[gentoo-dev] [PATCH] pax-utils.eclass: allow EAPI=8 - gentoo-dev

From:	Sergei Trofimovich <slyfox@g.o>
To:	gentoo-dev@l.g.o
Cc:	Sergei Trofimovich <slyfox@g.o>, hardened@g.o
Subject:	[gentoo-dev] [PATCH] pax-utils.eclass: allow EAPI=8
Date:	Thu, 15 Jul 2021 09:59:02
Message-Id:	`20210715095817.2603762-1-slyfox@gentoo.org`

1

CC: hardened@g.o

2

Closes: https://bugs.gentoo.org/802258

3

Signed-off-by: Sergei Trofimovich <slyfox@g.o>

4

---

5

 eclass/pax-utils.eclass | 4 ++--

6

 1 file changed, 2 insertions(+), 2 deletions(-)

7

8

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass

9

index 9c4903d24b6..f48dcdafe01 100644

10

--- a/eclass/pax-utils.eclass

11

+++ b/eclass/pax-utils.eclass

12

@@ -1,200 +1,200 @@

13

 # Copyright 1999-2021 Gentoo Authors

14

 # Distributed under the terms of the GNU General Public License v2

15

16

 # @ECLASS: pax-utils.eclass

17

 # @MAINTAINER:

18

 # The Gentoo Linux Hardened Team <hardened@g.o>

19

 # @AUTHOR:

20

 # Author: Kevin F. Quinn <kevquinn@g.o>

21

 # Author: Anthony G. Basile <blueness@g.o>

22

-# @SUPPORTED_EAPIS: 5 6 7

23

+# @SUPPORTED_EAPIS: 5 6 7 8

24

 # @BLURB: functions to provide PaX markings for hardened kernels

25

 # @DESCRIPTION:

26

#

27

 # This eclass provides support for manipulating PaX markings on ELF binaries,

28

 # whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.

29

 # The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,

30

 # deciding which to use depending on what's installed on the build host, and

31

 # whether we're working with PT_PAX, XATTR_PAX or both.

32

 # Legacy PT_PAX markings no longer supported.

33

#

34

 # To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf

35

 # to contain either "PT", "XT" or "none".  The default is none

36

37

 case ${EAPI:-0} in

38

-	[567]) ;;

39

+	5|6|7|8) ;;

40

 	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;

41

 esac

42

43

 if [[ -z ${_PAX_UTILS_ECLASS} ]]; then

44

 _PAX_UTILS_ECLASS=1

45

46

 # @ECLASS-VARIABLE: PAX_MARKINGS

47

 # @DESCRIPTION:

48

 # Control which markings are made:

49

 # PT = PT_PAX markings, XT = XATTR_PAX markings

50

 # Default to none markings.

51

 PAX_MARKINGS=${PAX_MARKINGS:="none"}

52

53

 # @FUNCTION: pax-mark

54

 # @USAGE: <flags> <ELF files>

55

 # @RETURN: Shell true if we succeed, shell false otherwise

56

 # @DESCRIPTION:

57

 # Marks <ELF files> with provided PaX <flags>

58

#

59

 # Flags are passed directly to the utilities unchanged.

60

#

61

 # @CODE

62

 #	p: disable PAGEEXEC		P: enable PAGEEXEC

63

 #	e: disable EMUTRAMP		E: enable EMUTRAMP

64

 #	m: disable MPROTECT		M: enable MPROTECT

65

 #	r: disable RANDMMAP		R: enable RANDMMAP

66

 #	s: disable SEGMEXEC		S: enable SEGMEXEC

67

 # @CODE

68

#

69

 # Default flags are 'PeMRS', which are the most restrictive settings.  Refer

70

 # to https://pax.grsecurity.net/ for details on what these flags are all about.

71

#

72

 # Please confirm any relaxation of restrictions with the Gentoo Hardened team.

73

 # Either ask on the gentoo-hardened mailing list, or CC/assign

74

 # hardened@g.o on the bug report.

75

 pax-mark() {

76

 	local f								# loop over paxables

77

 	local flags							# pax flags

78

 	local ret=0							# overall return code of this function

79

80

 	# Only the actual PaX flags and z are accepted

81

 	# 1. The leading '-' is optional

82

 	# 2. -C -c only make sense for paxctl, but are unnecessary

83

 	#    because we progressively do -q -qc -qC

84

 	# 3. z is allowed for the default

85

86

 	flags="${1//[!zPpEeMmRrSs]}"

87

 	[[ "${flags}" ]] || return 0

88

 	shift

89

90

 	# z = default. For XATTR_PAX, the default is no xattr field at all

91

 	local dodefault=""

92

 	[[ "${flags//[!z]}" ]] && dodefault="yes"

93

94

 	if has PT ${PAX_MARKINGS}; then

95

 		# Uncomment to list all files to be marked

96

 		# _pax_list_files einfo "$@"

97

 		for f in "$@"; do

98

99

 			# First try paxctl

100

 			if type -p paxctl >/dev/null; then

101

 				einfo "PT_PAX marking -${flags} ${f} with paxctl"

102

 				# We try modifying the existing PT_PAX_FLAGS header.

103

 				paxctl -q${flags} "${f}" >/dev/null 2>&1 && continue

104

 				# We no longer try to create/convert a PT_PAX_FLAGS header, bug #590422

105

 				# paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue

106

 				# paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue

107

fi

108

109

 			# Next try paxctl-ng -> this will not create/convert any program headers.

110

 			if type -p paxctl-ng >/dev/null && paxctl-ng -L ; then

111

 				einfo "PT_PAX marking -${flags} ${f} with paxctl-ng"

112

 				flags="${flags//z}"

113

 				[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}" >/dev/null 2>&1

114

 				[[ "${flags}" ]] || continue

115

 				paxctl-ng -L -${flags} "${f}" >/dev/null 2>&1 && continue

116

fi

117

118

 			# Finally fall back on scanelf.

119

 			if type -p scanelf >/dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then

120

 				einfo "PT_PAX marking -${flags} ${f} with scanelf"

121

 				scanelf -Xxz ${flags} "$f" >/dev/null 2>&1

122

 			# We failed to set PT_PAX flags.

123

 			elif [[ ${PAX_MARKINGS} != "none" ]]; then

124

 				elog "Failed to set PT_PAX markings -${flags} ${f}."

125

 				ret=1

126

fi

127

 		done

128

fi

129

130

 	if has XT ${PAX_MARKINGS}; then

131

 		# Uncomment to list all files to be marked

132

 		# _pax_list_files einfo "$@"

133

 		flags="${flags//z}"

134

 		for f in "$@"; do

135

136

 			# First try paxctl-ng.

137

 			if type -p paxctl-ng >/dev/null && paxctl-ng -l ; then

138

 				einfo "XATTR_PAX marking -${flags} ${f} with paxctl-ng"

139

 				[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}" >/dev/null 2>&1

140

 				[[ "${flags}" ]] || continue

141

 				paxctl-ng -l -${flags} "${f}" >/dev/null 2>&1 && continue

142

fi

143

144

 			# Next try setfattr.

145

 			if type -p setfattr >/dev/null; then

146

 				[[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150

147

 				einfo "XATTR_PAX marking -${flags} ${f} with setfattr"

148

 				[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}" >/dev/null 2>&1

149

 				setfattr -n "user.pax.flags" -v "${flags}" "${f}" >/dev/null 2>&1 && continue

150

fi

151

152

 			# We failed to set XATTR_PAX flags.

153

 			if [[ ${PAX_MARKINGS} != "none" ]]; then

154

 				elog "Failed to set XATTR_PAX markings -${flags} ${f}."

155

 				ret=1

156

fi

157

 		done

158

fi

159

160

 	# [[ ${ret} == 1 ]] && elog "Executables may be killed by PaX kernels."

161

162

 	return ${ret}

163

}

164

165

 # @FUNCTION: list-paxables

166

 # @USAGE: <files>

167

 # @RETURN: Subset of <files> which are ELF executables or shared objects

168

 # @DESCRIPTION:

169

 # Print to stdout all of the <files> that are suitable to have PaX flag

170

 # markings, i.e., filter out the ELF executables or shared objects from a list

171

 # of files.  This is useful for passing wild-card lists to pax-mark, although

172

 # in general it is preferable for ebuilds to list precisely which ELFS are to

173

 # be marked.  Often not all the ELF installed by a package need remarking.

174

 # @EXAMPLE:

175

 # pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)

176

 list-paxables() {

177

 	file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'

178

}

179

180

 # @FUNCTION: host-is-pax

181

 # @RETURN: Shell true if the build process is PaX enabled, shell false otherwise

182

 # @DESCRIPTION:

183

 # This is intended for use where the build process must be modified conditionally

184

 # depending on whether the host is PaX enabled or not.  It is not indented to

185

 # determine whether the final binaries need PaX markings.  Note: if procfs is

186

 # not mounted on /proc, this returns shell false (e.g. Gentoo/FreeBSD).

187

 host-is-pax() {

188

 	grep -qs ^PaX: /proc/self/status

189

}

190

191

192

 # INTERNAL FUNCTIONS

193

 # ------------------

194

#

195

 # These functions are for use internally by the eclass - do not use

196

 # them elsewhere as they are not supported (i.e. they may be removed

197

 # or their function may change arbitrarily).

198

199

 # @FUNCTION: _pax_list_files

200

 # @INTERNAL

201

 # @USAGE: <command to display items> [items]

202

 # @DESCRIPTION:

203

 # Display a list of things, one per line, indented a bit, using the

204

 # display command in $1.

205

 _pax_list_files() {

206

 	local f cmd

207

 	cmd=$1

208

 	shift

209

 	for f in "$@"; do

210

 		${cmd} "     ${f}"

211

 	done

212

}

213

214

fi

215

--

216

2.32.0

Gentoo Archives: gentoo-dev

Replies

1	CC: hardened@g.o
2	Closes: https://bugs.gentoo.org/802258
3	Signed-off-by: Sergei Trofimovich <slyfox@g.o>
4	---
5	eclass/pax-utils.eclass \| 4 ++--
6	1 file changed, 2 insertions(+), 2 deletions(-)
7
8	diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
9	index 9c4903d24b6..f48dcdafe01 100644
10	--- a/eclass/pax-utils.eclass
11	+++ b/eclass/pax-utils.eclass
12	@@ -1,200 +1,200 @@
13	# Copyright 1999-2021 Gentoo Authors
14	# Distributed under the terms of the GNU General Public License v2
15
16	# @ECLASS: pax-utils.eclass
17	# @MAINTAINER:
18	# The Gentoo Linux Hardened Team <hardened@g.o>
19	# @AUTHOR:
20	# Author: Kevin F. Quinn <kevquinn@g.o>
21	# Author: Anthony G. Basile <blueness@g.o>
22	-# @SUPPORTED_EAPIS: 5 6 7
23	+# @SUPPORTED_EAPIS: 5 6 7 8
24	# @BLURB: functions to provide PaX markings for hardened kernels
25	# @DESCRIPTION:
26	#
27	# This eclass provides support for manipulating PaX markings on ELF binaries,
28	# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX.
29	# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities,
30	# deciding which to use depending on what's installed on the build host, and
31	# whether we're working with PT_PAX, XATTR_PAX or both.
32	# Legacy PT_PAX markings no longer supported.
33	#
34	# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf
35	# to contain either "PT", "XT" or "none". The default is none
36
37	case ${EAPI:-0} in
38	- [567]) ;;
39	+ 5\|6\|7\|8) ;;
40	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
41	esac
42
43	if [[ -z ${_PAX_UTILS_ECLASS} ]]; then
44	_PAX_UTILS_ECLASS=1
45
46	# @ECLASS-VARIABLE: PAX_MARKINGS
47	# @DESCRIPTION:
48	# Control which markings are made:
49	# PT = PT_PAX markings, XT = XATTR_PAX markings
50	# Default to none markings.
51	PAX_MARKINGS=${PAX_MARKINGS:="none"}
52
53	# @FUNCTION: pax-mark
54	# @USAGE: <flags> <ELF files>
55	# @RETURN: Shell true if we succeed, shell false otherwise
56	# @DESCRIPTION:
57	# Marks <ELF files> with provided PaX <flags>
58	#
59	# Flags are passed directly to the utilities unchanged.
60	#
61	# @CODE
62	# p: disable PAGEEXEC P: enable PAGEEXEC
63	# e: disable EMUTRAMP E: enable EMUTRAMP
64	# m: disable MPROTECT M: enable MPROTECT
65	# r: disable RANDMMAP R: enable RANDMMAP
66	# s: disable SEGMEXEC S: enable SEGMEXEC
67	# @CODE
68	#
69	# Default flags are 'PeMRS', which are the most restrictive settings. Refer
70	# to https://pax.grsecurity.net/ for details on what these flags are all about.
71	#
72	# Please confirm any relaxation of restrictions with the Gentoo Hardened team.
73	# Either ask on the gentoo-hardened mailing list, or CC/assign
74	# hardened@g.o on the bug report.
75	pax-mark() {
76	local f # loop over paxables
77	local flags # pax flags
78	local ret=0 # overall return code of this function
79
80	# Only the actual PaX flags and z are accepted
81	# 1. The leading '-' is optional
82	# 2. -C -c only make sense for paxctl, but are unnecessary
83	# because we progressively do -q -qc -qC
84	# 3. z is allowed for the default
85
86	flags="${1//[!zPpEeMmRrSs]}"
87	[[ "${flags}" ]] \|\| return 0
88	shift
89
90	# z = default. For XATTR_PAX, the default is no xattr field at all
91	local dodefault=""
92	[[ "${flags//[!z]}" ]] && dodefault="yes"
93
94	if has PT ${PAX_MARKINGS}; then
95	# Uncomment to list all files to be marked
96	# _pax_list_files einfo "$@"
97	for f in "$@"; do
98
99	# First try paxctl
100	if type -p paxctl >/dev/null; then
101	einfo "PT_PAX marking -${flags} ${f} with paxctl"
102	# We try modifying the existing PT_PAX_FLAGS header.
103	paxctl -q${flags} "${f}" >/dev/null 2>&1 && continue
104	# We no longer try to create/convert a PT_PAX_FLAGS header, bug #590422
105	# paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
106	# paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
107	fi
108
109	# Next try paxctl-ng -> this will not create/convert any program headers.
110	if type -p paxctl-ng >/dev/null && paxctl-ng -L ; then
111	einfo "PT_PAX marking -${flags} ${f} with paxctl-ng"
112	flags="${flags//z}"
113	[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}" >/dev/null 2>&1
114	[[ "${flags}" ]] \|\| continue
115	paxctl-ng -L -${flags} "${f}" >/dev/null 2>&1 && continue
116	fi
117
118	# Finally fall back on scanelf.
119	if type -p scanelf >/dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
120	einfo "PT_PAX marking -${flags} ${f} with scanelf"
121	scanelf -Xxz ${flags} "$f" >/dev/null 2>&1
122	# We failed to set PT_PAX flags.
123	elif [[ ${PAX_MARKINGS} != "none" ]]; then
124	elog "Failed to set PT_PAX markings -${flags} ${f}."
125	ret=1
126	fi
127	done
128	fi
129
130	if has XT ${PAX_MARKINGS}; then
131	# Uncomment to list all files to be marked
132	# _pax_list_files einfo "$@"
133	flags="${flags//z}"
134	for f in "$@"; do
135
136	# First try paxctl-ng.
137	if type -p paxctl-ng >/dev/null && paxctl-ng -l ; then
138	einfo "XATTR_PAX marking -${flags} ${f} with paxctl-ng"
139	[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}" >/dev/null 2>&1
140	[[ "${flags}" ]] \|\| continue
141	paxctl-ng -l -${flags} "${f}" >/dev/null 2>&1 && continue
142	fi
143
144	# Next try setfattr.
145	if type -p setfattr >/dev/null; then
146	[[ "${flags//[!Ee]}" ]] \|\| flags+="e" # bug 447150
147	einfo "XATTR_PAX marking -${flags} ${f} with setfattr"
148	[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}" >/dev/null 2>&1
149	setfattr -n "user.pax.flags" -v "${flags}" "${f}" >/dev/null 2>&1 && continue
150	fi
151
152	# We failed to set XATTR_PAX flags.
153	if [[ ${PAX_MARKINGS} != "none" ]]; then
154	elog "Failed to set XATTR_PAX markings -${flags} ${f}."
155	ret=1
156	fi
157	done
158	fi
159
160	# [[ ${ret} == 1 ]] && elog "Executables may be killed by PaX kernels."
161
162	return ${ret}
163	}
164
165	# @FUNCTION: list-paxables
166	# @USAGE: <files>
167	# @RETURN: Subset of <files> which are ELF executables or shared objects
168	# @DESCRIPTION:
169	# Print to stdout all of the <files> that are suitable to have PaX flag
170	# markings, i.e., filter out the ELF executables or shared objects from a list
171	# of files. This is useful for passing wild-card lists to pax-mark, although
172	# in general it is preferable for ebuilds to list precisely which ELFS are to
173	# be marked. Often not all the ELF installed by a package need remarking.
174	# @EXAMPLE:
175	# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)
176	list-paxables() {
177	file "$@" 2> /dev/null \| grep -E 'ELF.(executable\|shared object)' \| sed -e 's/: .$//'
178	}
179
180	# @FUNCTION: host-is-pax
181	# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise
182	# @DESCRIPTION:
183	# This is intended for use where the build process must be modified conditionally
184	# depending on whether the host is PaX enabled or not. It is not indented to
185	# determine whether the final binaries need PaX markings. Note: if procfs is
186	# not mounted on /proc, this returns shell false (e.g. Gentoo/FreeBSD).
187	host-is-pax() {
188	grep -qs ^PaX: /proc/self/status
189	}
190
191
192	# INTERNAL FUNCTIONS
193	# ------------------
194	#
195	# These functions are for use internally by the eclass - do not use
196	# them elsewhere as they are not supported (i.e. they may be removed
197	# or their function may change arbitrarily).
198
199	# @FUNCTION: _pax_list_files
200	# @INTERNAL
201	# @USAGE: <command to display items> [items]
202	# @DESCRIPTION:
203	# Display a list of things, one per line, indented a bit, using the
204	# display command in $1.
205	_pax_list_files() {
206	local f cmd
207	cmd=$1
208	shift
209	for f in "$@"; do
210	${cmd} " ${f}"
211	done
212	}
213
214	fi
215	--
216	2.32.0