[gentoo-dev] Proposed update to pax-utils.eclass

[gentoo-dev] Proposed update to pax-utils.eclass

[Anthony G. Basile]

Hi everyone,

The hardened team has been working on getting PaX markings moved to 
Extended Attributes rather then putting them in a program header of the 
ELF binaries [1].  The motivation here is that this is a generally safer 
way of doing PaX markings since mangling an ELF binary can break things [2].

The last step in the process is getting an eclass on the tree which does 
both xattr as well as elf phdr based PaX markings.  We've been testing 
one for a while and we think we've clobbered all the bugs. The eclass 
deviates significantly from the one on the tree, so a I'm not sure a 
diff is the best way to present it.  The current version is on the 
hardened-dev overay [3].  It also makes use of a new utility called 
paxctl-ng which does what paxctl did but also with xattr [4].

You may want to look at some documentation too.  A updated discussion of 
PaX which includes xattr stuff is at [5].  A migration guide is at [6].

Please review.  We are in no rush to get this done, so if you find bugs 
or have concerns, add blockers to the tracker [1].


Ref.

[1] https://bugs.gentoo.org/show_bug.cgi?id=427888

[2] eg skype, https://bugs.gentoo.org/show_bug.cgi?id=461668

[3] 
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f

[4] This is part of the sys-apps/elfix package.  The repo is at 
http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary

[5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

[6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

Re: [gentoo-dev] Proposed update to pax-utils.eclass

[Anthony G. Basile]

On 03/17/2013 08:19 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> The hardened team has been working on getting PaX markings moved to 
> Extended Attributes rather then putting them in a program header of 
> the ELF binaries [1].  The motivation here is that this is a generally 
> safer way of doing PaX markings since mangling an ELF binary can break 
> things [2].
>
> The last step in the process is getting an eclass on the tree which 
> does both xattr as well as elf phdr based PaX markings. We've been 
> testing one for a while and we think we've clobbered all the bugs. The 
> eclass deviates significantly from the one on the tree, so a I'm not 
> sure a diff is the best way to present it. The current version is on 
> the hardened-dev overay [3].  It also makes use of a new utility 
> called paxctl-ng which does what paxctl did but also with xattr [4].
>
> You may want to look at some documentation too.  A updated discussion 
> of PaX which includes xattr stuff is at [5].  A migration guide is at 
> [6].
>
> Please review.  We are in no rush to get this done, so if you find 
> bugs or have concerns, add blockers to the tracker [1].
>
>
> Ref.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=427888
>
> [2] eg skype, https://bugs.gentoo.org/show_bug.cgi?id=461668
>
> [3] 
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f
>
> [4] This is part of the sys-apps/elfix package.  The repo is at 
> http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
>
> [5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
>
> [6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml
>
>

Last call, does anyone have a problem with me updating the 
pax-utils.eclass?  See Ref [3] above for the code.  I'll wait a couple 
more days and then do it.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

Re: [gentoo-dev] Proposed update to pax-utils.eclass

[Gilles Dartiguelongue]

Le dimanche 24 mars 2013 à 20:20 -0400, Anthony G. Basile a écrit :
> Last call, does anyone have a problem with me updating the 
> pax-utils.eclass?  See Ref [3] above for the code.  I'll wait a couple 
> more days and then do it.

looks like last conditional branch for XT marking in pax-mark function
is not using the proper variables (pt_* instead ot xt_*).

The PAX_MARKINGS variable is not documented with eclass documentation
markup, it should at least get an "@INTERNAL" if this is not supposed to
be modified by eclass users.

_pax_list_files can receive documentation this way as well.

You should probably try to avoid mixing [[ ]] and [ ] in the eclass. [ ]
seems to be less used here so just have everything [[ ]] and drop the
useless quoting that came with [ ].

The rest looks fine.

-- 
Gilles Dartiguelongue <eva@gentoo.org>
Gentoo

Re: [gentoo-dev] Proposed update to pax-utils.eclass

[Alec Warner]

On Wed, Mar 27, 2013 at 5:39 AM, Gilles Dartiguelongue <eva@gentoo.org> wrote:
> Le dimanche 24 mars 2013 à 20:20 -0400, Anthony G. Basile a écrit :
>> Last call, does anyone have a problem with me updating the
>> pax-utils.eclass?  See Ref [3] above for the code.  I'll wait a couple
>> more days and then do it.
>
> looks like last conditional branch for XT marking in pax-mark function
> is not using the proper variables (pt_* instead ot xt_*).
>
> The PAX_MARKINGS variable is not documented with eclass documentation
> markup, it should at least get an "@INTERNAL" if this is not supposed to
> be modified by eclass users.
>
> _pax_list_files can receive documentation this way as well.
>
> You should probably try to avoid mixing [[ ]] and [ ] in the eclass. [ ]
> seems to be less used here so just have everything [[ ]] and drop the
> useless quoting that came with [ ].

You should never use [ in the tree.

-A

>
> The rest looks fine.
>
> --
> Gilles Dartiguelongue <eva@gentoo.org>
> Gentoo
>
>