* [gentoo-commits] proj/hardened-dev:XT_PAX commit in: /, eclass/
@ 2011-11-28 20:47 Anthony G. Basile
From: Anthony G. Basile @ 2011-11-28 20:47 UTC
To: gentoo-commits
commit: 52850ffd31461646745eb3fddc76c4e7cfb8fe36
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 28 20:46:55 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Nov 28 20:46:55 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=52850ffd
eclass/pax-utils.eclass: wrap paxctl-ng
---
XT_PAX-howto.txt => HOWTO.txt | 34 ++++++++---
README | 26 ++------
eclass/pax-utils.eclass | 135 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 165 insertions(+), 30 deletions(-)
diff --git a/XT_PAX-howto.txt b/HOWTO.txt
similarity index 89%
rename from XT_PAX-howto.txt
rename to HOWTO.txt
index 5d1a2a9..e443b76 100644
--- a/XT_PAX-howto.txt
+++ b/HOWTO.txt
@@ -37,7 +37,14 @@ The goodies are in a branch of the hardened-development overlay:
git checkout XT_PAX # switch branches
git pull origin XT_PAX # and pull
-2. Now let's emerge the stuff we'll need later:
+2. We need to override portage's pax-utils.eclass with the overlay's eclass.
+
+cat << EOF >> /etc/portage/repos.conf
+[DEFAULT]
+eclass-overrides = hardened-development
+EOF
+
+3. Now let's emerge the stuff we'll need later:
emerge =sys-devel/binutils-2.21.1-r2 \ # these are all masked so
=sys-kernel/xtpax-sources-3.1.1 \ # we'll have to unmask them
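Review bot: appending a `[DEFAULT]` section with `cat << EOF >> /etc/portage/repos.conf` produces a second `[DEFAULT]` section when the file already has one, so the new step 2 should tell the reader to edit an existing section in place rather than append blindly, and it should state that the `eclass-overrides = hardened-development` value has to match the overlay's `repo_name` exactly. The context lines `emerge =sys-devel/binutils-2.21.1-r2 \ # these are all masked so` also need fixing: a `#` comment after the trailing backslash breaks the continuation (the backslash escapes the space, not the newline), so a pasted command ends after the first line; move the comments above the command.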
@@ -53,7 +60,7 @@ The goodies are in a branch of the hardened-development overlay:
source /etc/profile # for binutils, if we keep using
# the same shell
-3. Our version of binutils intentionally excluse the PT_PAX program header from
+4. Our version of binutils intentionally excluse the PT_PAX program header from
ELF binaries, so let's make sure its really gone
echo "int main(){;return 0;}" > test.c ; gcc -o test test.c ; readelf -l test
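Review bot: the renumbered step 4 keeps the typos of the old step 3 (`excluse` for `excludes`, `its` for `it's`); since the line is rewritten anyway, fix them here.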
@@ -62,23 +69,22 @@ If you see a PT_PAX header, or possibly one called LOOS+5041580 at the end of th
(ie after GNU_RELRO), then something went wrong.
-4. To be safe, let's rebuild our entire toolchain.
+5. To be safe, let's rebuild our entire toolchain.
emerge gcc glibc binutils
-5. Then let's rebuild world
+6. Then let's rebuild world
emerge --keep-going -eq world
#packages that were not remerged
- nano - manual remerge fixes it
grub - manual remerge fails it (still paxmarked)
-6. And finally, let's do any post-world rebuild cleanup:
+7. And finally, let's do any post-world rebuild cleanup:
etc-update
-7. As a final test that all binaries under /bin (or /sbin or /usr/bin etc) really
+8. As a final test that all binaries under /bin (or /sbin or /usr/bin etc) really
have not PT_PAX header:
paxctl-ng -v /bin/*
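Review bot: the renumbered step 8 still says `have not PT_PAX header`; it should read `have no PT_PAX header`. The check `paxctl-ng -v /bin/*` also only covers /bin while the sentence promises /sbin, /usr/bin etc.; either list all the directories or tell the reader to repeat the command for each.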
@@ -140,9 +146,19 @@ you want to use. I also recommend xattr support on tmpfs:
[*] Squashfs XATTR support
...
-3. Compile the kernel and boot.
+3. Compile the kernel and boot. If you didn't install grub on the MBR before the
+migration, do so now, but be extra careful to make sure it was properly pax marked
+before runnign it from the command line. paxctl-ng -v /sbin/grub should give
+
+/sbin/grub:
+ PT_PAX: not found
+ XT_PAX: --me-x
+
+If it doesn't that may be because the eclass didn't properly pax mark it! Do so
+manually if need be:
-# I had to reinstall grub to /dev/sda before I could boot
+ paxctl-ng -cv /sbin/grub # To create the XT_PAX field
+ paxctl-ng -mexv /sbin/grub # To properly mark it
--------------------------------------------------------------------------------
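Review bot: the manual marking example `paxctl-ng -mexv /sbin/grub` uses the `x` flag, which the pax-utils.eclass header added in this same commit calls obsolete (`Do not use the obsolete flag 'x'/'X'`); either drop `x` here or say why grub needs it. Typo `runnign` for `running` in the new text.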
diff --git a/README b/README
index 5ca81f9..60258a5 100644
--- a/README
+++ b/README
@@ -1,23 +1,7 @@
-This overlay is for Hardened Development, this is where we can test hardened toolchain, bugfixes, packages, profiles and eclasses before
-commiting to the tree.
+This is the README only for the XT_PAX branch. See the README in main branch
+for information about the entire overlay.
-Keep the entire overlay to that of gentoo policy, all functions of the overlay will work there way to the tree, once we reach a state
-that is acceptable for use by the users.
+This overlay/branch is to test a pure XT_PAX based system, that is a system in
+which the pax markins are made *only* in the filesystem extended attributes.
+Follow the HOWTO.txt to convert any Gentoo system to a pure XT_PAX based system.
-For help on using and testing the overlay please refer to :
-Forum tread http://forums.gentoo.org/viewtopic-t-790110.html
-
-Bugs should be filled on bugs.gentoo.org, please ensure that you make it clear that the bug is
-caused or a part of the hardened-dev overlay, if you are unsure file an advanced bug report and
-assign to hardened-dev@gentoo.org and someone from dev team will reassign if needed; more
-The testing branch is if we need to do major change on this overlay.
-
-Commiters:
-Magnus Granberg (Zorry) <zorry@gentoo.org>
-Jory A. Pratt (Anarchy) <anarchy@gentoo.org>
-Peter Hjalmarsson (Xake) <xake@rymdraket.net>
-Anthony G. Basile (blueness) <blueness@gentoo.org>
-Chris Richards (gizmo) <gizmo@giz-works.com> - SELinux
-Sven Vermeulen (SwifT) <sven.vermeulen@siphos.be> - SELinux
-
-2010-11-25 Magnus Granberg (Zorry) <zorry@gentoo.org>
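Review bot: typo `markins` for `markings` in the new second paragraph. Dropping the committers list and the bug-filing guidance is fine given the pointer to the main branch, but `See the README in main branch` should name the branch explicitly so a reader on XT_PAX knows which one to check out.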
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
new file mode 100644
index 0000000..2ddbf9f
--- /dev/null
+++ b/eclass/pax-utils.eclass
@@ -0,0 +1,135 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.15 2011/08/22 04:46:32 vapier Exp $
+
+# @ECLASS: pax-utils.eclass
+# @MAINTAINER:
+# The Gentoo Linux Hardened Team <hardened@gentoo.org>
+# @AUTHOR:
+# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
+# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
+# Modifications for XT_PAX markings: Anthony G. Basile <blueness@gentoo.org>
+# @BLURB: functions to provide pax markings
+# @DESCRIPTION:
+# This eclass provides support for manipulating PaX markings on ELF binaries,
+# wrapping the use of the paxctl-ng utilities.
+#
+# To control what markings are made, set PAX_MARKINGS in /etc/make.conf to
+# contain either "XT", "PT" or "none".
+#
+# If PAX_MARKINGS is set to "XT" and paxctl-ng is installed, then both XT_PAX
+# and PT_PAX markings will be made, where possible: XT_PAX will not be made if
+# the file system doesn't support extended attributes and PT_PAX will not be
+# made if the ELF binary doesn't have a PT_PAX header.
+#
+# If PAX_MARKINGS is setto "PT" and paxctl is installed, then only PT_PAX
+# markings will be made.
+#
+# Finally, if neither utility is found, or PAX_MARKINGS is set to "none",
+# then no markings will be made.
+#
+# Note: unlike the original pax-utils.eclass, we will not try to use paxctl -c
+# or paxctl -C to convert or create a PT_PAX program header. Nor will we fall
+# back on scanelf.
+
+inherit eutils
+
+# Default to XT markings.
+PAX_MARKINGS=${PAX_MARKINGS:="XT"}
+
+# @FUNCTION: pax-mark
+# @USAGE: <flags> {<ELF files>}
+# @RETURN: Shell true if we succeed, shell false otherwise
+# @DESCRIPTION:
+# Marks <ELF files> with provided PaX <flags>
+#
+# Flags are passed directly to the utilities unchanged. Possible flags at the
+# time of writing, taken from /usr/sbin/paxctl-ng, are:
+#
+# p: disable PAGEEXEC P: enable PAGEEXEC
+# e: disable EMUTRMAP E: enable EMUTRMAP
+# m: disable MPROTECT M: enable MPROTECT
+# r: disable RANDMMAP R: enable RANDMMAP
+# s: disable SEGMEXEC S: enable SEGMEXEC
+#
+# Default flags are 'PeMRS', which are the most restrictive settings.
+# Do not use the obsolete flag 'x'/'X'.
+pax-mark() {
+ local f flags fail=0 failures="" zero_load_alignment
+ # Remove all dashes from the flags
+ flags=${1//-}
+ shift
+ if type -p paxctl-ng > /dev/null && has XT ${PAX_MARKINGS}; then
+ elog "XT PaX marking -${flags}"
+ _pax_list_files elog "$@"
+ for f in "$@"; do
+ paxctl-ng -C "${f}"
+ paxctl-ng -${flags} "${f}" && continue
+ fail=1
+ failures="${failures} ${f}"
+ done
+ elif type -p paxctl > /dev/null && has PT ${PAX_MARKINGS}; then
+ elog "PT PaX marking -${flags}"
+ _pax_list_files elog "$@"
+ for f in "$@"; do
+ paxctl -q${flags} "${f}" && continue
+ fail=1
+ failures="${failures} ${f}"
+ done
+ elif [[ ${PAX_MARKINGS} != "none" ]]; then
+ failures="$*"
+ fail=1
+ fi
+ if [[ ${fail} == 1 ]]; then
+ ewarn "Failed to set PaX markings -${flags} for:"
+ _pax_list_files ewarn ${failures}
+ ewarn "Executables may be killed by PaX kernels."
+ fi
+ return ${fail}
+}
+
+# @FUNCTION: list-paxables
+# @USAGE: {<files>}
+# @RETURN: Subset of {<files>} which are ELF executables or shared objects
+# @DESCRIPTION:
+# Print to stdout all of the <files> that are suitable to have PaX flag
+# markings, i.e., filter out the ELF executables or shared objects from a list
+# of files. This is useful for passing wild-card lists to pax-mark, although
+# in general it is preferable for ebuilds to list precisely which ELFS are to
+# be marked. Often not all the ELF installed by a package need remarking.
+# @EXAMPLE:
+# pax-mark -m $(list-paxables ${S}/{,usr/}bin/*)
+list-paxables() {
+ file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
+}
+
+# @FUNCTION: host-is-pax
+# @RETURN: Shell true if the build process is PaX enabled, shell false otherwise
+# @DESCRIPTION:
+# This is intended for use where the build process must be modified conditionally
+# depending on whether the host is PaX enabled or not. It is not intedened to
+# determine whether the final binaries need PaX markings. Note: if procfs is
+# not mounted on /proc, this returns shell false (e.g. Gentoo/FBSD).
+host-is-pax() {
+ grep -qs ^PaX: /proc/self/status
+}
+
+
+# INTERNAL FUNCTIONS
+# ------------------
+#
+# These functions are for use internally by the eclass - do not use
+# them elsewhere as they are not supported (i.e. they may be removed
+# or their function may change arbitratily).
+
+# Display a list of things, one per line, indented a bit, using the
+# display command in $1.
+_pax_list_files() {
+ local f cmd
+ cmd=$1
+ shift
+ for f in "$@"; do
+ ${cmd} " ${f}"
+ done
+}
+
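Review bot: in pax-mark, `paxctl-ng -C "${f}"` discards its exit status and runs unconditionally before every marking, while the HOWTO hunk in this same commit tells users to create the XT_PAX field with `paxctl-ng -cv`; confirm which of `-c`/`-C` paxctl-ng expects for creating the attribute, and handle a failed creation explicitly (report it or skip the file) rather than letting the following `paxctl-ng -${flags}` fail with a less specific message. The local `zero_load_alignment` is declared but never used and should be dropped. The description promises that with `PAX_MARKINGS` set to `XT` both XT_PAX and PT_PAX markings are made, but the XT branch only calls paxctl-ng; document that paxctl-ng is expected to handle both or adjust the text. The eclass also calls paxctl-ng without declaring a dependency on the package that provides it. Typos in the comments: `setto`, `intedened`, `arbitratily`, `ELFS`.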
* [gentoo-commits] proj/hardened-dev:XT_PAX commit in: /, eclass/
@ 2011-11-29 0:21 Anthony G. Basile
From: Anthony G. Basile @ 2011-11-29 0:21 UTC
To: gentoo-commits
commit: f4d0da5dcaf12e4b9a70c1d2528becf649b1de61
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 29 00:21:12 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Nov 29 00:21:12 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=f4d0da5d
eclass/pax-utils.eclass: RDEPEND on =sys-apps/elfix-0.3.2
---
HOWTO.txt | 2 +-
eclass/pax-utils.eclass | 2 ++
2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/HOWTO.txt b/HOWTO.txt
index b88816e..9edc600 100644
--- a/HOWTO.txt
+++ b/HOWTO.txt
@@ -64,7 +64,7 @@ what our hacked up grub does in the next step.
emerge =sys-devel/binutils-2.21.1-r2 \ # these are unmasked, so emerge
=sys-kernel/xtpax-sources-3.1.1 \
=sys-apps/elfix-0.3.2 \
- =sys-boot/grub-0.97-r11 \
+ =sys-boot/grub-0.97-r11
source /etc/profile # for binutils, if we keep using
# the same shell
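Review bot: dropping the trailing backslash on the grub line is right, but the command is still broken on its first line: in `emerge =sys-devel/binutils-2.21.1-r2 \ # these are unmasked, so emerge` the backslash escapes the following space rather than the newline, so the `#` comment terminates the command and the remaining atoms run as separate commands. Move the comment to its own line above `emerge`.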
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 2ddbf9f..216b89a 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -34,6 +34,8 @@
inherit eutils
+RDEPEND="=sys-apps/elfix-0.3.2"
+
# Default to XT markings.
PAX_MARKINGS=${PAX_MARKINGS:="XT"}
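Review bot: `RDEPEND="=sys-apps/elfix-0.3.2"` pins every ebuild inheriting the eclass to one exact version, so any elfix bump forces an eclass change, and it pulls paxctl-ng in even when `PAX_MARKINGS` is `PT` or `none`; consider a `>=` bound and either documenting or conditioning the dependency on the XT case.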