* [gentoo-commits] proj/elfix:master commit in: src/, /, poc/
@ 2011-05-05 23:50 Anthony G. Basile
0 siblings, 0 replies; 3+ messages in thread
From: Anthony G. Basile @ 2011-05-05 23:50 UTC (permalink / raw
To: gentoo-commits
commit: 646f75362042124158b075efb3c7eb8cd779539f
Author: Anthony G. Basile <basile <AT> opensource <DOT> dyc <DOT> edu>
AuthorDate: Thu May 5 23:50:15 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu May 5 23:50:15 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=646f7536
poc/mangle-paxflags.c and src/fix-gnustack.c: added help option
---
autogen.sh | 1 +
configure.ac | 4 ++--
poc/mangle-paxflags.c | 29 ++++++++++++++++++++++++++---
src/fix-gnustack.c | 26 ++++++++++++++++++++++++--
4 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/autogen.sh b/autogen.sh
index 66ed103..3888ff3 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -1,5 +1,6 @@
#!/bin/sh
aclocal && \
+autoheader && \
autoconf && \
automake --add-missing --copy
diff --git a/configure.ac b/configure.ac
index 039a269..560cc82 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,9 +2,9 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ([2.65])
-AC_INIT([elfix], [0.1], [blueness@gentoo.org])
+AC_INIT([elfix], [0.1.3], [http://bugs.gentoo.org/])
AC_CONFIG_SRCDIR([src/fix-gnustack.c])
-#AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE([1.11 foreign])
AC_ARG_ENABLE(
diff --git a/poc/mangle-paxflags.c b/poc/mangle-paxflags.c
index 8853b13..301dad7 100644
--- a/poc/mangle-paxflags.c
+++ b/poc/mangle-paxflags.c
@@ -28,6 +28,8 @@
#include <fcntl.h>
#include <unistd.h>
+#include <config.h>
+
// From chpax.h
#define EI_PAX 14 // Index in e_ident[] where to read flags
#define HF_PAX_PAGEEXEC 1 // 0: Paging based non-exec pages
@@ -37,22 +39,40 @@
#define HF_PAX_RANDEXEC 16 // 1: Randomize ET_EXEC base
#define HF_PAX_SEGMEXEC 32 // 0: Segmentation based non-exec pages
-
#define PRINT(E,F,I) printf("%s:\t%s\n", #E, E & F ? ( I ? "enabled" : "disabled" ) : ( I ? "disabled" : "enabled" ) );
#define CASE(N,P) case P: printf("%d: %s\n", (int)N, #P); break
+void
+print_help(char *v)
+{
+ printf(
+ "Package Name : " PACKAGE_STRING "\n"
+ "Bug Reports : " PACKAGE_BUGREPORT "\n"
+ "Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
+ "Usage : %s {-h | [-e] [-p] ELFfile}\n"
+ "options : Print out EI_PAX and PT_PAX_FLAGS information\n"
+ " : -e Set all EI_PAX flags to least secure setting, pEmrXs\n"
+ " : -p Remove PT_PAX_FLAGS program header\n"
+ " : -h Print out this help\n",
+ v
+ );
+
+ exit(EXIT_SUCCESS);
+}
+
+
char *
parse_cmd_args( int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags )
{
int i, oc;
if((c != 2)&&(c != 3)&&(c != 4))
- error(EXIT_FAILURE, 0, "Usage: %s [-e] [-p] elffile", v[0]);
+ error(EXIT_FAILURE, 0, "Usage: %s {[-e] [-p] ELFfile | [-h]}", v[0]);
*flag_ei_pax = 0;
*flag_pt_pax_flags = 0;
- while((oc = getopt(c, v,":ep")) != -1)
+ while((oc = getopt(c, v,":eph")) != -1)
switch(oc)
{
case 'e':
@@ -61,6 +81,9 @@ parse_cmd_args( int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags )
case 'p':
*flag_pt_pax_flags = 1;
break;
+ case 'h':
+ print_help(v[0]);
+ break;
case '?':
default:
error(EXIT_FAILURE, 0, "option -%c is invalid: ignored.", optopt ) ;
diff --git a/src/fix-gnustack.c b/src/fix-gnustack.c
index 75d72ea..02eb4d5 100644
--- a/src/fix-gnustack.c
+++ b/src/fix-gnustack.c
@@ -28,6 +28,25 @@
#include <fcntl.h>
#include <unistd.h>
+#include <config.h>
+
+
+void
+print_help(char *v)
+{
+ printf(
+ "Package Name : " PACKAGE_STRING "\n"
+ "Bug Reports : " PACKAGE_BUGREPORT "\n"
+ "Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
+ "Usage : %s {[-f] ELFfile | [-h]}\n"
+ "options : Print out protection flags on PT_GNU_STACK\n"
+ " : -f Remove X if WX flags are set on PT_GNU_STACK\n"
+ " : -h Print out this help\n",
+ v
+ );
+
+ exit(EXIT_SUCCESS);
+}
char *
@@ -36,15 +55,18 @@ parse_cmd_args( int c, char *v[], int *flagv )
int i, oc;
if((c != 2)&&(c != 3))
- error(EXIT_FAILURE, 0, "Usage: %s [-f] elffile", v[0]);
+ error(EXIT_FAILURE, 0, "Usage: %s {-h | [-f] ELFfile}", v[0]);
*flagv = 0 ;
- while((oc = getopt(c, v,":f")) != -1)
+ while((oc = getopt(c, v,":fh")) != -1)
switch(oc)
{
case 'f':
*flagv = 1 ;
break ;
+ case 'h':
+ print_help(v[0]);
+ break;
case '?':
default:
error(EXIT_FAILURE, 0, "option -%c is invalid: ignored.", optopt ) ;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [gentoo-commits] proj/elfix:master commit in: src/, /, poc/
@ 2011-05-06 2:43 Anthony G. Basile
0 siblings, 0 replies; 3+ messages in thread
From: Anthony G. Basile @ 2011-05-06 2:43 UTC (permalink / raw
To: gentoo-commits
commit: 28309dafebd27f7afbaee68d97b77fed68b04e99
Author: Anthony G. Basile <basile <AT> opensource <DOT> dyc <DOT> edu>
AuthorDate: Fri May 6 02:43:01 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri May 6 02:43:01 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=28309daf
src/paxctl-ng.c: added help and create PT_PAX_FLAGS
---
configure.ac | 2 +-
poc/mangle-paxflags.c | 6 +-
src/Makefile.am | 4 +-
src/fix-gnustack.c | 2 +-
poc/mangle-paxflags.c => src/paxctl-ng.c | 181 +++++++++++++++++++++++------
5 files changed, 151 insertions(+), 44 deletions(-)
diff --git a/configure.ac b/configure.ac
index 560cc82..15ffc03 100644
--- a/configure.ac
+++ b/configure.ac
@@ -11,7 +11,7 @@ AC_ARG_ENABLE(
[tests],
AS_HELP_STRING(
[--enable-tests],
- [enable tests]
+ [perform tests]
),
[
AS_IF(
diff --git a/poc/mangle-paxflags.c b/poc/mangle-paxflags.c
index 301dad7..8e2607c 100644
--- a/poc/mangle-paxflags.c
+++ b/poc/mangle-paxflags.c
@@ -50,7 +50,7 @@ print_help(char *v)
"Package Name : " PACKAGE_STRING "\n"
"Bug Reports : " PACKAGE_BUGREPORT "\n"
"Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
- "Usage : %s {-h | [-e] [-p] ELFfile}\n"
+ "Usage : %s {[-e] [-p] ELFfile | -h}\n"
"options : Print out EI_PAX and PT_PAX_FLAGS information\n"
" : -e Set all EI_PAX flags to least secure setting, pEmrXs\n"
" : -p Remove PT_PAX_FLAGS program header\n"
@@ -105,7 +105,7 @@ main( int argc, char *argv[])
GElf_Ehdr ehdr;
GElf_Phdr phdr;
- f_name = parse_cmd_args( argc, argv, &flag_ei_pax, &flag_pt_pax_flags );
+ f_name = parse_cmd_args(argc, argv, &flag_ei_pax, &flag_pt_pax_flags);
if(elf_version(EV_CURRENT) == EV_NONE)
error(EXIT_FAILURE, 0, "Library out of date.");
@@ -129,7 +129,7 @@ main( int argc, char *argv[])
error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
if(gelf_getehdr(elf,&ehdr) != &ehdr)
- error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
+ error(EXIT_FAILURE, 0, "gelf_getehdr(): %s", elf_errmsg(elf_errno()));
found_ei_pax = ((u_long) ehdr.e_ident[EI_PAX + 1] << 8) + (u_long) ehdr.e_ident[EI_PAX];
diff --git a/src/Makefile.am b/src/Makefile.am
index e63a5f2..8e4709c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,3 +1,5 @@
-bin_PROGRAMS = fix-gnustack
+bin_PROGRAMS = fix-gnustack paxctl-ng
fix_gnustack_SOURCES = fix-gnustack.c
fix_gnustack_LDADD = -lelf
+paxctl_ng_SOURCES = paxctl-ng.c
+paxctl_ng_LDADD = -lelf
diff --git a/src/fix-gnustack.c b/src/fix-gnustack.c
index 02eb4d5..2afd7da 100644
--- a/src/fix-gnustack.c
+++ b/src/fix-gnustack.c
@@ -87,7 +87,7 @@ main( int argc, char *argv[])
Elf *elf;
GElf_Phdr phdr;
- f_name = parse_cmd_args( argc, argv, &flagv );
+ f_name = parse_cmd_args(argc, argv, &flagv);
if(elf_version(EV_CURRENT) == EV_NONE)
error(EXIT_FAILURE, 0, "Library out of date.");
diff --git a/poc/mangle-paxflags.c b/src/paxctl-ng.c
similarity index 56%
copy from poc/mangle-paxflags.c
copy to src/paxctl-ng.c
index 301dad7..9f1b86a 100644
--- a/poc/mangle-paxflags.c
+++ b/src/paxctl-ng.c
@@ -1,5 +1,5 @@
/*
- mangle-paxflags.c: check and optionally remove EI_PAX and/or PT_PAX_FLAGS
+ paxctl-ng.c: get/set pax flags on an ELF object
Copyright (C) 2011 Anthony G. Basile
This program is free software: you can redistribute it and/or modify
@@ -30,14 +30,7 @@
#include <config.h>
-// From chpax.h
-#define EI_PAX 14 // Index in e_ident[] where to read flags
-#define HF_PAX_PAGEEXEC 1 // 0: Paging based non-exec pages
-#define HF_PAX_EMUTRAMP 2 // 0: Emulate trampolines
-#define HF_PAX_MPROTECT 4 // 0: Restrict mprotect()
-#define HF_PAX_RANDMMAP 8 // 0: Randomize mmap() base
-#define HF_PAX_RANDEXEC 16 // 1: Randomize ET_EXEC base
-#define HF_PAX_SEGMEXEC 32 // 0: Segmentation based non-exec pages
+#define EI_PAX 14 // Index in e_ident[] where to read flags - from chpax.h
#define PRINT(E,F,I) printf("%s:\t%s\n", #E, E & F ? ( I ? "enabled" : "disabled" ) : ( I ? "disabled" : "enabled" ) );
#define CASE(N,P) case P: printf("%d: %s\n", (int)N, #P); break
@@ -49,11 +42,17 @@ print_help(char *v)
printf(
"Package Name : " PACKAGE_STRING "\n"
"Bug Reports : " PACKAGE_BUGREPORT "\n"
- "Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
- "Usage : %s {-h | [-e] [-p] ELFfile}\n"
- "options : Print out EI_PAX and PT_PAX_FLAGS information\n"
- " : -e Set all EI_PAX flags to least secure setting, pEmrXs\n"
- " : -p Remove PT_PAX_FLAGS program header\n"
+ "Description : Get or set pax flags on an ELF object\n\n"
+ "Usage : %s {[-pPeEmMrRxXsSzZC] ELFfile | [-h]}\n"
+ "options : Print out pax flag information\n"
+ " : -p Disable PAGEEXEC\t-P Enable PAGEEXEC\n"
+ " : -e Disable EMUTRAMP\t-E Enable EMUTRAMP\n"
+ " : -m Disable MPROTECT\t-M Enable MPROTECT\n"
+ " : -r Disable RANDMMAP\t-R Enable RANDMMAP\n"
+ " : -x Disable RANDEXEC\t-X Enable RANDEXEC\n"
+ " : -s Disable SEGMEXEC\t-X Enable SEGMEXEC\n"
+ " : -z Default least secure\t-Z Default most secure\n"
+ " : -C Created PT_PAX_FLAGS program header\n"
" : -h Print out this help\n",
v
);
@@ -63,23 +62,48 @@ print_help(char *v)
char *
-parse_cmd_args( int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags )
+parse_cmd_args( int c, char *v[], int *pax_flags, int *create_flag )
{
int i, oc;
if((c != 2)&&(c != 3)&&(c != 4))
- error(EXIT_FAILURE, 0, "Usage: %s {[-e] [-p] ELFfile | [-h]}", v[0]);
+ error(EXIT_FAILURE, 0, "Usage: %s {[-pPeEmMrRxXsSzZC] ELFfile | [-h]}", v[0]);
- *flag_ei_pax = 0;
- *flag_pt_pax_flags = 0;
- while((oc = getopt(c, v,":eph")) != -1)
+ *pax_flags = 0;
+ *create_flag = 0;
+ while((oc = getopt(c, v,":pPeEmMrRxXsSzZCh")) != -1)
switch(oc)
{
+ case 'p':
+ break ;
+ case 'P':
+ break;
case 'e':
- *flag_ei_pax = 1;
break ;
- case 'p':
- *flag_pt_pax_flags = 1;
+ case 'E':
+ break;
+ case 'm':
+ break ;
+ case 'M':
+ break;
+ case 'r':
+ break ;
+ case 'R':
+ break;
+ case 'x':
+ break ;
+ case 'X':
+ break;
+ case 's':
+ break ;
+ case 'S':
+ break;
+ case 'z':
+ break ;
+ case 'Z':
+ break;
+ case 'C':
+ *create_flag = 1;
break;
case 'h':
print_help(v[0]);
@@ -94,23 +118,83 @@ parse_cmd_args( int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags )
int
+no_pt_pax_flags(Elf *e)
+{
+ size_t i, phnum;
+ GElf_Phdr phdr;
+
+ elf_getphdrnum(e, &phnum);
+ for(i=0; i<phnum; ++i)
+ {
+ if(gelf_getphdr(e, i, &phdr) != &phdr)
+ error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
+ if(phdr.p_type == PT_PAX_FLAGS)
+ return 0;
+ }
+ return 1;
+}
+
+
+int
+create_pt_pax_flags(Elf *e)
+{
+ size_t i, phnum;
+ GElf_Phdr phdr;
+
+ elf_getphdrnum(e, &phnum);
+ for(i=0; i<phnum; ++i)
+ {
+ if(gelf_getphdr(e, i, &phdr) != &phdr)
+ error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
+ if(phdr.p_type == PT_NULL)
+ {
+ phdr.p_type = PT_PAX_FLAGS;
+ phdr.p_flags = PF_NOEMUTRAMP|PF_NORANDEXEC;
+ if(!gelf_update_phdr(e, i, &phdr))
+ error(EXIT_FAILURE, 0, "gelf_update_phdr(): %s", elf_errmsg(elf_errno()));
+ return 1;
+ }
+ }
+
+
+ /*
+ if( !(phdr = gelf_newphdr(Elf *e, size_t phnum)) )
+ {
+ phdr.p_type = PT_PAX_FLAGS;
+ //phdr.p_offset
+ //phdr.p_vaddr
+ //phdr.p_paddr
+ //phdr.p_filesz
+ //phdr.p_memsz
+ phdr.p_flags = PF_NOEMUTRAMP|PF_NORANDEXEC;
+ //phdr.p_align
+
+ if(!gelf_update_phdr(e, i, &phdr))
+ error(EXIT_FAILURE, 0, "gelf_update_phdr(): %s", elf_errmsg(elf_errno()));
+ return 1;
+ }
+ error(EXIT_FAILURE, 0, "gelf_newphdr(): %s", elf_errmsg(elf_errno()));
+ */
+
+}
+
+
+int
main( int argc, char *argv[])
{
int fd;
- int flag_ei_pax, flag_pt_pax_flags, found_ei_pax;
+ int pax_flags, create_flag;
char *f_name;
- size_t i, phnum;
Elf *elf;
GElf_Ehdr ehdr;
- GElf_Phdr phdr;
- f_name = parse_cmd_args( argc, argv, &flag_ei_pax, &flag_pt_pax_flags );
+ f_name = parse_cmd_args(argc, argv, &pax_flags, &create_flag);
if(elf_version(EV_CURRENT) == EV_NONE)
error(EXIT_FAILURE, 0, "Library out of date.");
- if( flag_ei_pax || flag_pt_pax_flags )
+ if(create_flag)
{
if((fd = open(f_name, O_RDWR)) < 0)
error(EXIT_FAILURE, 0, "open() fail.");
@@ -128,11 +212,39 @@ main( int argc, char *argv[])
if(elf_kind(elf) != ELF_K_ELF)
error(EXIT_FAILURE, 0, "elf_kind() fail: this is not an elf file.");
- if(gelf_getehdr(elf,&ehdr) != &ehdr)
- error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
- found_ei_pax = ((u_long) ehdr.e_ident[EI_PAX + 1] << 8) + (u_long) ehdr.e_ident[EI_PAX];
+
+
+ if(create_flag)
+ {
+ //To be safe, let's make sure EI_PAX flags are zero-ed for most secure legacy
+ if(gelf_getehdr(elf, &ehdr) != &ehdr)
+ error(EXIT_FAILURE, 0, "gelf_getehdr(): %s", elf_errmsg(elf_errno()));
+
+ ehdr.e_ident[EI_PAX] = 0;
+ ehdr.e_ident[EI_PAX + 1] = 0;
+
+ if(!gelf_update_ehdr(elf, &ehdr))
+ error(EXIT_FAILURE, 0, "gelf_update_ehdr(): %s", elf_errmsg(elf_errno()));
+
+ if(no_pt_pax_flags(elf))
+ {
+ printf("PT_PAX_FLAGS phdr not found: creating one\n");
+ if(create_pt_pax_flags(elf))
+ {
+ printf("PT_PAX_FLAGS phdr create: succeeded\n");
+ }
+ else
+ error(EXIT_FAILURE, 0, "PT_PAX_FLAGS phdr create: failed");
+ }
+ else
+ error(EXIT_FAILURE, 0, "PT_PAX_FLAGS phdr found: nothing to do");
+ }
+
+
+
+ /*
printf("==== EI_PAX ====\n") ;
PRINT(HF_PAX_PAGEEXEC, found_ei_pax, 0);
PRINT(HF_PAX_EMUTRAMP, found_ei_pax, 1);
@@ -142,14 +254,6 @@ main( int argc, char *argv[])
PRINT(HF_PAX_SEGMEXEC, found_ei_pax, 0);
printf("\n");
- if( flag_ei_pax )
- {
- printf("Disabling EI_PAX\n\n");
- ehdr.e_ident[EI_PAX] = 0xFF;
- ehdr.e_ident[EI_PAX + 1] = 0xFF;
- if(!gelf_update_ehdr(elf, &ehdr))
- error(EXIT_FAILURE, 0, "gelf_update_ehdr(): %s", elf_errmsg(elf_errno()));
- }
printf("==== PHRDs ====\n") ;
elf_getphdrnum(elf, &phnum);
@@ -208,6 +312,7 @@ main( int argc, char *argv[])
}
}
printf("\n\n");
+ */
elf_end(elf);
close(fd);
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [gentoo-commits] proj/elfix:master commit in: src/, /, poc/
@ 2011-05-07 2:21 Anthony G. Basile
0 siblings, 0 replies; 3+ messages in thread
From: Anthony G. Basile @ 2011-05-07 2:21 UTC (permalink / raw
To: gentoo-commits
commit: e6797b5c11034d79c4e59f659736bfe288104c66
Author: Anthony G. Basile <basile <AT> opensource <DOT> dyc <DOT> edu>
AuthorDate: Sat May 7 02:21:00 2011 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat May 7 02:21:00 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=e6797b5c
poc/mangle-paxflags.c: added quiet mode and fixed whitespaces
---
configure.ac | 1 +
poc/mangle-paxflags.c | 210 +++++++++++++++++++++++++++----------------------
src/fix-gnustack.c | 4 +-
src/paxctl-ng.c | 23 +++---
4 files changed, 132 insertions(+), 106 deletions(-)
diff --git a/configure.ac b/configure.ac
index 15ffc03..e082850 100644
--- a/configure.ac
+++ b/configure.ac
@@ -47,6 +47,7 @@ AC_CHECK_HEADERS([errno.h])
AC_CHECK_HEADERS([error.h])
AC_CHECK_HEADERS([fcntl.h])
AC_CHECK_HEADERS([gelf.h])
+AC_CHECK_HEADERS([libgen.h])
AC_CHECK_HEADERS([stdio.h])
AC_CHECK_HEADERS([stdlib.h])
AC_CHECK_HEADERS([string.h])
diff --git a/poc/mangle-paxflags.c b/poc/mangle-paxflags.c
index 530411c..402fb67 100644
--- a/poc/mangle-paxflags.c
+++ b/poc/mangle-paxflags.c
@@ -20,6 +20,7 @@
#include <stdlib.h>
#include <string.h>
#include <error.h>
+#include <libgen.h>
#include <gelf.h>
@@ -28,16 +29,17 @@
#include <fcntl.h>
#include <unistd.h>
+
#include <config.h>
// From chpax.h
#define EI_PAX 14 // Index in e_ident[] where to read flags
-#define HF_PAX_PAGEEXEC 1 // 0: Paging based non-exec pages
-#define HF_PAX_EMUTRAMP 2 // 0: Emulate trampolines
-#define HF_PAX_MPROTECT 4 // 0: Restrict mprotect()
-#define HF_PAX_RANDMMAP 8 // 0: Randomize mmap() base
-#define HF_PAX_RANDEXEC 16 // 1: Randomize ET_EXEC base
-#define HF_PAX_SEGMEXEC 32 // 0: Segmentation based non-exec pages
+#define HF_PAX_PAGEEXEC 1 // 0: Paging based non-exec pages
+#define HF_PAX_EMUTRAMP 2 // 0: Emulate trampolines
+#define HF_PAX_MPROTECT 4 // 0: Restrict mprotect()
+#define HF_PAX_RANDMMAP 8 // 0: Randomize mmap() base
+#define HF_PAX_RANDEXEC 16 // 1: Randomize ET_EXEC base
+#define HF_PAX_SEGMEXEC 32 // 0: Segmentation based non-exec pages
#define PRINT(E,F,I) printf("%s:\t%s\n", #E, E&F? (I? "enabled" : "disabled") : (I? "disabled" : "enabled"));
#define SPRINT(E,F,A,B) printf("%c", E&F? A : B);
@@ -48,36 +50,40 @@
void
print_help(char *v)
{
- printf(
- "Package Name : " PACKAGE_STRING "\n"
- "Bug Reports : " PACKAGE_BUGREPORT "\n"
- "Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
- "Usage : %s {[-e] [-p] ELFfile | -h}\n"
- "options : Print out EI_PAX and PT_PAX_FLAGS information\n"
- " : -e Set all EI_PAX flags to least secure setting, pEmrXs\n"
- " : -p Remove PT_PAX_FLAGS program header\n"
+ printf(
+ "Package Name : " PACKAGE_STRING "\n"
+ "Bug Reports : " PACKAGE_BUGREPORT "\n"
+ "Program Name : %s\n"
+ "Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
+ "Usage : %s {[-e] [-p] [-v] [-q] ELFfile | [-h]}\n"
+ "options : Print out EI_PAX and PT_PAX_FLAGS information\n"
+ " : -e Set all EI_PAX flags to least secure setting, pEmrXs\n"
+ " : -p Remove PT_PAX_FLAGS program header\n"
" : -v Verbose expanation of flags (rather than short list)\n"
- " : -h Print out this help\n",
- v
- );
+ " : -q Surpress all output to stdout (negates verbose)\n"
+ " : -h Print out this help\n",
+ basename(v),
+ basename(v)
+ );
- exit(EXIT_SUCCESS);
+ exit(EXIT_SUCCESS);
}
char *
-parse_cmd_args(int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags, int *verbose)
+parse_cmd_args(int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags, int *verbose, int *quiet)
{
int i, oc;
if((c != 2)&&(c != 3)&&(c != 4))
- error(EXIT_FAILURE, 0, "Usage: %s {[-e] [-p] [-v] ELFfile | [-h]}", v[0]);
+ error(EXIT_FAILURE, 0, "Usage: %s {[-e] [-p] [-v] [-q] ELFfile | [-h]}", v[0]);
*flag_ei_pax = 0;
*flag_pt_pax_flags = 0;
*verbose = 0;
+ *quiet = 0;
- while((oc = getopt(c, v,":epvh")) != -1)
+ while((oc = getopt(c, v,":epvqh")) != -1)
switch(oc)
{
case 'e':
@@ -89,6 +95,9 @@ parse_cmd_args(int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags, int *
case 'v':
*verbose = 1;
break;
+ case 'q':
+ *quiet = 1;
+ break;
case 'h':
print_help(v[0]);
break;
@@ -104,7 +113,8 @@ parse_cmd_args(int c, char *v[], int *flag_ei_pax, int *flag_pt_pax_flags, int *
int
main( int argc, char *argv[])
{
- int fd, flag_ei_pax, flag_pt_pax_flags, verbose, found_ei_pax;
+ int fd, found_ei_pax;
+ int flag_ei_pax, flag_pt_pax_flags, verbose, quiet;
char *f_name;
size_t i, phnum;
@@ -112,7 +122,7 @@ main( int argc, char *argv[])
GElf_Ehdr ehdr;
GElf_Phdr phdr;
- f_name = parse_cmd_args(argc, argv, &flag_ei_pax, &flag_pt_pax_flags, &verbose);
+ f_name = parse_cmd_args(argc, argv, &flag_ei_pax, &flag_pt_pax_flags, &verbose, &quiet);
if(elf_version(EV_CURRENT) == EV_NONE)
error(EXIT_FAILURE, 0, "Library out of date.");
@@ -140,110 +150,120 @@ main( int argc, char *argv[])
found_ei_pax = ((u_long) ehdr.e_ident[EI_PAX + 1] << 8) + (u_long) ehdr.e_ident[EI_PAX];
- printf("==== EI_PAX ====\n") ;
- if(verbose)
- {
- PRINT(HF_PAX_PAGEEXEC, found_ei_pax, 0);
- PRINT(HF_PAX_EMUTRAMP, found_ei_pax, 1);
- PRINT(HF_PAX_MPROTECT, found_ei_pax, 0);
- PRINT(HF_PAX_RANDMMAP, found_ei_pax, 0);
- PRINT(HF_PAX_RANDEXEC, found_ei_pax, 1);
- PRINT(HF_PAX_SEGMEXEC, found_ei_pax, 0);
- printf("\n");
- }
- else
+ if(!quiet)
{
- SPRINT(HF_PAX_PAGEEXEC, found_ei_pax, 'p', 'P');
- SPRINT(HF_PAX_EMUTRAMP, found_ei_pax, 'E', 'e');
- SPRINT(HF_PAX_MPROTECT, found_ei_pax, 'm', 'M');
- SPRINT(HF_PAX_RANDMMAP, found_ei_pax, 'r', 'R');
- SPRINT(HF_PAX_RANDEXEC, found_ei_pax, 'X', 'x');
- SPRINT(HF_PAX_SEGMEXEC, found_ei_pax, 's', 'S');
- printf("\n\n");
+ printf("==== EI_PAX ====\n") ;
+ if(verbose)
+ {
+ PRINT(HF_PAX_PAGEEXEC, found_ei_pax, 0);
+ PRINT(HF_PAX_EMUTRAMP, found_ei_pax, 1);
+ PRINT(HF_PAX_MPROTECT, found_ei_pax, 0);
+ PRINT(HF_PAX_RANDMMAP, found_ei_pax, 0);
+ PRINT(HF_PAX_RANDEXEC, found_ei_pax, 1);
+ PRINT(HF_PAX_SEGMEXEC, found_ei_pax, 0);
+ printf("\n");
+ }
+ else
+ {
+ SPRINT(HF_PAX_PAGEEXEC, found_ei_pax, 'p', 'P');
+ SPRINT(HF_PAX_EMUTRAMP, found_ei_pax, 'E', 'e');
+ SPRINT(HF_PAX_MPROTECT, found_ei_pax, 'm', 'M');
+ SPRINT(HF_PAX_RANDMMAP, found_ei_pax, 'r', 'R');
+ SPRINT(HF_PAX_RANDEXEC, found_ei_pax, 'X', 'x');
+ SPRINT(HF_PAX_SEGMEXEC, found_ei_pax, 's', 'S');
+ printf("\n\n");
+ }
}
if( flag_ei_pax )
{
- printf("Disabling EI_PAX\n\n");
+ if(!quiet)
+ printf("Disabling EI_PAX\n\n");
ehdr.e_ident[EI_PAX] = 0xFF;
ehdr.e_ident[EI_PAX + 1] = 0xFF;
if(!gelf_update_ehdr(elf, &ehdr))
error(EXIT_FAILURE, 0, "gelf_update_ehdr(): %s", elf_errmsg(elf_errno()));
}
- printf("==== PHRDs ====\n") ;
+ if(!quiet)
+ printf("==== PHRDs ====\n") ;
elf_getphdrnum(elf, &phnum);
for(i=0; i<phnum; ++i)
{
if(gelf_getphdr(elf, i, &phdr) != &phdr)
error(EXIT_FAILURE, 0, "gelf_getphdr(): %s", elf_errmsg(elf_errno()));
- if(verbose)
- {
- switch(phdr.p_type)
- {
- CPRINT(i,PT_NULL);
- CPRINT(i,PT_LOAD);
- CPRINT(i,PT_DYNAMIC);
- CPRINT(i,PT_INTERP);
- CPRINT(i,PT_NOTE);
- CPRINT(i,PT_SHLIB);
- CPRINT(i,PT_PHDR);
- CPRINT(i,PT_TLS);
- CPRINT(i,PT_NUM);
- CPRINT(i,PT_LOOS);
- CPRINT(i,PT_GNU_EH_FRAME);
- CPRINT(i,PT_GNU_STACK);
- CPRINT(i,PT_GNU_RELRO);
- CPRINT(i,PT_PAX_FLAGS);
- CPRINT(i,PT_LOSUNW);
- //CPRINT(i,PT_SUNWBSS);
- CPRINT(i,PT_SUNWSTACK);
- CPRINT(i,PT_HISUNW);
- //CPRINT(i,PT_HIOS);
- CPRINT(i,PT_LOPROC);
- CPRINT(i,PT_HIPROC);
- }
- }
-
- if(phdr.p_type == PT_PAX_FLAGS)
+ if(!quiet)
{
if(verbose)
{
- PRINT(PF_PAGEEXEC, phdr.p_flags, 1);
- PRINT(PF_NOPAGEEXEC, phdr.p_flags, 1);
- PRINT(PF_SEGMEXEC, phdr.p_flags, 1);
- PRINT(PF_NOSEGMEXEC, phdr.p_flags, 1);
- PRINT(PF_MPROTECT, phdr.p_flags, 1);
- PRINT(PF_NOMPROTECT, phdr.p_flags, 1);
- PRINT(PF_RANDEXEC, phdr.p_flags, 1);
- PRINT(PF_NORANDEXEC, phdr.p_flags, 1);
- PRINT(PF_EMUTRAMP, phdr.p_flags, 1);
- PRINT(PF_NOEMUTRAMP, phdr.p_flags, 1);
- PRINT(PF_RANDMMAP, phdr.p_flags, 1);
- PRINT(PF_NORANDMMAP, phdr.p_flags, 1);
+ switch(phdr.p_type)
+ {
+ CPRINT(i,PT_NULL);
+ CPRINT(i,PT_LOAD);
+ CPRINT(i,PT_DYNAMIC);
+ CPRINT(i,PT_INTERP);
+ CPRINT(i,PT_NOTE);
+ CPRINT(i,PT_SHLIB);
+ CPRINT(i,PT_PHDR);
+ CPRINT(i,PT_TLS);
+ CPRINT(i,PT_NUM);
+ CPRINT(i,PT_LOOS);
+ CPRINT(i,PT_GNU_EH_FRAME);
+ CPRINT(i,PT_GNU_STACK);
+ CPRINT(i,PT_GNU_RELRO);
+ CPRINT(i,PT_PAX_FLAGS);
+ CPRINT(i,PT_LOSUNW);
+ //CPRINT(i,PT_SUNWBSS);
+ CPRINT(i,PT_SUNWSTACK);
+ CPRINT(i,PT_HISUNW);
+ //CPRINT(i,PT_HIOS);
+ CPRINT(i,PT_LOPROC);
+ CPRINT(i,PT_HIPROC);
+ }
}
- else
+
+ if(phdr.p_type == PT_PAX_FLAGS)
{
- printf("%d: PT_PAX_FLAGS\n", (int)i);
- FPRINT(PF_PAGEEXEC, PF_NOPAGEEXEC, phdr.p_flags, 'p', 'P');
- FPRINT(PF_EMUTRAMP, PF_NOEMUTRAMP, phdr.p_flags, 'e', 'E');
- FPRINT(PF_MPROTECT, PF_NOMPROTECT, phdr.p_flags, 'm', 'M');
- FPRINT(PF_RANDMMAP, PF_NORANDMMAP, phdr.p_flags, 'r', 'R');
- FPRINT(PF_RANDEXEC, PF_NORANDEXEC, phdr.p_flags, 'x', 'X');
- FPRINT(PF_SEGMEXEC, PF_NOSEGMEXEC, phdr.p_flags, 's', 'S');
+ if(verbose)
+ {
+ PRINT(PF_PAGEEXEC, phdr.p_flags, 1);
+ PRINT(PF_NOPAGEEXEC, phdr.p_flags, 1);
+ PRINT(PF_SEGMEXEC, phdr.p_flags, 1);
+ PRINT(PF_NOSEGMEXEC, phdr.p_flags, 1);
+ PRINT(PF_MPROTECT, phdr.p_flags, 1);
+ PRINT(PF_NOMPROTECT, phdr.p_flags, 1);
+ PRINT(PF_RANDEXEC, phdr.p_flags, 1);
+ PRINT(PF_NORANDEXEC, phdr.p_flags, 1);
+ PRINT(PF_EMUTRAMP, phdr.p_flags, 1);
+ PRINT(PF_NOEMUTRAMP, phdr.p_flags, 1);
+ PRINT(PF_RANDMMAP, phdr.p_flags, 1);
+ PRINT(PF_NORANDMMAP, phdr.p_flags, 1);
+ }
+ else
+ {
+ printf("%d: PT_PAX_FLAGS\n", (int)i);
+ FPRINT(PF_PAGEEXEC, PF_NOPAGEEXEC, phdr.p_flags, 'p', 'P');
+ FPRINT(PF_EMUTRAMP, PF_NOEMUTRAMP, phdr.p_flags, 'e', 'E');
+ FPRINT(PF_MPROTECT, PF_NOMPROTECT, phdr.p_flags, 'm', 'M');
+ FPRINT(PF_RANDMMAP, PF_NORANDMMAP, phdr.p_flags, 'r', 'R');
+ FPRINT(PF_RANDEXEC, PF_NORANDEXEC, phdr.p_flags, 'x', 'X');
+ FPRINT(PF_SEGMEXEC, PF_NOSEGMEXEC, phdr.p_flags, 's', 'S');
+ }
}
}
if((phdr.p_type == PT_PAX_FLAGS) && flag_pt_pax_flags )
{
- printf("CONVERTED -> PT_NULL\n\n");
+ if(!quiet)
+ printf("CONVERTED -> PT_NULL\n\n");
phdr.p_type = PT_NULL;
if(!gelf_update_phdr(elf, i, &phdr))
error(EXIT_FAILURE, 0, "gelf_update_phdr(): %s", elf_errmsg(elf_errno()));
}
}
- printf("\n\n");
+ if(!quiet)
+ printf("\n\n");
elf_end(elf);
close(fd);
diff --git a/src/fix-gnustack.c b/src/fix-gnustack.c
index 2afd7da..3c12700 100644
--- a/src/fix-gnustack.c
+++ b/src/fix-gnustack.c
@@ -20,6 +20,7 @@
#include <stdlib.h>
#include <string.h>
#include <error.h>
+#include <libgen.h>
#include <gelf.h>
@@ -37,12 +38,13 @@ print_help(char *v)
printf(
"Package Name : " PACKAGE_STRING "\n"
"Bug Reports : " PACKAGE_BUGREPORT "\n"
+ "Program Name : %s\n"
"Description : Check for, or conditionally remove, executable flag from PT_GNU_STACK\n\n"
"Usage : %s {[-f] ELFfile | [-h]}\n"
"options : Print out protection flags on PT_GNU_STACK\n"
" : -f Remove X if WX flags are set on PT_GNU_STACK\n"
" : -h Print out this help\n",
- v
+ basename(v), basename(v)
);
exit(EXIT_SUCCESS);
diff --git a/src/paxctl-ng.c b/src/paxctl-ng.c
index 9f1b86a..0957e36 100644
--- a/src/paxctl-ng.c
+++ b/src/paxctl-ng.c
@@ -20,6 +20,7 @@
#include <stdlib.h>
#include <string.h>
#include <error.h>
+#include <libgen.h>
#include <gelf.h>
@@ -39,12 +40,13 @@
void
print_help(char *v)
{
- printf(
- "Package Name : " PACKAGE_STRING "\n"
- "Bug Reports : " PACKAGE_BUGREPORT "\n"
- "Description : Get or set pax flags on an ELF object\n\n"
- "Usage : %s {[-pPeEmMrRxXsSzZC] ELFfile | [-h]}\n"
- "options : Print out pax flag information\n"
+ printf(
+ "Package Name : " PACKAGE_STRING "\n"
+ "Bug Reports : " PACKAGE_BUGREPORT "\n"
+ "Program Name : %s\n"
+ "Description : Get or set pax flags on an ELF object\n\n"
+ "Usage : %s {[-pPeEmMrRxXsSzZC] ELFfile | [-h]}\n"
+ "options : Print out pax flag information\n"
" : -p Disable PAGEEXEC\t-P Enable PAGEEXEC\n"
" : -e Disable EMUTRAMP\t-E Enable EMUTRAMP\n"
" : -m Disable MPROTECT\t-M Enable MPROTECT\n"
@@ -53,11 +55,12 @@ print_help(char *v)
" : -s Disable SEGMEXEC\t-X Enable SEGMEXEC\n"
" : -z Default least secure\t-Z Default most secure\n"
" : -C Created PT_PAX_FLAGS program header\n"
- " : -h Print out this help\n",
- v
- );
+ " : -h Print out this help\n",
+ basename(v),
+ basename(v)
+ );
- exit(EXIT_SUCCESS);
+ exit(EXIT_SUCCESS);
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-05-07 2:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-05-07 2:21 [gentoo-commits] proj/elfix:master commit in: src/, /, poc/ Anthony G. Basile
-- strict thread matches above, loose matches on Subject: below --
2011-05-06 2:43 Anthony G. Basile
2011-05-05 23:50 Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox