CC: hardened@g.o |
Closes: https://bugs.gentoo.org/802258 |
Signed-off-by: Sergei Trofimovich <slyfox@g.o> |
--- |
eclass/pax-utils.eclass | 4 ++-- |
1 file changed, 2 insertions(+), 2 deletions(-) |
|
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass |
9 |
index 9c4903d24b6..f48dcdafe01 100644 |
10 |
--- a/eclass/pax-utils.eclass |
11 |
+++ b/eclass/pax-utils.eclass |
12 |
@@ -1,200 +1,200 @@ |
13 |
# Copyright 1999-2021 Gentoo Authors |
14 |
# Distributed under the terms of the GNU General Public License v2 |
15 |
|
16 |
# @ECLASS: pax-utils.eclass |
17 |
# @MAINTAINER: |
18 |
# The Gentoo Linux Hardened Team <hardened@g.o> |
19 |
# @AUTHOR: |
20 |
# Author: Kevin F. Quinn <kevquinn@g.o> |
21 |
# Author: Anthony G. Basile <blueness@g.o> |
22 |
-# @SUPPORTED_EAPIS: 5 6 7 |
23 |
+# @SUPPORTED_EAPIS: 5 6 7 8 |
24 |
# @BLURB: functions to provide PaX markings for hardened kernels |
25 |
# @DESCRIPTION: |
26 |
# |
27 |
# This eclass provides support for manipulating PaX markings on ELF binaries, |
28 |
# whether the system is using legacy PT_PAX markings or the newer XATTR_PAX. |
29 |
# The eclass wraps the use of paxctl-ng, paxctl, set/getattr and scanelf utilities, |
30 |
# deciding which to use depending on what's installed on the build host, and |
31 |
# whether we're working with PT_PAX, XATTR_PAX or both. |
32 |
# Legacy PT_PAX markings no longer supported. |
33 |
# |
34 |
# To control what markings are made, set PAX_MARKINGS in /etc/portage/make.conf |
35 |
# to contain either "PT", "XT" or "none". The default is none |
36 |
|
37 |
case ${EAPI:-0} in |
38 |
- [567]) ;; |
39 |
+ 5|6|7|8) ;; |
40 |
*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; |
41 |
esac |
42 |
|
43 |
if [[ -z ${_PAX_UTILS_ECLASS} ]]; then |
44 |
_PAX_UTILS_ECLASS=1 |
45 |
|
46 |
# @ECLASS-VARIABLE: PAX_MARKINGS |
47 |
# @DESCRIPTION: |
48 |
# Control which markings are made: |
49 |
# PT = PT_PAX markings, XT = XATTR_PAX markings |
50 |
# Default to none markings. |
51 |
PAX_MARKINGS=${PAX_MARKINGS:="none"} |
52 |
|
53 |
# @FUNCTION: pax-mark |
54 |
# @USAGE: <flags> <ELF files> |
55 |
# @RETURN: Shell true if we succeed, shell false otherwise |
56 |
# @DESCRIPTION: |
57 |
# Marks <ELF files> with provided PaX <flags> |
58 |
# |
59 |
# Flags are passed directly to the utilities unchanged. |
60 |
# |
61 |
# @CODE |
62 |
# p: disable PAGEEXEC P: enable PAGEEXEC |
63 |
# e: disable EMUTRAMP E: enable EMUTRAMP |
64 |
# m: disable MPROTECT M: enable MPROTECT |
65 |
# r: disable RANDMMAP R: enable RANDMMAP |
66 |
# s: disable SEGMEXEC S: enable SEGMEXEC |
67 |
# @CODE |
68 |
# |
69 |
# Default flags are 'PeMRS', which are the most restrictive settings. Refer |
70 |
# to https://pax.grsecurity.net/ for details on what these flags are all about. |
71 |
# |
72 |
# Please confirm any relaxation of restrictions with the Gentoo Hardened team. |
73 |
# Either ask on the gentoo-hardened mailing list, or CC/assign |
74 |
# hardened@g.o on the bug report. |
75 |
pax-mark() { |
76 |
local f # loop over paxables |
77 |
local flags # pax flags |
78 |
local ret=0 # overall return code of this function |
79 |
|
80 |
# Only the actual PaX flags and z are accepted |
81 |
# 1. The leading '-' is optional |
82 |
# 2. -C -c only make sense for paxctl, but are unnecessary |
83 |
# because we progressively do -q -qc -qC |
84 |
# 3. z is allowed for the default |
85 |
|
86 |
flags="${1//[!zPpEeMmRrSs]}" |
87 |
[[ "${flags}" ]] || return 0 |
88 |
shift |
89 |
|
90 |
# z = default. For XATTR_PAX, the default is no xattr field at all |
91 |
local dodefault="" |
92 |
[[ "${flags//[!z]}" ]] && dodefault="yes" |
93 |
|
94 |
if has PT ${PAX_MARKINGS}; then |
95 |
# Uncomment to list all files to be marked |
96 |
# _pax_list_files einfo "$@" |
97 |
for f in "$@"; do |
98 |
|
99 |
# First try paxctl |
100 |
if type -p paxctl >/dev/null; then |
101 |
einfo "PT_PAX marking -${flags} ${f} with paxctl" |
102 |
# We try modifying the existing PT_PAX_FLAGS header. |
103 |
paxctl -q${flags} "${f}" >/dev/null 2>&1 && continue |
104 |
# We no longer try to create/convert a PT_PAX_FLAGS header, bug #590422 |
105 |
# paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue |
106 |
# paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue |
107 |
fi |
108 |
|
109 |
# Next try paxctl-ng -> this will not create/convert any program headers. |
110 |
if type -p paxctl-ng >/dev/null && paxctl-ng -L ; then |
111 |
einfo "PT_PAX marking -${flags} ${f} with paxctl-ng" |
112 |
flags="${flags//z}" |
113 |
[[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}" >/dev/null 2>&1 |
114 |
[[ "${flags}" ]] || continue |
115 |
paxctl-ng -L -${flags} "${f}" >/dev/null 2>&1 && continue |
116 |
fi |
117 |
|
118 |
# Finally fall back on scanelf. |
119 |
if type -p scanelf >/dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then |
120 |
einfo "PT_PAX marking -${flags} ${f} with scanelf" |
121 |
scanelf -Xxz ${flags} "$f" >/dev/null 2>&1 |
122 |
# We failed to set PT_PAX flags. |
123 |
elif [[ ${PAX_MARKINGS} != "none" ]]; then |
124 |
elog "Failed to set PT_PAX markings -${flags} ${f}." |
125 |
ret=1 |
126 |
fi |
127 |
done |
128 |
fi |
129 |
|
130 |
if has XT ${PAX_MARKINGS}; then |
131 |
# Uncomment to list all files to be marked |
132 |
# _pax_list_files einfo "$@" |
133 |
flags="${flags//z}" |
134 |
for f in "$@"; do |
135 |
|
136 |
# First try paxctl-ng. |
137 |
if type -p paxctl-ng >/dev/null && paxctl-ng -l ; then |
138 |
einfo "XATTR_PAX marking -${flags} ${f} with paxctl-ng" |
139 |
[[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}" >/dev/null 2>&1 |
140 |
[[ "${flags}" ]] || continue |
141 |
paxctl-ng -l -${flags} "${f}" >/dev/null 2>&1 && continue |
142 |
fi |
143 |
|
144 |
# Next try setfattr. |
145 |
if type -p setfattr >/dev/null; then |
146 |
[[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150 |
147 |
einfo "XATTR_PAX marking -${flags} ${f} with setfattr" |
148 |
[[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}" >/dev/null 2>&1 |
149 |
setfattr -n "user.pax.flags" -v "${flags}" "${f}" >/dev/null 2>&1 && continue |
150 |
fi |
151 |
|
152 |
# We failed to set XATTR_PAX flags. |
153 |
if [[ ${PAX_MARKINGS} != "none" ]]; then |
154 |
elog "Failed to set XATTR_PAX markings -${flags} ${f}." |
155 |
ret=1 |
156 |
fi |
157 |
done |
158 |
fi |
159 |
|
160 |
# [[ ${ret} == 1 ]] && elog "Executables may be killed by PaX kernels." |
161 |
|
162 |
return ${ret} |
163 |
} |
164 |
|
165 |
# @FUNCTION: list-paxables |
166 |
# @USAGE: <files> |
167 |
# @RETURN: Subset of <files> which are ELF executables or shared objects |
168 |
# @DESCRIPTION: |
169 |
# Print to stdout all of the <files> that are suitable to have PaX flag |
170 |
# markings, i.e., filter out the ELF executables or shared objects from a list |
171 |
# of files. This is useful for passing wild-card lists to pax-mark, although |
172 |
# in general it is preferable for ebuilds to list precisely which ELFS are to |
173 |
# be marked. Often not all the ELF installed by a package need remarking. |
174 |
# @EXAMPLE: |
175 |
# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*) |
176 |
list-paxables() { |
177 |
file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//' |
178 |
} |
179 |
|
180 |
# @FUNCTION: host-is-pax |
181 |
# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise |
182 |
# @DESCRIPTION: |
183 |
# This is intended for use where the build process must be modified conditionally |
184 |
# depending on whether the host is PaX enabled or not. It is not indented to |
185 |
# determine whether the final binaries need PaX markings. Note: if procfs is |
186 |
# not mounted on /proc, this returns shell false (e.g. Gentoo/FreeBSD). |
187 |
host-is-pax() { |
188 |
grep -qs ^PaX: /proc/self/status |
189 |
} |
190 |
|
191 |
|
192 |
# INTERNAL FUNCTIONS |
193 |
# ------------------ |
194 |
# |
195 |
# These functions are for use internally by the eclass - do not use |
196 |
# them elsewhere as they are not supported (i.e. they may be removed |
197 |
# or their function may change arbitrarily). |
198 |
|
199 |
# @FUNCTION: _pax_list_files |
200 |
# @INTERNAL |
201 |
# @USAGE: <command to display items> [items] |
202 |
# @DESCRIPTION: |
203 |
# Display a list of things, one per line, indented a bit, using the |
204 |
# display command in $1. |
205 |
_pax_list_files() { |
206 |
local f cmd |
207 |
cmd=$1 |
208 |
shift |
209 |
for f in "$@"; do |
210 |
${cmd} " ${f}" |
211 |
done |
212 |
} |
213 |
|
214 |
fi |
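Review bot: The scanelf fallback in the PT_PAX loop, `scanelf -Xxz ${flags} "$f" >/dev/null 2>&1`, drops the tool's exit status, so on a build host with neither paxctl nor paxctl-ng a marking that scanelf could not write still leaves `ret=0` and pax-mark reports success to the ebuild, whereas the adjacent `elif` branch and the XATTR_PAX loop both `elog` and set `ret=1` on failure. Assuming scanelf's exit status reflects a failed write (confirm against the pax-utils version in tree), `scanelf -Xxz ${flags} "${f}" >/dev/null 2>&1 && continue` followed by the existing `elog "Failed to set PT_PAX markings -${flags} ${f}."` and `ret=1` lines would make the three failure paths consistent, so a hardened-profile build does not silently ship an unmarked binary. Separately, the description line `# Legacy PT_PAX markings no longer supported.` contradicts the still-present `has PT ${PAX_MARKINGS}` branch, which matters now that EAPI 8 ebuilds may inherit this eclass; qualifying it as `# Legacy PT_PAX headers are no longer created/converted (bug #590422); only existing PT_PAX_FLAGS headers are modified.` would match what the code does.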
-- |
2.32.0 |