* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2011-10-18 18:15 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2011-10-18 18:15 UTC (permalink / raw
  To: gentoo-commits

commit:     a075ca551233ec03ea8fae02d8ad55b7807d9755
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 18 18:15:06 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Oct 18 18:15:06 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=a075ca55

Remove all EI_PAX code, bug #387459

---
 scripts/paxmodule.c |  118 +--------------------------------------------------
 scripts/revdep-pax  |    6 +-
 src/paxctl-ng.c     |   98 +------------------------------------------
 3 files changed, 5 insertions(+), 217 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index 45e9f26..9cffb12 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -9,19 +9,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 
-/* Gentoo bug #387459
-
-#define HF_PAX_PAGEEXEC		1
-#define HF_PAX_EMUTRAMP		2
-#define HF_PAX_MPROTECT		4
-#define HF_PAX_RANDMMAP		8
-#define HF_PAX_RANDEXEC		16
-#define HF_PAX_SEGMEXEC		32
-
-#define EI_PAX			14	// Index to read the PaX flags into ELF header e_ident[] array
-*/
-
-#define BUF_SIZE		7	//Buffer for holding human readable flags
+#define BUF_SIZE	7	//Buffer for holding human readable flags
 
 
 static PyObject * pax_getflags(PyObject *, PyObject *);
@@ -60,9 +48,6 @@ pax_getflags(PyObject *self, PyObject *args)
 	char pax_buf[BUF_SIZE];
 	uint16_t pax_flags;
 
-	/* Gentoo bug #387459
-	GElf_Ehdr ehdr; 
-	*/
 	GElf_Phdr phdr;
 	char found_pt_pax;
 	size_t i, phnum;
@@ -142,33 +127,6 @@ pax_getflags(PyObject *self, PyObject *args)
 		}
 	}
 
-	if(!found_pt_pax)
-	{
-		//Set to the strictest possible
-	}
-
-	/* Gentoo bug #387459
-	if(!found_pt_pax)
-	{
-		if(gelf_getehdr(elf, &ehdr) != &ehdr)
-		{
-			elf_end(elf);
-			close(fd);
-			PyErr_SetString(PaxError, "pax_getflags: gelf_getehdr() failed");
-			return NULL;
-		}
-
-		pax_flags = ehdr.e_ident[EI_PAX] + (ehdr.e_ident[EI_PAX + 1] << 8);
-
-  		pax_buf[0] = pax_flags & HF_PAX_PAGEEXEC ? 'p' : 'P';
-		pax_buf[1] = pax_flags & HF_PAX_SEGMEXEC ? 's' : 'S';
-		pax_buf[2] = pax_flags & HF_PAX_MPROTECT ? 'm' : 'M';
-		pax_buf[3] = pax_flags & HF_PAX_EMUTRAMP ? 'E' : 'e';
-		pax_buf[4] = pax_flags & HF_PAX_RANDMMAP ? 'r' : 'R';
-		pax_buf[5] = pax_flags & HF_PAX_RANDEXEC ? 'X' : 'x';
-	}
-	*/
-
 	elf_end(elf);
 	close(fd);
 
@@ -184,12 +142,6 @@ pax_setflags(PyObject *self, PyObject *args)
 	int fd;
 
 	Elf *elf;
-
-	/* Gentoo bug #387459
-	GElf_Ehdr ehdr;
-	uint16_t ei_flags;
-	*/
-
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
@@ -226,74 +178,6 @@ pax_setflags(PyObject *self, PyObject *args)
 		return NULL;
 	}
 
-	/* Gentoo bug #387459
-
-	if(gelf_getehdr(elf, &ehdr) != &ehdr)
-	{
-		elf_end(elf);
-		close(fd);
-		PyErr_SetString(PaxError, "pax_setflags: gelf_getehdr() failed");
-		return NULL;
-	}
-
-	ei_flags = ehdr.e_ident[EI_PAX] + (ehdr.e_ident[EI_PAX + 1] << 8);
-
-	ei_flags &= ~HF_PAX_PAGEEXEC;
-	ei_flags &= ~HF_PAX_SEGMEXEC;
-	ei_flags &= ~HF_PAX_MPROTECT;
-	ei_flags |= HF_PAX_EMUTRAMP;
-	ei_flags &= ~HF_PAX_RANDMMAP;
-	ei_flags |= HF_PAX_RANDEXEC;
-
-	//PAGEEXEC
-	if(pax_flags & PF_PAGEEXEC)
-		ei_flags &= ~HF_PAX_PAGEEXEC;
-	if(pax_flags & PF_NOPAGEEXEC)
-		ei_flags |= HF_PAX_PAGEEXEC;
-
-	//SEGMEXEC
-	if(pax_flags & PF_SEGMEXEC)
-		ei_flags &= ~HF_PAX_SEGMEXEC;
-	if(pax_flags & PF_NOSEGMEXEC)
-		ei_flags |= HF_PAX_SEGMEXEC;
-
-	//MPROTECT
-	if(pax_flags & PF_MPROTECT)
-		ei_flags &= ~HF_PAX_MPROTECT;
-	if(pax_flags & PF_NOMPROTECT)
-		ei_flags |= HF_PAX_MPROTECT;
-
-	//EMUTRAMP
-	if(pax_flags & PF_EMUTRAMP)
-		ei_flags |= HF_PAX_EMUTRAMP;
-	if(pax_flags & PF_NOEMUTRAMP)
-		ei_flags &= ~HF_PAX_EMUTRAMP;
-
-	//RANDMMAP
-	if(pax_flags & PF_RANDMMAP)
-		ei_flags &= ~HF_PAX_RANDMMAP;
-	if(pax_flags & PF_NORANDMMAP)
-		ei_flags |= HF_PAX_RANDMMAP;
-
-	//RANDEXEC
-	if(pax_flags & PF_RANDEXEC)
-		ei_flags |= HF_PAX_RANDEXEC;
-	if(pax_flags & PF_NORANDEXEC)
-		ei_flags &= ~HF_PAX_RANDEXEC;
-
-	ehdr.e_ident[EI_PAX] = (uint8_t)ei_flags  ;
-	ehdr.e_ident[EI_PAX + 1] = (uint8_t)(ei_flags >> 8) ;
-
-	if(!gelf_update_ehdr(elf, &ehdr))
-	{
-		elf_end(elf);
-		close(fd);
-		PyErr_SetString(PaxError, "pax_setflags: gelf_update_ehdr() failed");
-		return NULL;
-	}
-	*/
-
-
 	elf_getphdrnum(elf, &phnum);
 	for(i=0; i<phnum; ++i)
 	{

diff --git a/scripts/revdep-pax b/scripts/revdep-pax
index 59b8b4e..a33e627 100755
--- a/scripts/revdep-pax
+++ b/scripts/revdep-pax
@@ -202,13 +202,13 @@ def run_usage():
 	print 'Program Name : revdep-pax'
 	print 'Description  : Get or set pax flags on an ELF object'
 	print
-	print 'Usage        : revdep-pax -f [-mv]         print out all forward mappings for all system binaries'
-	print '             : revdep-pax -r [-mv]         print out all reverse mappints for all system sonames'
+	print 'Usage        : revdep-pax -f [-v]          print out all forward mappings for all system binaries'
+	print '             : revdep-pax -r [-v]          print out all reverse mappints for all system sonames'
 	print '             : revdep-pax -b BINARY [-mv]  print all forward mappings only for BINARY'
 	print '             : revdep-pax -s SONAME [-mv]  print all reverse mappings only for SONAME'
 	print '             : revdep-pax [-h]             print out this help'
 	print '             : -v                          verbose, otherwise just print mismatched flags'
-	print '             : -m                          prompt to mark the found objects'
+	print '             : -m                          prompt to mark the mismatching objects'
 	print
 
 

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index 5d92d58..9114d4e 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -32,16 +32,6 @@
 
 #include <config.h>
 
-#define HF_PAX_PAGEEXEC		1
-#define HF_PAX_EMUTRAMP		2
-#define HF_PAX_MPROTECT		4
-#define HF_PAX_RANDMMAP		8
-#define HF_PAX_RANDEXEC		16
-#define HF_PAX_SEGMEXEC		32
-
-#define EI_PAX			14   // Index to read the PaX flags into ELF header e_ident[] array
-
-
 void
 print_help(char *v)
 {
@@ -162,36 +152,17 @@ parse_cmd_args(int c, char *v[], int *pax_flags, int *view_flags)
 
 
 #define BUF_SIZE 7
+
 void
 print_flags(Elf *elf)
 {
-	GElf_Ehdr ehdr;
-	char ei_buf[BUF_SIZE];
-	uint16_t ei_flags;
-
 	GElf_Phdr phdr;
 	char pt_buf[BUF_SIZE];
 	char found_pt_pax;
 	size_t i, phnum;
 
-
-	memset(ei_buf, 0, BUF_SIZE);
 	memset(pt_buf, 0, BUF_SIZE);
 
-	if(gelf_getehdr(elf, &ehdr) != &ehdr)
-		error(EXIT_FAILURE, 0, "gelf_getehdr(): %s", elf_errmsg(elf_errno()));
-
-	ei_flags = ehdr.e_ident[EI_PAX] + (ehdr.e_ident[EI_PAX + 1] << 8);
-
-  	ei_buf[0] = ei_flags & HF_PAX_PAGEEXEC ? 'p' : 'P';
-	ei_buf[1] = ei_flags & HF_PAX_SEGMEXEC ? 's' : 'S';
-	ei_buf[2] = ei_flags & HF_PAX_MPROTECT ? 'm' : 'M';
-	ei_buf[3] = ei_flags & HF_PAX_EMUTRAMP ? 'E' : 'e';
-	ei_buf[4] = ei_flags & HF_PAX_RANDMMAP ? 'r' : 'R';
-	ei_buf[5] = ei_flags & HF_PAX_RANDEXEC ? 'X' : 'x';
-
-	printf("EI_PAX: %s\n", ei_buf);
-
 	found_pt_pax = 0;
 	elf_getphdrnum(elf, &phnum);
 	for(i=0; i<phnum; ++i)
@@ -226,82 +197,15 @@ print_flags(Elf *elf)
 		printf("PT_PAX: %s\n", pt_buf);
 	else
 		printf("PT_PAX: not found\n");
-
-	//Only compare non default flags
-	//if(strcmp(ei_buf, pt_buf))
-	//	printf("EI_PAX != PT_PAX\n");
 }
 
 
 void
 set_flags(Elf *elf, int *pax_flags)
 {
-	GElf_Ehdr ehdr;
-	uint16_t ei_flags;
-
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
-	if(gelf_getehdr(elf, &ehdr) != &ehdr)
-		error(EXIT_FAILURE, 0, "gelf_getehdr(): %s", elf_errmsg(elf_errno()));
-
-	ei_flags = ehdr.e_ident[EI_PAX] + (ehdr.e_ident[EI_PAX + 1] << 8);
-
-	//PAGEEXEC
-	if(*pax_flags & PF_PAGEEXEC)
-		ei_flags &= ~HF_PAX_PAGEEXEC;
-	if(*pax_flags & PF_NOPAGEEXEC)
-		ei_flags |= HF_PAX_PAGEEXEC;
-	if((*pax_flags & PF_PAGEEXEC) && (*pax_flags & PF_NOPAGEEXEC))
-		ei_flags &= ~HF_PAX_PAGEEXEC;
-
-	//SEGMEXEC
-	if(*pax_flags & PF_SEGMEXEC)
-		ei_flags &= ~HF_PAX_SEGMEXEC;
-	if(*pax_flags & PF_NOSEGMEXEC)
-		ei_flags |= HF_PAX_SEGMEXEC;
-	if((*pax_flags & PF_SEGMEXEC) && (*pax_flags & PF_NOSEGMEXEC))
-		ei_flags &= ~HF_PAX_SEGMEXEC;
-
-	//MPROTECT
-	if(*pax_flags & PF_MPROTECT)
-		ei_flags &= ~HF_PAX_MPROTECT;
-	if(*pax_flags & PF_NOMPROTECT)
-		ei_flags |= HF_PAX_MPROTECT;
-	if((*pax_flags & PF_MPROTECT) && (*pax_flags & PF_NOMPROTECT))
-		ei_flags &= ~HF_PAX_MPROTECT;
-
-	//EMUTRAMP
-	if(*pax_flags & PF_EMUTRAMP)
-		ei_flags |= HF_PAX_EMUTRAMP;
-	if(*pax_flags & PF_NOEMUTRAMP)
-		ei_flags &= ~HF_PAX_EMUTRAMP;
-	if((*pax_flags & PF_EMUTRAMP) && (*pax_flags & PF_NOEMUTRAMP))
-		ei_flags &= ~HF_PAX_EMUTRAMP;
-
-	//RANDMMAP
-	if(*pax_flags & PF_RANDMMAP)
-		ei_flags &= ~HF_PAX_RANDMMAP;
-	if(*pax_flags & PF_NORANDMMAP)
-		ei_flags |= HF_PAX_RANDMMAP;
-	if((*pax_flags & PF_RANDMMAP) && (*pax_flags & PF_NORANDMMAP))
-		ei_flags &= ~HF_PAX_RANDMMAP;
-
-	//RANDEXEC
-	if(*pax_flags & PF_RANDEXEC)
-		ei_flags |= HF_PAX_RANDEXEC;
-	if(*pax_flags & PF_NORANDEXEC)
-		ei_flags &= ~HF_PAX_RANDEXEC;
-	if((*pax_flags & PF_RANDEXEC) && (*pax_flags & PF_NORANDEXEC))
-		ei_flags |= HF_PAX_RANDEXEC;
-
-
-	ehdr.e_ident[EI_PAX] = (uint8_t)ei_flags  ;
-	ehdr.e_ident[EI_PAX + 1] = (uint8_t)(ei_flags >> 8) ;
-
-	if(!gelf_update_ehdr(elf, &ehdr))
-		error(EXIT_FAILURE, 0, "gelf_update_ehdr(): %s", elf_errmsg(elf_errno()));
-
 	elf_getphdrnum(elf, &phnum);
 	for(i=0; i<phnum; ++i)
 	{




* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2011-10-20 14:12 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2011-10-20 14:12 UTC (permalink / raw
  To: gentoo-commits

commit:     284875fb709fb1bf5530c78491c9a39539104f25
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 20 14:12:50 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 20 14:12:50 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=284875fb

scripts/paxmodule.c: add XT_PAX read support

---
 scripts/paxmodule.c |  167 +++++++++++++++++++++++++++++++++++----------------
 src/paxctl-ng.c     |    6 +-
 2 files changed, 120 insertions(+), 53 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index 9cffb12..6a158fc 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -3,13 +3,15 @@
 #include <string.h>
 
 #include <gelf.h>
+#include <attr/xattr.h>
 
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
 
-#define BUF_SIZE	7	//Buffer for holding human readable flags
+#define BUF_SIZE	7	//Buffer size for holding human readable flags
+#define PAX_NAMESPACE	"user.pax"
 
 
 static PyObject * pax_getflags(PyObject *, PyObject *);
@@ -38,45 +40,30 @@ initpax(void)
 }
 
 
-static PyObject *
-pax_getflags(PyObject *self, PyObject *args)
+uint16_t
+read_pt_flags(int fd)
 {
-	const char *f_name;
-	int fd;
 	Elf *elf;
-
-	char pax_buf[BUF_SIZE];
-	uint16_t pax_flags;
-
 	GElf_Phdr phdr;
-	char found_pt_pax;
 	size_t i, phnum;
 
-	memset(pax_buf, 0, BUF_SIZE);
+	uint16_t pt_flags;
+	char found_pt_pax;
 
-	if (!PyArg_ParseTuple(args, "s", &f_name))
-	{
-		PyErr_SetString(PaxError, "pax_getflags: PyArg_ParseTuple failed");
-		return NULL;
-	}
+	pt_flags = UINT16_MAX;
 
 	if(elf_version(EV_CURRENT) == EV_NONE)
 	{
+		close(fd);
 		PyErr_SetString(PaxError, "pax_getflags: library out of date");
-		return NULL;
-	}
-
-	if((fd = open(f_name, O_RDONLY)) < 0)
-	{
-		PyErr_SetString(PaxError, "pax_getflags: open() failed");
-		return NULL;
+		return pt_flags;
 	}
 
 	if((elf = elf_begin(fd, ELF_C_READ_MMAP, NULL)) == NULL)
 	{
 		close(fd);
 		PyErr_SetString(PaxError, "pax_getflags: elf_begin() failed");
-		return NULL;
+		return pt_flags;
 	}
 
 	if(elf_kind(elf) != ELF_K_ELF)
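Review bot: read_pt_flags() closes the descriptor it was handed on its failure paths (`close(fd);` before the `elf_version` and `elf_begin` returns) even though pax_getflags() opened it, so ownership of fd is split between caller and helper. The helper also sets PaxError and then returns the UINT16_MAX sentinel, which the caller in the next hunk treats as "flags not found" and still returns a normal tuple, leaving the exception pending. I would drop the `close(fd);` lines from the helper, close fd once in pax_getflags(), and add `if(PyErr_Occurred()) return NULL;` there before building the result. The body of read_pt_flags() continues in the following hunk.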
@@ -84,53 +71,131 @@ pax_getflags(PyObject *self, PyObject *args)
 		elf_end(elf);
 		close(fd);
 		PyErr_SetString(PaxError, "pax_getflags: elf_kind() failed: this is not an elf file.");
-		return NULL;
+		return pt_flags;
 	}
 
-
 	found_pt_pax = 0;
-	pax_flags = 0;
-
 	elf_getphdrnum(elf, &phnum);
-	for(i=0; i<phnum; ++i)
+
+	for(i=0; i<phnum; i++)
 	{
 		if(gelf_getphdr(elf, i, &phdr) != &phdr)
-		{
-			elf_end(elf);
-			close(fd);
-			PyErr_SetString(PaxError, "pax_getflags: gelf_getphdr() failed");
-			return NULL;
-		}
+			error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
 
 		if(phdr.p_type == PT_PAX_FLAGS)
 		{
 			found_pt_pax = 1;
-			pax_flags = phdr.p_flags;
+			pt_flags = phdr.p_flags;
+		}
+	}
 
-			pax_buf[0] = pax_flags & PF_PAGEEXEC ? 'P' :
-				pax_flags & PF_NOPAGEEXEC ? 'p' : '-' ;
+	if(!found_pt_pax)
+		printf("PT_PAX: not found\n");
 
-			pax_buf[1] = pax_flags & PF_SEGMEXEC   ? 'S' : 
-				pax_flags & PF_NOSEGMEXEC ? 's' : '-';
+	return pt_flags;
+}
 
-			pax_buf[2] = pax_flags & PF_MPROTECT   ? 'M' :
-				pax_flags & PF_NOMPROTECT ? 'm' : '-';
 
-			pax_buf[3] = pax_flags & PF_EMUTRAMP   ? 'E' :
-				pax_flags & PF_NOEMUTRAMP ? 'e' : '-';
+uint16_t
+read_xt_flags(int fd)
+{
+	uint16_t xt_flags;
 
-			pax_buf[4] = pax_flags & PF_RANDMMAP   ? 'R' :
-				pax_flags & PF_NORANDMMAP ? 'r' : '-';
+	xt_flags = UINT16_MAX;
 
-			pax_buf[5] = pax_flags & PF_RANDEXEC   ? 'X' :
-				pax_flags & PF_NORANDEXEC ? 'x' : '-';
+	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
+	{
+		// ERANGE  = xattrs supported, PAX_NAMESPACE present, but wrong size
+		// ENOATTR = xattrs supported, PAX_NAMESPACE not present
+		if(errno == ERANGE || errno == ENOATTR)
+		{
+			printf("XT_PAX: not present or corrupted\n");
+			/*
+			printf("XT_PAX: creating/repairing flags\n");
+			xt_flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
+			if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
+			{
+				xt_flags = UINT16_MAX;
+				if(errno == ENOSPC || errno == EDQUOT)
+					printf("XT_PAX: access error\n");
+				if(errno == ENOTSUP)
+					printf("XT_PAX: not supported\n");
+			}
+			*/
 		}
+
+		// ENOTSUP = xattrs not supported
+		if(errno == ENOTSUP)
+			printf("XT_PAX: not supported\n");
 	}
 
-	elf_end(elf);
-	close(fd);
+	return xt_flags;
+}
+
+
+void
+bin2string(uint16_t flags, char *buf)
+{
+	buf[0] = flags & PF_PAGEEXEC ? 'P' :
+		flags & PF_NOPAGEEXEC ? 'p' : '-' ;
+
+	buf[1] = flags & PF_SEGMEXEC   ? 'S' :
+		flags & PF_NOSEGMEXEC ? 's' : '-';
+
+	buf[2] = flags & PF_MPROTECT   ? 'M' :
+		flags & PF_NOMPROTECT ? 'm' : '-';
+
+	buf[3] = flags & PF_EMUTRAMP   ? 'E' :
+		flags & PF_NOEMUTRAMP ? 'e' : '-';
+
+	buf[4] = flags & PF_RANDMMAP   ? 'R' :
+		flags & PF_NORANDMMAP ? 'r' : '-';
+
+	buf[5] = flags & PF_RANDEXEC   ? 'X' :
+		flags & PF_NORANDEXEC ? 'x' : '-';
+}
+
+
+static PyObject *
+pax_getflags(PyObject *self, PyObject *args)
+{
+	const char *f_name;
+	int fd;
+
+        uint16_t flags;
+        char buf[BUF_SIZE];
+
+	memset(buf, 0, BUF_SIZE);
+
+	if (!PyArg_ParseTuple(args, "s", &f_name))
+	{
+		PyErr_SetString(PaxError, "pax_getflags: PyArg_ParseTuple failed");
+		return NULL;
+	}
+
+	if((fd = open(f_name, O_RDONLY)) < 0)
+	{
+		PyErr_SetString(PaxError, "pax_getflags: open() failed");
+		return NULL;
+	}
+
+        flags = read_xt_flags(fd);
+        if( flags != UINT16_MAX )
+        {
+                memset(buf, 0, BUF_SIZE);
+                bin2string(flags, buf);
+        }
+	else
+	{
+       		flags = read_pt_flags(fd);
+	        if( flags != UINT16_MAX )
+		{
+			memset(buf, 0, BUF_SIZE);
+			bin2string(flags, buf);
+		}
+	}
 
-	return Py_BuildValue("si", pax_buf, pax_flags);
+	return Py_BuildValue("si", buf, flags);
 }
 
 
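Review bot: The `fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1` test in read_xt_flags() accepts any non-error return, so an attribute shorter than two bytes overwrites only part of xt_flags and the mixed value is then reported as valid flags because it no longer equals UINT16_MAX. Since pax_getflags() prefers this value over PT_PAX, the length should be checked as well, e.g. `ssize_t n = fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof xt_flags);` followed by `if(n != (ssize_t)sizeof xt_flags) xt_flags = UINT16_MAX;`. The same unchecked length applies to the read_xt_flags()/get_xt_flags() hunks further down the page. Separately, `error(EXIT_FAILURE, ...)` in the phdr loop would terminate the embedding Python process instead of raising PaxError, and pax_getflags() no longer calls `close(fd)` on any path in this hunk.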

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index 0df3a59..70c2a2c 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -34,7 +34,7 @@
 #include <config.h>
 
 
-#define PAX_NAMESPACE	"trusted.pax"
+#define PAX_NAMESPACE	"user.pax"
 #define BUF_SIZE	7
 
 void
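Review bot: Moving PAX_NAMESPACE from `trusted.pax` to `user.pax` changes who can write the attribute: on Linux, trusted.* attributes require CAP_SYS_ADMIN, while user.* attributes can be set by anyone with write permission on the file. That may well be the intent, but the define carries no comment and the commit message only mentions paxmodule.c read support, so the trust change is easy to miss. I would record it next to the define, e.g. `/* user.*: writable by anyone who can write the file, so XT_PAX flags are only as trustworthy as the file's permissions */`.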
@@ -197,11 +197,12 @@ read_xt_flags(int fd)
 
 	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
 	{
-
 		// ERANGE  = xattrs supported, PAX_NAMESPACE present, but wrong size
 		// ENOATTR = xattrs supported, PAX_NAMESPACE not present
 		if(errno == ERANGE || errno == ENOATTR)
 		{
+			printf("XT_PAX: not present or corrupted\n");
+			/*
 			printf("XT_PAX: creating/repairing flags\n");
 			xt_flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
 			if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
@@ -211,6 +212,7 @@ read_xt_flags(int fd)
 				if(errno == ENOTSUP)
 					printf("XT_PAX: not supported\n");
 			}
+			*/
 		}
 
 		// ENOTSUP = xattrs not supported




* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2011-10-20 17:09 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2011-10-20 17:09 UTC (permalink / raw
  To: gentoo-commits

commit:     b0e634a482a5eab43b58e2d35aee54cfa38fea88
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 20 17:09:22 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 20 17:09:22 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=b0e634a4

scripts/paxmodule.c: add XT_PAX write support, code cleanup

---
 scripts/paxmodule.c |  172 +++++++++++++++++++++++++++++++--------------------
 src/paxctl-ng.c     |  146 ++++++++++++++++++++++++++++---------------
 2 files changed, 198 insertions(+), 120 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index 6a158fc..c5a7aa6 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -1,3 +1,21 @@
+/*
+	paxmodule.c: python module to get/set pax flags on an ELF object
+	Copyright (C) 2011  Anthony G. Basile
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
 #include <Python.h>
 
 #include <string.h>
@@ -41,63 +59,54 @@ initpax(void)
 
 
 uint16_t
-read_pt_flags(int fd)
+get_pt_flags(int fd)
 {
 	Elf *elf;
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
 	uint16_t pt_flags;
-	char found_pt_pax;
 
 	pt_flags = UINT16_MAX;
 
 	if(elf_version(EV_CURRENT) == EV_NONE)
 	{
-		close(fd);
-		PyErr_SetString(PaxError, "pax_getflags: library out of date");
+		PyErr_SetString(PaxError, "get_pt_flags: library out of date");
 		return pt_flags;
 	}
 
 	if((elf = elf_begin(fd, ELF_C_READ_MMAP, NULL)) == NULL)
 	{
-		close(fd);
-		PyErr_SetString(PaxError, "pax_getflags: elf_begin() failed");
+		PyErr_SetString(PaxError, "get_pt_flags: elf_begin() failed");
 		return pt_flags;
 	}
 
 	if(elf_kind(elf) != ELF_K_ELF)
 	{
 		elf_end(elf);
-		close(fd);
-		PyErr_SetString(PaxError, "pax_getflags: elf_kind() failed: this is not an elf file.");
+		PyErr_SetString(PaxError, "get_pt_flags: elf_kind() failed: this is not an elf file.");
 		return pt_flags;
 	}
 
-	found_pt_pax = 0;
 	elf_getphdrnum(elf, &phnum);
 
 	for(i=0; i<phnum; i++)
 	{
 		if(gelf_getphdr(elf, i, &phdr) != &phdr)
-			error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
+			PyErr_SetString(PaxError, "get_pt_flags: gelf_getphdr() failed: could not get phdr.");
 
 		if(phdr.p_type == PT_PAX_FLAGS)
-		{
-			found_pt_pax = 1;
 			pt_flags = phdr.p_flags;
-		}
 	}
 
-	if(!found_pt_pax)
-		printf("PT_PAX: not found\n");
+	elf_end(elf);
 
 	return pt_flags;
 }
 
 
 uint16_t
-read_xt_flags(int fd)
+get_xt_flags(int fd)
 {
 	uint16_t xt_flags;
 
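Review bot: When `gelf_getphdr()` fails in the loop, the new code only calls PyErr_SetString() and then falls through to `if(phdr.p_type == PT_PAX_FLAGS)`, reading a phdr that was not filled in and continuing to iterate. The failure branch should release the handle and stop, for example `{ elf_end(elf); PyErr_SetString(PaxError, "get_pt_flags: gelf_getphdr() failed: could not get phdr."); return UINT16_MAX; }`. The return value of `elf_getphdrnum()` is also not checked, so phnum may be used unset if that call fails; initialising `phnum = 0` or testing the result would cover it.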
@@ -105,28 +114,31 @@ read_xt_flags(int fd)
 
 	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
 	{
+		/*
 		// ERANGE  = xattrs supported, PAX_NAMESPACE present, but wrong size
 		// ENOATTR = xattrs supported, PAX_NAMESPACE not present
 		if(errno == ERANGE || errno == ENOATTR)
 		{
-			printf("XT_PAX: not present or corrupted\n");
-			/*
-			printf("XT_PAX: creating/repairing flags\n");
+			//XT_PAX: not present or corrupted
+
+			//BEGIN: create flags
+			PyErr_SetString(PaxError, "XT_PAX: creating/repairing flags");
 			xt_flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
 			if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
 			{
 				xt_flags = UINT16_MAX;
 				if(errno == ENOSPC || errno == EDQUOT)
-					printf("XT_PAX: access error\n");
+					PyErr_SetString(PaxError, "XT_PAX: access error");
 				if(errno == ENOTSUP)
-					printf("XT_PAX: not supported\n");
+					PyErr_SetString(PaxError, "XT_PAX: not supported");
 			}
-			*/
+			// END: create flags
 		}
 
 		// ENOTSUP = xattrs not supported
 		if(errno == ENOTSUP)
-			printf("XT_PAX: not supported\n");
+			PyErr_SetString(PaxError, "XT_PAX: not supported\n");
+		*/
 	}
 
 	return xt_flags;
@@ -161,9 +173,8 @@ pax_getflags(PyObject *self, PyObject *args)
 {
 	const char *f_name;
 	int fd;
-
-        uint16_t flags;
-        char buf[BUF_SIZE];
+	uint16_t flags;
+	char buf[BUF_SIZE];
 
 	memset(buf, 0, BUF_SIZE);
 
@@ -179,96 +190,121 @@ pax_getflags(PyObject *self, PyObject *args)
 		return NULL;
 	}
 
-        flags = read_xt_flags(fd);
-        if( flags != UINT16_MAX )
-        {
-                memset(buf, 0, BUF_SIZE);
-                bin2string(flags, buf);
-        }
+	flags = get_xt_flags(fd);
+	if( flags != UINT16_MAX )
+	{
+		memset(buf, 0, BUF_SIZE);
+		bin2string(flags, buf);
+	}
 	else
 	{
-       		flags = read_pt_flags(fd);
-	        if( flags != UINT16_MAX )
+		flags = get_pt_flags(fd);
+		if( flags != UINT16_MAX )
 		{
 			memset(buf, 0, BUF_SIZE);
 			bin2string(flags, buf);
 		}
 	}
 
+	close(fd);
+
 	return Py_BuildValue("si", buf, flags);
 }
 
 
-static PyObject *
-pax_setflags(PyObject *self, PyObject *args)
+void
+set_pt_flags(int fd, uint16_t pt_flags)
 {
-	const char *f_name;
-	uint16_t pax_flags;
-	int fd;
-
 	Elf *elf;
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
-	if (!PyArg_ParseTuple(args, "si", &f_name, &pax_flags))
-	{
-		PyErr_SetString(PaxError, "pax_setflags: PyArg_ParseTuple failed");
-		return NULL;
-	}
-
 	if(elf_version(EV_CURRENT) == EV_NONE)
 	{
-		PyErr_SetString(PaxError, "pax_setflags: library out of date");
-		return NULL;
-	}
-
-	if((fd = open(f_name, O_RDWR)) < 0)
-	{
-		PyErr_SetString(PaxError, "pax_setflags: open() failed");
-		return NULL;
+		PyErr_SetString(PaxError, "set_pt_flags: library out of date");
+		return;
 	}
 
 	if((elf = elf_begin(fd, ELF_C_RDWR_MMAP, NULL)) == NULL)
 	{
-		close(fd);
-		PyErr_SetString(PaxError, "pax_setflags: elf_begin() failed");
-		return NULL;
+		PyErr_SetString(PaxError, "set_pt_flags: elf_begin() failed");
+		return;
 	}
 
 	if(elf_kind(elf) != ELF_K_ELF)
 	{
 		elf_end(elf);
-		close(fd);
-		PyErr_SetString(PaxError, "pax_setflags: elf_kind() failed: this is not an elf file.");
-		return NULL;
+		PyErr_SetString(PaxError, "set_pt_flags: elf_kind() failed: this is not an elf file.");
+		return;
 	}
 
 	elf_getphdrnum(elf, &phnum);
-	for(i=0; i<phnum; ++i)
+
+	for(i=0; i<phnum; i++)
 	{
 		if(gelf_getphdr(elf, i, &phdr) != &phdr)
 		{
 			elf_end(elf);
-			close(fd);
-			PyErr_SetString(PaxError, "pax_setflags: gelf_getphdr() failed");
-			return NULL;
+			PyErr_SetString(PaxError, "set_pt_flags: gelf_getphdr() failed");
+			return;
 		}
 
 		if(phdr.p_type == PT_PAX_FLAGS)
 		{
-			phdr.p_flags = pax_flags;
+			phdr.p_flags = pt_flags;
 
 			if(!gelf_update_phdr(elf, i, &phdr))
 			{
 				elf_end(elf);
-				close(fd);
-				PyErr_SetString(PaxError, "pax_setflags: gelf_update_phdr() failed");
-				return NULL;
+				PyErr_SetString(PaxError, "set_pt_flags: gelf_update_phdr() failed");
+				return;
 			}
 		}
 	}
 
 	elf_end(elf);
+}
+
+
+void
+set_xt_flags(int fd, uint16_t xt_flags)
+{
+	if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
+	{
+		/*
+		if(errno == ENOSPC || errno == EDQUOT)
+			 PyErr_SetString(PaxError, "XT_PAX: access error");
+		if(errno == ENOTSUP)
+			 PyErr_SetString(PaxError, "XT_PAX: not supported\n");
+		*/
+	}
+}
+
+
+static PyObject *
+pax_setflags(PyObject *self, PyObject *args)
+{
+	const char *f_name;
+	int fd, iflags;
+	uint16_t flags;
+
+	if (!PyArg_ParseTuple(args, "si", &f_name, &iflags))
+	{
+		PyErr_SetString(PaxError, "pax_setflags: PyArg_ParseTuple failed");
+		return NULL;
+	}
+
+	if((fd = open(f_name, O_RDWR)) < 0)
+	{
+		PyErr_SetString(PaxError, "pax_setflags: open() failed");
+		return NULL;
+	}
+
+	flags = (uint16_t) iflags;
+
+	set_pt_flags(fd, flags);
+	set_xt_flags(fd, flags);
+
 	close(fd);
 
 	return Py_BuildValue("");
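Review bot: pax_setflags() returns None whether or not the flags were written: set_pt_flags() and set_xt_flags() return void, set_xt_flags() has an empty body for a failed `fsetxattr()`, and the PaxError that set_pt_flags() may set is never checked. A caller that marks a binary therefore cannot tell a failed marking from a successful one. After `close(fd);` I would add `if(PyErr_Occurred()) return NULL;`, and have set_xt_flags() report failure with `PyErr_SetFromErrno(PaxError);` in its error branch (possibly excluding ENOTSUP if missing xattr support is meant to be tolerated). `flags = (uint16_t) iflags;` also truncates silently; a range check on iflags before the cast would reject out-of-range values.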

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index 70c2a2c..aaeadaf 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -128,7 +128,7 @@ parse_cmd_args(int c, char *v[], uint16_t *pax_flags, int *view_flags)
 				break ;
 			case 'Z':
 				*pax_flags = PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT |
-					PF_NOEMUTRAMP | PF_RANDMMAP | PF_RANDEXEC;
+					PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC;
 				compat += 1;
 				break ;
 			case 'z':
@@ -157,15 +157,35 @@ parse_cmd_args(int c, char *v[], uint16_t *pax_flags, int *view_flags)
 
 
 uint16_t
-read_pt_flags(Elf *elf)
+get_pt_flags(int fd)
 {
+	Elf *elf;
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
 	uint16_t pt_flags;
-	char found_pt_pax;
 
-	found_pt_pax = 0;
+	pt_flags = UINT16_MAX;
+
+	if(elf_version(EV_CURRENT) == EV_NONE)
+	{
+		error(EXIT_FAILURE, 0, "Library out of date.");
+		return;
+	}
+
+	if((elf = elf_begin(fd, ELF_C_READ_MMAP, NULL)) == NULL)
+	{
+		error(EXIT_FAILURE, 0, "elf_begin() fail: %s", elf_errmsg(elf_errno()));
+		return;
+	}
+
+	if(elf_kind(elf) != ELF_K_ELF)
+	{
+		elf_end(elf);
+		error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
+		return;
+	}
+
 	elf_getphdrnum(elf, &phnum);
 
 	for(i=0; i<phnum; i++)
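Review bot: The three new failure branches in get_pt_flags() end with a bare `return;` although the function returns uint16_t, which is invalid for a non-void function in C99 and draws a compiler diagnostic. Because `error(EXIT_FAILURE, ...)` does not return, the statements are unreachable; either drop them or write `return UINT16_MAX;` to match the sentinel used for pt_flags. The same dead `return;` after `error(EXIT_FAILURE, ...)` appears in the set_pt_flags() hunk below, where it is harmless because that function is void. The body of get_pt_flags() continues in the next hunk.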
@@ -174,27 +194,22 @@ read_pt_flags(Elf *elf)
 			error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
 
 		if(phdr.p_type == PT_PAX_FLAGS)
-		{
-			found_pt_pax = 1;
 			pt_flags = phdr.p_flags;
-		}
 	}
 
-	if(!found_pt_pax)
-	{
-		printf("PT_PAX: not found\n");
-		pt_flags = UINT16_MAX;
-	}
+	elf_end(elf);
 
 	return pt_flags;
 }
 
 
 uint16_t
-read_xt_flags(int fd)
+get_xt_flags(int fd)
 {
 	uint16_t xt_flags;
 
+	xt_flags = UINT16_MAX;
+
 	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
 	{
 		// ERANGE  = xattrs supported, PAX_NAMESPACE present, but wrong size
@@ -207,6 +222,7 @@ read_xt_flags(int fd)
 			xt_flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
 			if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
 			{
+				xt_flags = UINT16_MAX;
 				if(errno == ENOSPC || errno == EDQUOT)
 					printf("XT_PAX: access error\n");
 				if(errno == ENOTSUP)
@@ -217,10 +233,7 @@ read_xt_flags(int fd)
 
 		// ENOTSUP = xattrs not supported
 		if(errno == ENOTSUP)
-		{
-			xt_flags = UINT16_MAX; //invalid value
 			printf("XT_PAX: not supported\n");
-		}
 	}
 
 	return xt_flags;
@@ -251,21 +264,29 @@ bin2string(uint16_t flags, char *buf)
 
 
 void
-print_flags(int fd, Elf *elf)
+print_flags(int fd)
 {
 	uint16_t flags;
 	char buf[BUF_SIZE];
 
-	flags = read_pt_flags(elf);
-	if( flags != UINT16_MAX )
+	flags = get_pt_flags(fd);
+	if( flags == UINT16_MAX )
+	{
+		printf("PT_PAX: not found\n");
+	}
+	else
 	{
 		memset(buf, 0, BUF_SIZE);
 		bin2string(flags, buf);
 		printf("PT_PAX: %s\n", buf);
 	}
 
-	flags = read_xt_flags(fd);
-	if( flags != UINT16_MAX )
+	flags = get_xt_flags(fd);
+	if( flags == UINT16_MAX )
+	{
+		printf("XT_PAX: not found\n");
+	}
+	else
 	{
 		memset(buf, 0, BUF_SIZE);
 		bin2string(flags, buf);
@@ -385,25 +406,56 @@ new_flags(uint16_t flags, uint16_t pax_flags)
 
 
 void
-set_pt_flags(Elf *elf, uint16_t pt_flags)
+set_pt_flags(int fd, uint16_t pt_flags)
 {
+	Elf *elf;
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
+	if(elf_version(EV_CURRENT) == EV_NONE)
+	{
+		error(EXIT_FAILURE, 0, "Library out of date.");
+		return;
+	}
+
+	if((elf = elf_begin(fd, ELF_C_RDWR_MMAP, NULL)) == NULL)
+	{
+		error(EXIT_FAILURE, 0, "elf_begin() fail: %s", elf_errmsg(elf_errno()));
+		return;
+	}
+
+	if(elf_kind(elf) != ELF_K_ELF)
+	{
+		elf_end(elf);
+		error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
+		return;
+	}
+
 	elf_getphdrnum(elf, &phnum);
 
 	for(i=0; i<phnum; i++)
 	{
 		if(gelf_getphdr(elf, i, &phdr) != &phdr)
+		{
+			elf_end(elf);
 			error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
+			return;
+		}
 
 		if(phdr.p_type == PT_PAX_FLAGS)
 		{
 			phdr.p_flags = pt_flags;
+
 			if(!gelf_update_phdr(elf, i, &phdr))
+			{
+				elf_end(elf);
 				error(EXIT_FAILURE, 0, "gelf_update_phdr(): %s", elf_errmsg(elf_errno()));
+				return;
+			}
 		}
 	}
+
+	elf_end(elf);
 }
 
 
@@ -421,56 +473,46 @@ set_xt_flags(int fd, uint16_t xt_flags)
 
 
 void
-set_flags(int fd, Elf *elf, uint16_t *pax_flags)
+set_flags(int fd, uint16_t *pax_flags)
 {
 	uint16_t flags;
 
-	flags = read_pt_flags(elf);
-	if( flags != UINT16_MAX )
-	{
-		flags = new_flags( flags, *pax_flags);
-		set_pt_flags(elf, flags);
-	}
-
-	flags = read_xt_flags(fd);
-	if( flags != UINT16_MAX )
-	{
-		flags = new_flags( flags, *pax_flags);
-		set_xt_flags(fd, flags);
-	}
+	flags = get_pt_flags(fd);
+	if( flags == UINT16_MAX )
+		flags = PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT |
+			PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC;
+	flags = new_flags( flags, *pax_flags);
+	set_pt_flags(fd, flags);
+
+	flags = get_xt_flags(fd);
+	if( flags == UINT16_MAX )
+		flags = PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT |
+			PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC;
+	flags = new_flags( flags, *pax_flags);
+	set_xt_flags(fd, flags);
 }
 
 
 int
 main( int argc, char *argv[])
 {
+	const char *f_name;
 	int fd;
-	uint16_t pax_flags;
+	uint16_t flags;
 	int view_flags;
-	char *f_name;
 
 	Elf *elf;
 
-	f_name = parse_cmd_args(argc, argv, &pax_flags, &view_flags);
-
-	if(elf_version(EV_CURRENT) == EV_NONE)
-		error(EXIT_FAILURE, 0, "Library out of date.");
+	f_name = parse_cmd_args(argc, argv, &flags, &view_flags);
 
 	if((fd = open(f_name, O_RDWR)) < 0)
 		error(EXIT_FAILURE, 0, "open() fail.");
 
-	if((elf = elf_begin(fd, ELF_C_RDWR_MMAP, NULL)) == NULL)
-		error(EXIT_FAILURE, 0, "elf_begin() fail: %s", elf_errmsg(elf_errno()));
-
-	if(elf_kind(elf) != ELF_K_ELF)
-		error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
-
-	if(pax_flags != 0)
-		set_flags(fd, elf, &pax_flags);
+	if(flags != 0)
+		set_flags(fd, &flags);
 
 	if(view_flags == 1)
-		print_flags(fd, elf);
+		print_flags(fd);
 
-	elf_end(elf);
 	close(fd);
 }
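Review bot: set_flags() spells out the fallback mask `PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT | PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC` twice, and the same combination is the one corrected for the 'Z' option in the first hunk of this file. Three copies of a security default are easy to let drift apart; a single definition near PAX_NAMESPACE, e.g. `#define PAX_DEFAULT_FLAGS (PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT | PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC)`, would keep them in step. In main(), `Elf *elf;` is now unused and can be removed.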




* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2011-10-20 18:12 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2011-10-20 18:12 UTC (permalink / raw
  To: gentoo-commits

commit:     1efd8ec798c7ae81e19d1b781fa119e07552d538
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 20 18:12:31 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Oct 20 18:12:31 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=1efd8ec7

src/paxctl-ng.c: clean up error handling

---
 scripts/paxmodule.c |   50 ++++++------------------------------------
 src/paxctl-ng.c     |   60 +++++++++-----------------------------------------
 2 files changed, 18 insertions(+), 92 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index c5a7aa6..ed74430 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -65,9 +65,7 @@ get_pt_flags(int fd)
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
-	uint16_t pt_flags;
-
-	pt_flags = UINT16_MAX;
+	uint16_t pt_flags = UINT16_MAX;
 
 	if(elf_version(EV_CURRENT) == EV_NONE)
 	{
@@ -93,7 +91,10 @@ get_pt_flags(int fd)
 	for(i=0; i<phnum; i++)
 	{
 		if(gelf_getphdr(elf, i, &phdr) != &phdr)
+		{
 			PyErr_SetString(PaxError, "get_pt_flags: gelf_getphdr() failed: could not get phdr.");
+			return pt_flags;
+		}
 
 		if(phdr.p_type == PT_PAX_FLAGS)
 			pt_flags = phdr.p_flags;
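Review bot: The new early return after a failed gelf_getphdr() skips elf_end(elf), so the Elf handle (presumably opened with elf_begin() earlier in get_pt_flags) is leaked on that path. The src/paxctl-ng.c hunk in this same commit adds `elf_end(elf);` before its error call. Add `elf_end(elf);` ahead of `return pt_flags;` here as well. The value returned is whatever an earlier loop iteration stored, not necessarily the sentinel, so `pt_flags = UINT16_MAX;` before the return would keep the return value consistent with the Python error being set. The function starts and ends outside the hunk.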
@@ -108,38 +109,9 @@ get_pt_flags(int fd)
 uint16_t
 get_xt_flags(int fd)
 {
-	uint16_t xt_flags;
-
-	xt_flags = UINT16_MAX;
-
-	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
-	{
-		/*
-		// ERANGE  = xattrs supported, PAX_NAMESPACE present, but wrong size
-		// ENOATTR = xattrs supported, PAX_NAMESPACE not present
-		if(errno == ERANGE || errno == ENOATTR)
-		{
-			//XT_PAX: not present or corrupted
+	uint16_t xt_flags = UINT16_MAX;
 
-			//BEGIN: create flags
-			PyErr_SetString(PaxError, "XT_PAX: creating/repairing flags");
-			xt_flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
-			if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
-			{
-				xt_flags = UINT16_MAX;
-				if(errno == ENOSPC || errno == EDQUOT)
-					PyErr_SetString(PaxError, "XT_PAX: access error");
-				if(errno == ENOTSUP)
-					PyErr_SetString(PaxError, "XT_PAX: not supported");
-			}
-			// END: create flags
-		}
-
-		// ENOTSUP = xattrs not supported
-		if(errno == ENOTSUP)
-			PyErr_SetString(PaxError, "XT_PAX: not supported\n");
-		*/
-	}
+	fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t));
 
 	return xt_flags;
 }
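Review bot: Both xattr calls in scripts/paxmodule.c now discard their result: get_xt_flags here ignores fgetxattr(), and the set_xt_flags hunk below ignores fsetxattr(). A failed write leaves the file without the requested PaX flags while the Python caller sees success, and a read that returns fewer than two bytes leaves xt_flags partly overwritten instead of at the UINT16_MAX sentinel. Compare the read length, `if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) != (ssize_t)sizeof(uint16_t)) xt_flags = UINT16_MAX;`, and report a failed write with something like `PyErr_SetString(PaxError, "set_xt_flags: fsetxattr() failed");`.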
@@ -269,15 +241,7 @@ set_pt_flags(int fd, uint16_t pt_flags)
 void
 set_xt_flags(int fd, uint16_t xt_flags)
 {
-	if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
-	{
-		/*
-		if(errno == ENOSPC || errno == EDQUOT)
-			 PyErr_SetString(PaxError, "XT_PAX: access error");
-		if(errno == ENOTSUP)
-			 PyErr_SetString(PaxError, "XT_PAX: not supported\n");
-		*/
-	}
+	fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0);
 }
 
 

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index aaeadaf..8d9bf55 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -163,27 +163,18 @@ get_pt_flags(int fd)
 	GElf_Phdr phdr;
 	size_t i, phnum;
 
-	uint16_t pt_flags;
-
-	pt_flags = UINT16_MAX;
+	uint16_t pt_flags = UINT16_MAX;
 
 	if(elf_version(EV_CURRENT) == EV_NONE)
-	{
 		error(EXIT_FAILURE, 0, "Library out of date.");
-		return;
-	}
 
 	if((elf = elf_begin(fd, ELF_C_READ_MMAP, NULL)) == NULL)
-	{
 		error(EXIT_FAILURE, 0, "elf_begin() fail: %s", elf_errmsg(elf_errno()));
-		return;
-	}
 
 	if(elf_kind(elf) != ELF_K_ELF)
 	{
 		elf_end(elf);
 		error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
-		return;
 	}
 
 	elf_getphdrnum(elf, &phnum);
@@ -191,14 +182,16 @@ get_pt_flags(int fd)
 	for(i=0; i<phnum; i++)
 	{
 		if(gelf_getphdr(elf, i, &phdr) != &phdr)
+		{
+			elf_end(elf);
 			error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
+		}
 
 		if(phdr.p_type == PT_PAX_FLAGS)
 			pt_flags = phdr.p_flags;
 	}
 
 	elf_end(elf);
-
 	return pt_flags;
 }
 
@@ -206,32 +199,16 @@ get_pt_flags(int fd)
 uint16_t
 get_xt_flags(int fd)
 {
-	uint16_t xt_flags;
-
-	xt_flags = UINT16_MAX;
+	uint16_t xt_flags = UINT16_MAX;
 
 	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
 	{
-		// ERANGE  = xattrs supported, PAX_NAMESPACE present, but wrong size
-		// ENOATTR = xattrs supported, PAX_NAMESPACE not present
-		if(errno == ERANGE || errno == ENOATTR)
-		{
-			printf("XT_PAX: not present or corrupted\n");
-			/*
-			printf("XT_PAX: creating/repairing flags\n");
-			xt_flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
-			if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
-			{
-				xt_flags = UINT16_MAX;
-				if(errno == ENOSPC || errno == EDQUOT)
-					printf("XT_PAX: access error\n");
-				if(errno == ENOTSUP)
-					printf("XT_PAX: not supported\n");
-			}
-			*/
-		}
+		if(errno == ERANGE )
+			printf("XT_PAX: corrupted\n");
+
+		if( errno == ENOATTR)
+			printf("XT_PAX: not present\n");
 
-		// ENOTSUP = xattrs not supported
 		if(errno == ENOTSUP)
 			printf("XT_PAX: not supported\n");
 	}
@@ -271,9 +248,7 @@ print_flags(int fd)
 
 	flags = get_pt_flags(fd);
 	if( flags == UINT16_MAX )
-	{
 		printf("PT_PAX: not found\n");
-	}
 	else
 	{
 		memset(buf, 0, BUF_SIZE);
@@ -283,9 +258,7 @@ print_flags(int fd)
 
 	flags = get_xt_flags(fd);
 	if( flags == UINT16_MAX )
-	{
 		printf("XT_PAX: not found\n");
-	}
 	else
 	{
 		memset(buf, 0, BUF_SIZE);
@@ -413,22 +386,15 @@ set_pt_flags(int fd, uint16_t pt_flags)
 	size_t i, phnum;
 
 	if(elf_version(EV_CURRENT) == EV_NONE)
-	{
 		error(EXIT_FAILURE, 0, "Library out of date.");
-		return;
-	}
 
 	if((elf = elf_begin(fd, ELF_C_RDWR_MMAP, NULL)) == NULL)
-	{
 		error(EXIT_FAILURE, 0, "elf_begin() fail: %s", elf_errmsg(elf_errno()));
-		return;
 	}
-
 	if(elf_kind(elf) != ELF_K_ELF)
 	{
 		elf_end(elf);
 		error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
-		return;
 	}
 
 	elf_getphdrnum(elf, &phnum);
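Review bot: The closing `}` after the elf_begin() check is kept as context while its opening `{` is removed, so the new side of set_pt_flags has an unmatched brace directly before `if(elf_kind(elf) != ELF_K_ELF)`. That closes the function body early and the rest of the function lands at file scope, which should not compile. Drop that `}` so the check matches the unbraced form used for the elf_version() test above it. The unchecked `elf_getphdrnum(elf, &phnum);` on the last line is unchanged by this commit but would be worth a return-value test in the same clean-up. The function continues outside the hunk.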
@@ -439,7 +405,6 @@ set_pt_flags(int fd, uint16_t pt_flags)
 		{
 			elf_end(elf);
 			error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
-			return;
 		}
 
 		if(phdr.p_type == PT_PAX_FLAGS)
@@ -450,7 +415,6 @@ set_pt_flags(int fd, uint16_t pt_flags)
 			{
 				elf_end(elf);
 				error(EXIT_FAILURE, 0, "gelf_update_phdr(): %s", elf_errmsg(elf_errno()));
-				return;
 			}
 		}
 	}
@@ -465,7 +429,7 @@ set_xt_flags(int fd, uint16_t xt_flags)
 	if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
 	{
 		if(errno == ENOSPC || errno == EDQUOT)
-			printf("XT_PAX: access error\n");
+			printf("XT_PAX: insufficient space\n");
 		if(errno == ENOTSUP)
 			printf("XT_PAX: not supported\n");
 	}
@@ -501,8 +465,6 @@ main( int argc, char *argv[])
 	uint16_t flags;
 	int view_flags;
 
-	Elf *elf;
-
 	f_name = parse_cmd_args(argc, argv, &flags, &view_flags);
 
 	if((fd = open(f_name, O_RDWR)) < 0)




* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2011-10-21 21:19 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2011-10-21 21:19 UTC (permalink / raw
  To: gentoo-commits

commit:     140d0f2e1dac6d5c4c8943025d204bcb1d3bfe20
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 21 21:19:46 2011 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Oct 21 21:19:46 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=140d0f2e

src/paxctl-ng.c: prepare -C -c -F -f flags

---
 scripts/paxmodule.c |    1 -
 src/paxctl-ng.c     |   81 ++++++++++++++++++++++++++++----------------------
 2 files changed, 45 insertions(+), 37 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index ed74430..a106ff5 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -112,7 +112,6 @@ get_xt_flags(int fd)
 	uint16_t xt_flags = UINT16_MAX;
 
 	fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t));
-
 	return xt_flags;
 }
 

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index dccd8ac..b77b6f8 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -46,7 +46,9 @@ print_help(char *v)
 		"Bug Reports  : " PACKAGE_BUGREPORT "\n"
 		"Program Name : %s\n"
 		"Description  : Get or set pax flags on an ELF object\n\n"
-		"Usage        : %s -PpEeMmRrXxSsv ELF | -Zv ELF | -zv ELF | -h\n\n"
+		"Usage        : %s -PpEeMmRrXxSsv ELF | -Zv ELF | -zv ELF\n"
+		"             : %s -Cv ELF | -cv ELF | Fv ELF | -fv ELF\n"
+		"             : %s -v ELF | -h\n\n"
 		"Options      : -P enable PAGEEXEC\t-p disable  PAGEEXEC\n"
 		"             : -S enable SEGMEXEC\t-s disable  SEGMEXEC\n"
 		"             : -M enable MPROTECT\t-m disable  MPROTECT\n"
@@ -54,10 +56,16 @@ print_help(char *v)
 		"             : -R enable RANDMMAP\t-r disable  RANDMMAP\n"
 		"             : -X enable RANDEXEC\t-x disable  RANDEXEC\n"
 		"             : -Z most secure settings\t-z all default settings\n"
-		"             : -v view the flags\n"
+		"             : -C create XT_PAX with most secure setting\n"
+		"             : -c create XT_PAX all default settings\n"
+		"             : -F copy PT_PAX to XT_PAX\n"
+		"             : -f copy XT_PAX to PT_PAX\n"
+		"             : -v view the flags, along with any accompanying operation\n"
 		"             : -h print out this help\n\n"
 		"Note         :  If both enabling and disabling flags are set, the default - is used\n\n",
 		basename(v),
+		basename(v),
+		basename(v),
 		basename(v)
 	);
 
@@ -69,13 +77,13 @@ char *
 parse_cmd_args(int c, char *v[], uint16_t *pax_flags, int *view_flags)
 {
 	int i, oc;
-	int compat;
+	int compat, solitaire;
 
 	compat = 0;
-
+	solitaire = 0;
 	*pax_flags = 0;
 	*view_flags = 0;
-	while((oc = getopt(c, v,":PpEeMmRrXxSsZzvh")) != -1)
+	while((oc = getopt(c, v,":PpEeMmRrXxSsZzCcFfvh")) != -1)
 		switch(oc)
 		{
 			case 'P':
@@ -129,17 +137,28 @@ parse_cmd_args(int c, char *v[], uint16_t *pax_flags, int *view_flags)
 			case 'Z':
 				*pax_flags = PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT |
 					PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC;
-				compat += 1;
+				solitaire += 1;
 				break ;
 			case 'z':
 				*pax_flags = PF_PAGEEXEC | PF_NOPAGEEXEC | PF_SEGMEXEC | PF_NOSEGMEXEC |
 					PF_MPROTECT | PF_NOMPROTECT | PF_EMUTRAMP | PF_NOEMUTRAMP |
 					PF_RANDMMAP | PF_NORANDMMAP | PF_RANDEXEC | PF_NORANDEXEC;
-				compat += 1;
+				solitaire += 1;
+				break;
+			case 'C':
+				solitaire += 1;
+				break;
+			case 'c':
+				solitaire += 1;
+				break;
+			case 'F':
+				solitaire += 1;
+				break;
+			case 'f':
+				solitaire += 1;
 				break;
 			case 'v':
 				*view_flags = 1;
-				compat |= 1;
 				break;
 			case 'h':
 				print_help(v[0]);
@@ -149,10 +168,17 @@ parse_cmd_args(int c, char *v[], uint16_t *pax_flags, int *view_flags)
 				error(EXIT_FAILURE, 0, "option -%c is invalid: ignored.", optopt ) ;
 		}
 
-	if(compat != 1 || v[optind] == NULL)
+	if
+	(
+		(
+			(compat == 1 && solitaire == 0) ||
+			(compat == 0 && solitaire == 1) ||
+			(compat == 0 && solitaire == 0 && *view_flags == 1)
+		) && v[optind] != NULL
+	)
+		return v[optind] ;
+	else
 		print_help(v[0]);
-
-	return v[optind] ;
 }
 
 
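Review bot: The `else` branch now ends parse_cmd_args without a return value: after `print_help(v[0]);` control reaches the closing brace of a function declared `char *`. If print_help() always exits this is only a compiler warning, but that is not visible in the hunk; if it returns, main() passes an indeterminate pointer to open(). Keeping the earlier shape avoids the problem: negate the condition, call print_help() inside it, and leave `return v[optind] ;` unconditional as the last statement. parse_cmd_args starts outside the hunk.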
@@ -201,16 +227,7 @@ get_xt_flags(int fd)
 {
 	uint16_t xt_flags = UINT16_MAX;
 
-	if(fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t)) == -1)
-	{
-		if(errno == ERANGE )
-			printf("XT_PAX: corrupted\n");
-		if( errno == ENOATTR)
-			printf("XT_PAX: not present\n");
-		if(errno == ENOTSUP)
-			printf("XT_PAX: not supported\n");
-	}
-
+	fgetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t));
 	return xt_flags;
 }
 
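Review bot: The fgetxattr() result is discarded here and the fsetxattr() result is discarded in the set_xt_flags hunk below, so every XT_PAX failure that used to print a diagnostic is now silent. With `XATTR_REPLACE` the write fails whenever the attribute does not already exist, so the `PF_NOEMUTRAMP | PF_NORANDEXEC` value that set_flags seeds for a file without XT_PAX is never stored and nothing tells the user. Keep a check on both calls, for example `if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), XATTR_REPLACE) == -1) printf("XT_PAX: set failed\n");`, and treat a read shorter than `sizeof(uint16_t)` as "not found" by resetting xt_flags to UINT16_MAX.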
@@ -268,7 +285,7 @@ print_flags(int fd)
 
 
 uint16_t
-new_flags(uint16_t flags, uint16_t pax_flags)
+update_flags(uint16_t flags, uint16_t pax_flags)
 {
 	//PAGEEXEC
 	if(pax_flags & PF_PAGEEXEC)
@@ -424,13 +441,7 @@ set_pt_flags(int fd, uint16_t pt_flags)
 void
 set_xt_flags(int fd, uint16_t xt_flags)
 {
-	if(fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), 0) == -1)
-	{
-		if(errno == ENOSPC || errno == EDQUOT)
-			printf("XT_PAX: insufficient space\n");
-		if(errno == ENOTSUP)
-			printf("XT_PAX: not supported\n");
-	}
+	fsetxattr(fd, PAX_NAMESPACE, &xt_flags, sizeof(uint16_t), XATTR_REPLACE);
 }
 
 
@@ -441,16 +452,14 @@ set_flags(int fd, uint16_t *pax_flags)
 
 	flags = get_pt_flags(fd);
 	if( flags == UINT16_MAX )
-		flags = PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT |
-			PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC;
-	flags = new_flags( flags, *pax_flags);
+		flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
+	flags = update_flags( flags, *pax_flags);
 	set_pt_flags(fd, flags);
 
 	flags = get_xt_flags(fd);
 	if( flags == UINT16_MAX )
-		flags = PF_PAGEEXEC | PF_SEGMEXEC | PF_MPROTECT |
-			PF_NOEMUTRAMP | PF_RANDMMAP | PF_NORANDEXEC;
-	flags = new_flags( flags, *pax_flags);
+		flags = PF_NOEMUTRAMP | PF_NORANDEXEC;
+	flags = update_flags( flags, *pax_flags);
 	set_xt_flags(fd, flags);
 }
 
@@ -468,7 +477,7 @@ main( int argc, char *argv[])
 	if((fd = open(f_name, O_RDWR)) < 0)
 		error(EXIT_FAILURE, 0, "open() fail.");
 
-	if(flags != 0)
+	if(flags != 1)
 		set_flags(fd, &flags);
 
 	if(view_flags == 1)
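Review bot: The test `flags != 1` is true when `flags == 0`, so a plain `-v` invocation now calls set_flags(), which goes through set_pt_flags() and set_xt_flags() on a file the user only asked to display. parse_cmd_args leaves `*pax_flags` at 0 for `-v` and for the new `-C`/`-c`/`-F`/`-f` cases, which only bump `solitaire`, so all of those reach the write path too. Keep `if(flags != 0)` until the new options have their own handlers. main's body starts and ends outside the hunk.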




* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2012-07-21 17:09 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2012-07-21 17:09 UTC (permalink / raw
  To: gentoo-commits

commit:     204e81fcca1eca0b1f3f3f5f24c47024a3fa65c4
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Jul 21 17:09:09 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jul 21 17:09:09 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=204e81fc

Replace XATTR_REPLACE with 0 to create on set

---
 scripts/paxmodule.c |    2 +-
 src/paxctl-ng.c     |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index ba81110..8a3a6e6 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -295,7 +295,7 @@ set_xt_flags(int fd, uint16_t xt_flags)
 
 	memset(buf, 0, FLAGS_SIZE);
 	bin2string(xt_flags, buf);
-	fsetxattr(fd, PAX_NAMESPACE, buf, strlen(buf), XATTR_REPLACE);
+	fsetxattr(fd, PAX_NAMESPACE, buf, strlen(buf), 0);
 }
 #endif
 

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index 30584db..025ea24 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -513,7 +513,7 @@ set_xt_flags(int fd, uint16_t xt_flags)
 
 	memset(buf, 0, FLAGS_SIZE);
 	bin2string(xt_flags, buf);
-	fsetxattr(fd, PAX_NAMESPACE, buf, strlen(buf), XATTR_REPLACE);
+	fsetxattr(fd, PAX_NAMESPACE, buf, strlen(buf), 0);
 }
 #endif
 
@@ -617,7 +617,7 @@ main( int argc, char *argv[])
 			copy_xt_flags(fd, cp_flags, verbose);
 #endif
 
-		if(pax_flags != 1)
+		if(pax_flags != 0)
 			set_flags(fd, &pax_flags, rdwr_pt_pax, verbose);
 
 		if(verbose == 1)



* [gentoo-commits] proj/elfix:master commit in: src/, scripts/
@ 2012-11-10 20:52 Anthony G. Basile
  0 siblings, 0 replies; 7+ messages in thread
From: Anthony G. Basile @ 2012-11-10 20:52 UTC (permalink / raw
  To: gentoo-commits

commit:     1f7b02be034ce0545249b11eea9db27643e0ad60
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 10 20:52:10 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Nov 10 20:52:10 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=1f7b02be

scripts/{paxmodule.c,setup.py}: propagated enable/disable pt/xtpax

---
 scripts/paxmodule.c |   60 +++++++++++++++++++++++++++++++++++---------------
 scripts/setup.py    |   26 ++++++++++++++++------
 src/paxctl-ng.c     |    2 +-
 3 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/scripts/paxmodule.c b/scripts/paxmodule.c
index 9cd1ec3..56cef3a 100644
--- a/scripts/paxmodule.c
+++ b/scripts/paxmodule.c
@@ -19,20 +19,29 @@
 #include <Python.h>
 
 #include <string.h>
-
-#include <gelf.h>
-
-#ifdef XTPAX
-#include <attr/xattr.h>
-#endif
-
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
 
+#ifdef PTPAX
+ #include <gelf.h>
+#else
+ #define PF_PAGEEXEC     (1 << 4)        /* Enable  PAGEEXEC */
+ #define PF_NOPAGEEXEC   (1 << 5)        /* Disable PAGEEXEC */
+ #define PF_SEGMEXEC     (1 << 6)        /* Enable  SEGMEXEC */
+ #define PF_NOSEGMEXEC   (1 << 7)        /* Disable SEGMEXEC */
+ #define PF_MPROTECT     (1 << 8)        /* Enable  MPROTECT */
+ #define PF_NOMPROTECT   (1 << 9)        /* Disable MPROTECT */
+ #define PF_EMUTRAMP     (1 << 12)       /* Enable  EMUTRAMP */
+ #define PF_NOEMUTRAMP   (1 << 13)       /* Disable EMUTRAMP */
+ #define PF_RANDMMAP     (1 << 14)       /* Enable  RANDMMAP */
+ #define PF_NORANDMMAP   (1 << 15)       /* Disable RANDMMAP */
+#endif
+
 #ifdef XTPAX
-#define PAX_NAMESPACE	"user.pax.flags"
+ #include <attr/xattr.h>
+ #define PAX_NAMESPACE	"user.pax.flags"
 #endif
 
 #define FLAGS_SIZE	6
@@ -95,6 +104,7 @@ initpax(void)
 }
 
 
+#ifdef PTPAX
 uint16_t
 get_pt_flags(int fd)
 {
@@ -141,6 +151,7 @@ get_pt_flags(int fd)
 
 	return pt_flags;
 }
+#endif
 
 
 uint16_t
@@ -236,23 +247,30 @@ pax_getflags(PyObject *self, PyObject *args)
 		return NULL;
 	}
 
-#ifdef XTPAX
-	flags = get_xt_flags(fd);
+	/* Since the xattr pax flags are obtained second, they
+	 * will override the PT_PAX flags values.  The pax kernel
+	 * expects them to be the same if both PAX_XATTR_PAX_FLAGS
+	 * and PAX_PT_PAX_FLAGS else it returns -EINVAL.
+	 * (See pax_parse_pax_flags() in fs/binfmt_elf.c.)
+	 * Unless migrating, we will document to use one or the
+	 * other but not both.
+	 */
+
+#ifdef PTPAX
+	flags = get_pt_flags(fd);
 	if( flags != UINT16_MAX )
 	{
 		memset(buf, 0, FLAGS_SIZE);
 		bin2string(flags, buf);
 	}
-	else
-	{
 #endif
-		flags = get_pt_flags(fd);
-		if( flags != UINT16_MAX )
-		{
-			memset(buf, 0, FLAGS_SIZE);
-			bin2string(flags, buf);
-		}
+
 #ifdef XTPAX
+	flags = get_xt_flags(fd);
+	if( flags != UINT16_MAX )
+	{
+		memset(buf, 0, FLAGS_SIZE);
+		bin2string(flags, buf);
 	}
 #endif
 
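Review bot: When both PTPAX and XTPAX are compiled in and the two sources disagree, the XT_PAX string silently replaces the PT_PAX one in buf, although the added comment says the kernel answers such a mismatch with -EINVAL. The caller is then handed flags as if they were effective for a file that, per that comment, would be rejected. Consider keeping both values and setting PaxError when both are present and differ, or at least stating the override in the function's Python-facing documentation. The comment's second sentence also lacks its verb; `... if both PAX_XATTR_PAX_FLAGS and PAX_PT_PAX_FLAGS are enabled, else it returns -EINVAL` reads correctly. pax_getflags starts and ends outside the hunk.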
@@ -262,6 +280,7 @@ pax_getflags(PyObject *self, PyObject *args)
 }
 
 
+#ifdef PTPAX
 void
 set_pt_flags(int fd, uint16_t pt_flags)
 {
@@ -314,6 +333,7 @@ set_pt_flags(int fd, uint16_t pt_flags)
 
 	elf_end(elf);
 }
+#endif
 
 
 #ifdef XTPAX
@@ -350,7 +370,9 @@ pax_setbinflags(PyObject *self, PyObject *args)
 
 	flags = (uint16_t) iflags;
 
+#ifdef PTPAX
 	set_pt_flags(fd, flags);
+#endif
 
 #ifdef XTPAX
 	set_xt_flags(fd, flags);
@@ -382,7 +404,9 @@ pax_setstrflags(PyObject *self, PyObject *args)
 
 	flags = string2bin(sflags);
 
+#ifdef PTPAX
 	set_pt_flags(fd, flags);
+#endif
 
 #ifdef XTPAX
 	set_xt_flags(fd, flags);

diff --git a/scripts/setup.py b/scripts/setup.py
index 8c78279..528cfa0 100755
--- a/scripts/setup.py
+++ b/scripts/setup.py
@@ -3,21 +3,33 @@
 import os
 from distutils.core import setup, Extension
 
-xattr = os.getenv('XTPAX')
+ptpax = os.getenv('PTPAX')
+xtpax = os.getenv('XTPAX')
 
-if xattr != None:
+if ptpax != None and xtpax == None:
 	module1 = Extension(
 		name='pax',
 		sources = ['paxmodule.c'],
-		libraries = ['elf', 'attr'],
-		define_macros = [('XTPAX', None)]
+		libraries = ['elf'],
+		undef_macros = ['XTPAX'],
+		define_macros = [('PTPAX', 1)]
 	)
-else:
+
+elif ptpax == None and xtpax != None:
 	module1 = Extension(
 		name='pax',
 		sources = ['paxmodule.c'],
-		libraries = ['elf'],
-		undef_macros = ['XTPAX']
+		libraries = ['attr'],
+		undef_macros = ['PTPAX'],
+		define_macros = [('PTPAX', 1)]
+	)
+
+if ptpax != None and xtpax != None:
+	module1 = Extension(
+		name='pax',
+		sources = ['paxmodule.c'],
+		libraries = ['elf', 'attr'],
+		define_macros = [('PTPAX', 1), ('XTPAX', 1)]
 	)
 
 setup(
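Review bot: The XTPAX-only branch (`elif ptpax == None and xtpax != None`) both undefines and defines PTPAX and never defines XTPAX, so the xattr code guarded by `#ifdef XTPAX` is never compiled in that configuration; it should read `undef_macros = ['PTPAX'], define_macros = [('XTPAX', 1)]`. When neither variable is set no branch assigns module1, so the setup() call presumably fails with a NameError; a final `else` that raises a clear error or picks a default would make that case explicit. The third test would read better as `elif`, and `is None` / `is not None` is the usual comparison. The setup() call continues outside the hunk.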

diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index e0e6035..817192d 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -79,7 +79,7 @@ print_help_exit(char *v)
 		"             : -M enable MPROTECT\t-m disable  MPROTECT\n"
 		"             : -E enable EMUTRAMP\t-e disable  EMUTRAMP\n"
 		"             : -R enable RANDMMAP\t-r disable  RANDMMAP\n"
-		"             : -Z most secure settings\t-z all default settings\n"
+		"             : -Z all secure settings\t-z all default settings\n"
 #ifdef XTPAX
 		"             : -C create XT_PAX with most secure setting\n"
 		"             : -c create XT_PAX all default settings\n"


