author | Anthony G. Basile <blueness@gentoo.org> | 2014-08-30 14:06:04 +0000 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-08-30 14:06:04 +0000 |
commit | a7fd911681dc6e95cdcf8324ddf80dd2fca8327b (patch) | |
tree | 0554de323f4aa7d6278161db2d78bdda5c58ab89 /eclass | |
parent | Version bump for 1.19.x, 1.22.x and 1.23.x (security bug #518608). Drop vulne... (diff) | |
Update pax-utils.eclass according to bug #520198
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/ChangeLog | 5 | ||||
-rw-r--r-- | eclass/pax-utils.eclass | 117 |
2 files changed, 49 insertions, 73 deletions
diff --git a/eclass/ChangeLog b/eclass/ChangeLog
index 915ba61a418a..3dd6c83ef073 100644
--- a/eclass/ChangeLog
+++ b/eclass/ChangeLog
@@ -1,6 +1,9 @@
 # ChangeLog for eclass directory
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/ChangeLog,v 1.1360 2014/08/29 23:38:05 pesa Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/ChangeLog,v 1.1361 2014/08/30 14:06:04 blueness Exp $
+
+ 30 Aug 2014; Anthony G. Basile <blueness@gentoo.org> pax-utils.eclass:
+ Update pax-utils.eclass according to bug #520198
 30 Aug 2014; Davide Pesavento <pesa@gentoo.org> +qt5-build.eclass:
 Initial commit of qt5-build.eclass
diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 719e15bdfe24..68d954e93750 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,14 +1,13 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.22 2014/07/11 08:21:58 ulm Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/pax-utils.eclass,v 1.23 2014/08/30 14:06:04 blueness Exp $
 # @ECLASS: pax-utils.eclass
 # @MAINTAINER:
 # The Gentoo Linux Hardened Team <hardened@gentoo.org>
 # @AUTHOR:
 # Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
-# Modifications for bug #365825, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
-# Modifications for bug #431092: Anthony G. Basile <blueness@gentoo.org>
+# Modifications for bugs #365825, #431092, #520198, @ ECLASS markup: Anthony G. Basile <blueness@gentoo.org>
 # @BLURB: functions to provide pax markings
 # @DESCRIPTION:
 #
@@ -56,8 +55,6 @@ pax-mark() {
 local f # loop over paxables
 local flags # pax flags
- local pt_fail=0 pt_failures="" # record PT_PAX failures
- local xt_fail=0 xt_failures="" # record xattr PAX marking failures
 local ret=0 # overal return code of this function
 # Only the actual PaX flags and z are accepted
@@ -75,12 +72,12 @@ pax-mark() {
 [[ "${flags//[!z]}" ]] && dodefault="yes"
 if has PT ${PAX_MARKINGS}; then
+ _pax_list_files einfo "$@"
+ for f in "$@"; do
- #First try paxctl -> this might try to create/convert program headers
- if type -p paxctl > /dev/null; then
- einfo "PT PaX marking -${flags} with paxctl"
- _pax_list_files einfo "$@"
- for f in "$@"; do
+ #First try paxctl -> this might try to create/convert program headers
+ if type -p paxctl > /dev/null; then
+ einfo "PT PaX marking -${flags} ${f} with paxctl"
 # First, try modifying the existing PAX_FLAGS header
 paxctl -q${flags} "${f}" && continue
 # Second, try creating a PT_PAX header (works on ET_EXEC)
@@ -88,81 +85,57 @@ pax-mark() {
 paxctl -qC${flags} "${f}" && continue
 # Third, try stealing the (unused under PaX) PT_GNU_STACK header
 paxctl -qc${flags} "${f}" && continue
- pt_fail=1
- pt_failures="${pt_failures} ${f}"
- done
-
- #Next try paxctl-ng -> this will not create/convert any program headers
- elif type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
- einfo "PT PaX marking -${flags} with paxctl-ng"
- flags="${flags//z}"
- _pax_list_files einfo "$@"
- for f in "$@"; do
+ fi
+
+ #Next try paxctl-ng -> this will not create/convert any program headers
+ if type -p paxctl-ng > /dev/null && paxctl-ng -L ; then
+ einfo "PT PaX marking -${flags} ${f} with paxctl-ng"
+ flags="${flags//z}"
 [[ ${dodefault} == "yes" ]] && paxctl-ng -L -z "${f}"
 [[ "${flags}" ]] || continue
 paxctl-ng -L -${flags} "${f}" && continue
- pt_fail=1
- pt_failures="${pt_failures} ${f}"
- done
-
- #Finally fall back on scanelf
- elif type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
- einfo "Fallback PaX marking -${flags} with scanelf"
- _pax_list_files einfo "$@"
- scanelf -Xxz ${flags} "$@"
-
- #We failed to set PT_PAX flags
- elif [[ ${PAX_MARKINGS} != "none" ]]; then
- pt_failures="$*"
- pt_fail=1
- fi
-
- if [[ ${pt_fail} == 1 ]]; then
- elog "Failed to set PT_PAX markings -${flags} for:"
- _pax_list_files elog ${pt_failures}
- ret=1
- fi
+ fi
+
+ #Finally fall back on scanelf
+ if type -p scanelf > /dev/null && [[ ${PAX_MARKINGS} != "none" ]]; then
+ ewarn "Fallback PaX marking -${flags} with scanelf"
+ ewarn "Please check that PaX marking worked"
+ scanelf -Xxz ${flags} "$f"
+ #We failed to set PT_PAX flags
+ elif [[ ${PAX_MARKINGS} != "none" ]]; then
+ elog "Failed to set PT_PAX markings -${flags} ${f}."
+ ret=1
+ fi
+ done
 fi
 if has XT ${PAX_MARKINGS}; then
-
+ _pax_list_files einfo "$@"
 flags="${flags//z}"
+ for f in "$@"; do
- #First try paxctl-ng
- if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
- einfo "XT PaX marking -${flags} with paxctl-ng"
- _pax_list_files einfo "$@"
- for f in "$@"; do
+ #First try paxctl-ng
+ if type -p paxctl-ng > /dev/null && paxctl-ng -l ; then
+ einfo "XT PaX marking -${flags} ${f} with paxctl-ng"
 [[ ${dodefault} == "yes" ]] && paxctl-ng -d "${f}"
 [[ "${flags}" ]] || continue
 paxctl-ng -l -${flags} "${f}" && continue
- xt_fail=1
- xt_failures="${tx_failures} ${f}"
- done
-
- #Next try setfattr
- elif type -p setfattr > /dev/null; then
- [[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150
- einfo "XT PaX marking -${flags} with setfattr"
- _pax_list_files einfo "$@"
- for f in "$@"; do
+ fi
+
+ #Next try setfattr
+ if type -p setfattr > /dev/null; then
+ [[ "${flags//[!Ee]}" ]] || flags+="e" # bug 447150
+ einfo "XT PaX marking -${flags} ${f} with setfattr"
 [[ ${dodefault} == "yes" ]] && setfattr -x "user.pax.flags" "${f}"
 setfattr -n "user.pax.flags" -v "${flags}" "${f}" && continue
- xt_fail=1
- xt_failures="${tx_failures} ${f}"
- done
-
- #We failed to set XATTR_PAX flags
- elif [[ ${PAX_MARKINGS} != "none" ]]; then
- xt_failures="$*"
- xt_fail=1
- fi
-
- if [[ ${xt_fail} == 1 ]]; then
- elog "Failed to set XATTR_PAX markings -${flags} for:"
- _pax_list_files elog ${xt_failures}
- ret=1
- fi
+ fi
+
+ #We failed to set XATTR_PAX flags
+ if [[ ${PAX_MARKINGS} != "none" ]]; then
+ elog "Failed to set XATTR_PAX markings -${flags} ${f}."
+ ret=1
+ fi
+ done
 fi
 # [[ ${ret} == 1 ]] && elog "Executables may be killed by PaX kernels."
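Review bot: In the PT block, `flags="${flags//z}"` inside the paxctl-ng branch now executes within the per-file loop, so as soon as one file falls through paxctl to paxctl-ng the `z` is dropped from the shared `flags` and every later iteration's paxctl attempts (`paxctl -q${flags}`, `-qC${flags}`, `-qc${flags}`) and scanelf fallback run without it; before this change paxctl and paxctl-ng were exclusive `elif` arms, so the in-place strip could not leak across files. Strip into a loop-local copy instead: `local ptflags=${flags//z}`, `[[ "${ptflags}" ]] || continue`, `paxctl-ng -L -${ptflags} "${f}" && continue`. Separately, the scanelf fallback's exit status is never examined, so if scanelf reports a failed marking through its status, `ret` stays 0 and the caller sees success despite the new ewarn; `scanelf -Xxz ${flags} "$f" || ret=1` would surface it. pax-mark() begins before this hunk and the hunk ends at the function's closing lines.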