; then
218 + failures="$*"
219 + fail=1
220 + fi
221 + if [[ ${fail} == 1 ]]; then
222 + ewarn "Failed to set PaX markings -${flags} for:"
223 + _pax_list_files ewarn ${failures}
224 + ewarn "Executables may be killed by PaX kernels."
225 + fi
226 + return ${fail}
227 +}
228 +
229 +# @FUNCTION: list-paxables
230 +# @USAGE: {<files>}
231 +# @RETURN: Subset of {<files>} which are ELF executables or shared objects
232 +# @DESCRIPTION:
233 +# Print to stdout all of the <files> that are suitable to have PaX flag
234 +# markings, i.e., filter out the ELF executables or shared objects from a list
235 +# of files. This is useful for passing wild-card lists to pax-mark, although
236 +# in general it is preferable for ebuilds to list precisely which ELFS are to
237 +# be marked. Often not all the ELF installed by a package need remarking.
238 +# @EXAMPLE:
239 +# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)
240 +list-paxables() {
241 + file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
242 +}
243 +
244 +# @FUNCTION: host-is-pax
245 +# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise
246 +# @DESCRIPTION:
247 +# This is intended for use where the build process must be modified conditionally
248 +# depending on whether the host is PaX enabled or not. It is not intedened to
249 +# determine whether the final binaries need PaX markings. Note: if procfs is
250 +# not mounted on /proc, this returns shell false (e.g. Gentoo/FBSD).
251 +host-is-pax() {
252 + grep -qs ^PaX: /proc/self/status
253 +}
254 +
255 +
256 +# INTERNAL FUNCTIONS
257 +# ------------------
258 +#
259 +# These functions are for use internally by the eclass - do not use
260 +# them elsewhere as they are not supported (i.e. they may be removed
261 +# or their function may change arbitratily).
262 +
263 +# Display a list of things, one per line, indented a bit, using the
264 +# display command in $1.
265 +_pax_list_files() {
266 + local f cmd
267 + cmd=$1
268 + shift
269 + for f in "$@"; do
270 + ${cmd} " ${f}"
271 + done
272 +}
273 +