public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Review for patch to pax-utils.eclass
@ 2016-08-27  0:22 Anthony G. Basile
From: Anthony G. Basile @ 2016-08-27  0:22 UTC
  To: Gentoo Development


I'd like to commit the following change to the pax-utils.eclass to
address bug #590422.  I'm submitting it to the list for review.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

[-- Attachment #2: pax-utils-safe-paxctl.patch --]

commit 6dcad31d0a6558eb70f5c46689fe4d4246d80bb1
Author: Anthony G. Basile <blueness@gentoo.org>
Date:   Fri Aug 26 20:02:44 2016 -0400

    pax-utils.eclass: do not attempt to create/convert a PT_PAX_FLAGS program header
    
    Support for the creation of PT_PAX_FLAGS program headers in ELF objects is being
    dropped in >=sys-devel/binutils-2.26.1.  Running paxctl -C or -c either to create
    a PT_PAX_FLAGS header or to convert a PT_GNU_STACK header on such ELF objects
    results in broken executables.  For backwards compatibility we continue to support
    PT_PAX_FLAGS markings with paxctl but remove these unsafe methods from the eclass.
    
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=590422

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 9ed1170..386a7f6 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
@@ -6,8 +6,8 @@
 # @MAINTAINER:
 # The Gentoo Linux Hardened Team <hardened@gentoo.org>
 # @AUTHOR:
-# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
-# Modifications for bugs #365825, #431092, #520198, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
+# Author: Kevin F. Quinn <kevquinn@gentoo.org>
+# Author: Anthony G. Basile <blueness@gentoo.org>
 # @BLURB: functions to provide PaX markings for hardened kernels
 # @DESCRIPTION:
 #
@@ -82,11 +82,9 @@ pax-mark() {
 				einfo "PT_PAX marking -${flags} ${f} with paxctl"
 				# First, try modifying the existing PAX_FLAGS header.
 				paxctl -q${flags} "${f}" >/dev/null 2>&1 && continue
-				# Second, try creating a PT_PAX header (works on ET_EXEC).
-				# Even though this is less safe, most exes need it. #463170
-				paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
-				# Third, try stealing the (unused under PaX) PT_GNU_STACK header
-				paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
+				# We no longer try to create or convert a PT_PAX header, bug #590422
+				# paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
+				# paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
 			fi
 
 			# Next try paxctl-ng -> this will not create/convert any program headers.
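Review bot: the behavioural change is wider than the commit message states. With `paxctl -qC${flags}` and `paxctl -qc${flags}` removed, an ELF object that has no PT_PAX_FLAGS header fails the one remaining `paxctl -q${flags} "${f}"` call and falls through to the paxctl-ng branch, which per the existing comment on the last context line "will not create/convert any program headers", so such objects will no longer receive PT_PAX markings from this eclass at all. That is the intended trade-off against producing broken executables, but the commit message should say so explicitly so package maintainers know to expect it. Two smaller points: prefer deleting the two old `paxctl` lines rather than leaving them commented out, since the `bug #590422` comment already documents the removal and git history keeps the code; and the `einfo "PT_PAX marking -${flags} ${f} with paxctl"` on the first context line is still printed even when the single remaining paxctl call fails, which reads as a successful marking now that no further paxctl attempt follows.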
