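--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,8 +1,8 @@
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.11 2011/05/22 01:01:40 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.12 2011/07/02 17:03:51 blueness Exp $
 
 # @ECLASS: pax-utils.eclass
 # @MAINTAINER:
 # Maintained by
 # The Gentoo Linux Hardened Team <hardened@gentoo.org>
@@ -22,10 +22,15 @@
 # contain either "PT" or "none". If PAX_MARKINGS is set to "PT", and the
 # necessary utility is installed, the PT_PAX_FLAGS markings will be made. If
 # PAX_MARKINGS is set to "none", no markings will be made.
 
 inherit eutils
+
+IUSE="hardened"
+
+DEPEND="hardened? ( app-misc/pax-utils
+	sys-apps/paxctl )"
 
 # Default to PT markings.
 PAX_MARKINGS=${PAX_MARKINGS:="PT"}
 
 # @FUNCTION: pax-mark
@@ -49,10 +54,14 @@
 #
 # Please confirm any relaxation of restrictions with the Gentoo Hardened team.
 # Either ask on the gentoo-hardened mailing list, or CC/assign hardened@g.o on
 # the bug report.
 pax-mark() {
+	# It doesn't make sense to pax-mark on non-hardened systems
+	# so we'll just do nothing.
+	use hardened || return 0;
+
 	local f flags fail=0 failures="" zero_load_alignment
 	# Ignore '-' characters - in particular so that it doesn't matter if
 	# the caller prefixes with -
 	flags=${1//-}
 	shift
@@ -67,22 +76,27 @@
 	# Second, try stealing the (unused under PaX) PT_GNU_STACK header
 	paxctl -qc${flags} "${f}" && continue
 	# Third, try pulling the base down a page, to create space and
 	# insert a PT_GNU_STACK header (works on ET_EXEC)
 	paxctl -qC${flags} "${f}" && continue
+	#
+	# prelink is masked on hardened so we wont use this method.
+	# We're working on a new utiity to try to do the same safely. See
+	# http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
+	#
 	# Fourth - check if it loads to 0 (probably an ET_DYN) and if so,
 	# try rebasing with prelink first to give paxctl some space to
 	# grow downwards into.
-	if type -p objdump > /dev/null && type -p prelink > /dev/null; then
-	zero_load_alignment=$(objdump -p "${f}" | \
-	grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \
-	sed -e 's/.*align\(.*\)/\1/')
-	if [[ ${zero_load_alignment} != "" ]]; then
-	prelink -r $(( 2*(${zero_load_alignment}) )) &&
-	paxctl -qC${flags} "${f}" && continue
-	fi
-	fi
+	#if type -p objdump > /dev/null && type -p prelink > /dev/null; then
+	# zero_load_alignment=$(objdump -p "${f}" | \
+	# grep -E '^[[:space:]]*LOAD[[:space:]]*off[[:space:]]*0x0+[[:space:]]' | \
+	# sed -e 's/.*align\(.*\)/\1/')
+	# if [[ ${zero_load_alignment} != "" ]]; then
+	# prelink -r $(( 2*(${zero_load_alignment}) )) &&
+	# paxctl -qC${flags} "${f}" && continue
+	# fi
+	#fi
 	fail=1
 	failures="${failures} ${f}"
 	done
 	elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
 	# Try scanelf, the Gentoo swiss-army knife ELF utility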
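Review bot: The early `use hardened || return 0;` added at the top of pax-mark makes every marking method a silent no-op on profiles without USE=hardened, but the eclass header above still presents PAX_MARKINGS ("PT" or "none") as the only control, so the new USE-flag dependency is undocumented. USE=hardened is a toolchain/profile flag, so a kernel enforcing PaX on a non-hardened profile would now receive unmarked binaries with no build-time warning that the relaxation was skipped; that consequence is inferred from the flag's scope rather than visible in the hunk. At minimum the header comment should state the new gate, e.g. `# Markings are applied only when USE=hardened is set; otherwise pax-mark is a no-op.`, and the no-op branch could log an `einfo` so the omission is visible in the build log. The trailing semicolon on `return 0;` is also out of keeping with the rest of the shell in this file. pax-mark's body continues past the end of the hunk.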
