-rw-r--r-- | sys-apps/gradm/ChangeLog | 9 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.2.1 | 2 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.4 | 2 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.5 | 2 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.6 | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm-1.6-chpax.c | 335 | ||||
-rw-r--r-- | sys-apps/gradm/gradm-1.2.1.ebuild | 40 | ||||
-rw-r--r-- | sys-apps/gradm/gradm-1.4.ebuild | 43 | ||||
-rw-r--r-- | sys-apps/gradm/gradm-1.6.ebuild (renamed from sys-apps/gradm/gradm-1.5.ebuild) | 26 |
9 files changed, 354 insertions, 106 deletions
diff --git a/sys-apps/gradm/ChangeLog b/sys-apps/gradm/ChangeLog index 9e0d5dd761e0..375960471d2e 100644 --- a/sys-apps/gradm/ChangeLog +++ b/sys-apps/gradm/ChangeLog @@ -1,9 +1,12 @@ # ChangeLog for sys-apps/gradm # Copyright 2002 Gentoo Technologies, Inc.; Distributed under the GPL -# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.10 2002/12/17 19:46:53 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/ChangeLog,v 1.11 2003/01/14 06:16:34 vapier Exp $ + +*gradm-1.6 (13 Jan 2003) + + 13 Jan 2003; Mike Frysinger <vapier@gentoo.org> : + Version bump - 06 Dec 2002; Rodney Rees <manson@gentoo.org> : changed sparc ~sparc keywords - *gradm-1.5a (28 Oct 2002) 28 Oct 2002; Mike Frysinger <vapier@gentoo.org> : diff --git a/sys-apps/gradm/files/digest-gradm-1.2.1 b/sys-apps/gradm/files/digest-gradm-1.2.1 deleted file mode 100644 index 708b71ab7204..000000000000 --- a/sys-apps/gradm/files/digest-gradm-1.2.1 +++ /dev/null @@ -1,2 +0,0 @@ -MD5 c01a10eecf430eb4a58180900b37903a gradm-1.2.1.tar.gz 41602 -MD5 618ddb3d563f4e3cbfb13c9c770dd99c chpax.c 4776 diff --git a/sys-apps/gradm/files/digest-gradm-1.4 b/sys-apps/gradm/files/digest-gradm-1.4 deleted file mode 100644 index 9677c4a04b8f..000000000000 --- a/sys-apps/gradm/files/digest-gradm-1.4 +++ /dev/null @@ -1,2 +0,0 @@ -MD5 56e892fc50ca1fe0348712e849bb2e82 gradm-1.4.tar.gz 19382 -MD5 618ddb3d563f4e3cbfb13c9c770dd99c chpax.c 4776 diff --git a/sys-apps/gradm/files/digest-gradm-1.5 b/sys-apps/gradm/files/digest-gradm-1.5 deleted file mode 100644 index abb10ec69054..000000000000 --- a/sys-apps/gradm/files/digest-gradm-1.5 +++ /dev/null @@ -1,2 +0,0 @@ -MD5 9c4a4a81a7e8974a902fdf6a2ecbdb1e gradm-1.5.tar.gz 27323 -MD5 618ddb3d563f4e3cbfb13c9c770dd99c chpax.c 4776 diff --git a/sys-apps/gradm/files/digest-gradm-1.6 b/sys-apps/gradm/files/digest-gradm-1.6 new file mode 100644 index 000000000000..d5911cc297de --- /dev/null +++ b/sys-apps/gradm/files/digest-gradm-1.6 
@@ -0,0 +1 @@
+MD5 7f1eacca4c0be8a1e5c088a38c249d32 gradm-1.6.tar.gz 29934
diff --git a/sys-apps/gradm/files/gradm-1.6-chpax.c b/sys-apps/gradm/files/gradm-1.6-chpax.c
new file mode 100644
index 000000000000..9dd3dd880e36
--- /dev/null
+++ b/sys-apps/gradm/files/gradm-1.6-chpax.c
@@ -0,0 +1,335 @@
+/*
+ * This program manages various PaX related flags for ELF and a.out binaries.
+ * The flags only have effect when running the patched Linux kernel.
+ *
+ * Written by Solar Designer and placed in the public domain.
+ *
+ * Adapted to PaX by the PaX Team
+ *
+ * Nov 10 2002 : Added multi{options,files} cmdline, zeroflag, nicer output
+ * (+ double output if flags are changed and -v is specified), more error
+ * handling.
+ *
+ * Dec 11 2002 : Explicit error messages and return value, even more
+ * error handling . (-jv)
+ *
+ */
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <linux/elf.h>
+#include <linux/a.out.h>
+
+#define HF_PAX_PAGEEXEC 1 /* 0: Paging based non-exec pages */
+#define HF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */
+#define HF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */
+#define HF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */
+#define HF_PAX_RANDEXEC 16 /* 1: Randomize ET_EXEC base */
+#define HF_PAX_SEGMEXEC 32 /* 0: Segmentation based non-exec pages */
+
+#define XCLOSE(fd) \
+do \
+{ \
+ if (close(fd)) \
+ perror("close"); \
+} \
+while (0)
+
+static struct elf32_hdr header_elf;
+static struct exec header_aout;
+static void *header;
+static int header_size;
+static int fd;
+
+static unsigned long (*get_flags)();
+static void (*put_flags)(unsigned long);
+
+
+static void print_flags(unsigned long flags)
+{
+ printf(" * Paging based PAGE_EXEC : %s \n"
+ " * Trampolines : %s \n"
+ " * mprotect() : %s \n"
+ " * mmap() base : %s \n"
+ " * ET_EXEC base : %s \n"
+ " * Segmentation based PAGE_EXEC : %s \n",
+ flags & HF_PAX_PAGEEXEC
+ ? "disabled" : flags & HF_PAX_SEGMEXEC ? "enabled" : "enabled (overridden)",
+ flags & HF_PAX_EMUTRAMP
+ ? "emulated" : "not emulated",
+ flags & HF_PAX_MPROTECT
+ ? "not restricted" : "restricted",
+ flags & HF_PAX_RANDMMAP
+ ? "not randomized" : "randomized",
+ flags & HF_PAX_RANDEXEC
+ ? "randomized" : "not randomized",
+ flags & HF_PAX_SEGMEXEC
+ ? "disabled" : "enabled");
+}
+
+static unsigned long get_flags_elf()
+{
+ return (header_elf.e_flags);
+}
+
+static void put_flags_elf(unsigned long flags)
+{
+ header_elf.e_flags = flags;
+}
+
+static unsigned long get_flags_aout()
+{
+ return (N_FLAGS(header_aout));
+}
+
+static void put_flags_aout(unsigned long flags)
+{
+ N_SET_FLAGS(header_aout, flags & ~HF_PAX_RANDMMAP);
+}
+
+static int read_header(char *name, int mode)
+{
+ char *ptr;
+ int size;
+ int block;
+
+ if ((fd = open(name, mode)) < 0)
+ return 1;
+
+ ptr = (char *) &header_elf;
+ size = sizeof (header_elf);
+
+ do
+ {
+ block = read(fd, ptr, size);
+ if (block <= 0)
+ return (block ? 1 : 2);
+ ptr += block; size -= block;
+ }
+ while (size > 0);
+
+ memcpy(&header_aout, &header_elf, sizeof(header_aout));
+
+ if (!strncmp(header_elf.e_ident, ELFMAG, SELFMAG))
+ {
+ if (header_elf.e_type != ET_EXEC && header_elf.e_type != ET_DYN)
+ return 2;
+ if (header_elf.e_machine != EM_386)
+ return 3;
+ header = &header_elf;
+ header_size = sizeof(header_elf);
+ get_flags = get_flags_elf;
+ put_flags = put_flags_elf;
+ }
+
+ else if (N_MAGIC(header_aout) == NMAGIC ||
+ N_MAGIC(header_aout) == ZMAGIC ||
+ N_MAGIC(header_aout) == QMAGIC)
+ {
+ if (N_MACHTYPE(header_aout) != M_386)
+ return 3;
+ header = &header_aout;
+ header_size = 4;
+ get_flags = get_flags_aout;
+ put_flags = put_flags_aout;
+ }
+
+ else
+ return (2);
+
+ return (0);
+}
+
+int write_header()
+{
+ char *ptr;
+ int size;
+ int block;
+
+ if (lseek(fd, 0, SEEK_SET))
+ return 1;
+
+ ptr = (char *) header;
+ size = header_size;
+
+ do
+ {
+ block = write(fd, ptr, size);
+ if (block <= 0)
+ break;
+ ptr += block;
+ size -= block;
+ }
+ while (size > 0);
+
+ return size;
+}
+
+
+#define USAGE \
+"Usage: %s OPTIONS FILE1 FILE2 FILEN ...\n" \
+"Manage PaX flags for binaries\n\n" \
+" -P\tenforce paging based non-executable pages\n" \
+" -p\tdo not enforce paging based non-executable pages\n" \
+" -E\temulate trampolines\n" \
+" -e\tdo not emulate trampolines\n" \
+" -M\trestrict mprotect()\n" \
+" -m\tdo not restrict mprotect()\n" \
+" -R\trandomize mmap() base [ELF only]\n" \
+" -r\tdo not randomize mmap() base [ELF only]\n" \
+" -X\trandomize ET_EXEC base [ELF only]\n" \
+" -x\tdo not randomize ET_EXEC base [ELF only]\n" \
+" -S\tenforce segmentation based non-executable pages\n" \
+" -s\tdo not enforce segmentation based non-executable pages\n" \
+" -v\tview current flag mask \n" \
+" -z\tzero flag mask (next flags still apply)\n\n" \
+"The flags only have effect when running the patched Linux kernel.\n"
+
+
+void usage(char *name)
+{
+ printf(USAGE, (name ? name : "chpax"));
+ exit(1);
+}
+
+unsigned long scan_flags(unsigned long flags, char **argv, int *view)
+{
+ int index;
+
+ for (index = 1; argv[1][index]; index++)
+ switch (argv[1][index])
+ {
+
+ case 'p':
+ flags |= HF_PAX_PAGEEXEC;
+ continue ;
+
+ case 'P':
+ flags = (flags & ~HF_PAX_PAGEEXEC) | HF_PAX_SEGMEXEC;
+ continue ;
+
+ case 'E':
+ flags |= HF_PAX_EMUTRAMP;
+ continue ;
+
+ case 'e':
+ flags = (flags & ~HF_PAX_EMUTRAMP);
+ continue ;
+
+ case 'm':
+ flags |= HF_PAX_MPROTECT;
+ continue ;
+
+ case 'M':
+ flags = (flags & ~HF_PAX_MPROTECT);
+ continue ;
+
+ case 'r':
+ flags |= HF_PAX_RANDMMAP;
+ continue ;
+
+ case 'R':
+ flags = (flags & ~HF_PAX_RANDMMAP);
+ continue ;
+
+ case 'X':
+ flags |= HF_PAX_RANDEXEC;
+ continue ;
+
+ case 'x':
+ flags = (flags & ~HF_PAX_RANDEXEC);
+ continue ;
+
+ case 's':
+ flags |= HF_PAX_SEGMEXEC;
+ continue ;
+
+ case 'S':
+ flags = (flags & ~HF_PAX_SEGMEXEC) | HF_PAX_PAGEEXEC;
+ continue ;
+
+ case 'v':
+ *view = 1;
+ continue ;
+
+ case 'z':
+ flags = 0;
+ continue ;
+
+ default:
+ fprintf(stderr, "Unknown option %c \n", argv[1][index]);
+ usage(argv[0]);
+ }
+
+ return (flags);
+}
+
+
+int main(int argc, char **argv)
+{
+ unsigned long flags;
+ unsigned long aflags;
+ unsigned int index;
+ int mode;
+ char *current;
+ int error = 0;
+ int view = 0;
+
+ if (argc < 3 || argv[1][0] != '-')
+ usage(argv[0]);
+
+ for (index = 2, current = argv[index]; current; current = argv[++index])
+ {
+
+ mode = (argc == 3 && !strcmp(argv[1], "-v") ? O_RDONLY : O_RDWR);
+
+ error = read_header(current, mode);
+ switch (error)
+ {
+ case 1:
+ perror(current);
+ continue ;
+ case 2:
+ fprintf(stderr, "%s: Unknown file type (passed) \n", current);
+ XCLOSE(fd);
+ continue ;
+ case 3:
+ fprintf(stderr, "%s: Wrong architecture (passed) \n", current);
+ XCLOSE(fd);
+ continue ;
+ }
+
+ aflags = get_flags();
+ flags = scan_flags(aflags, argv, &view);
+
+ if (view)
+ {
+ printf("\n----[ Current flags for %s ]---- \n\n", current);
+ print_flags(aflags);
+ puts("");
+ }
+
+ put_flags(flags);
+
+ if (flags != aflags && write_header())
+ {
+ perror(current);
+ error = 4;
+ }
+
+ if (error)
+ fprintf(stderr, "%s : Flags were not updated . \n", current);
+ else if (view && aflags != flags)
+ {
+ printf("\n----[ Updated flags for %s ]---- \n\n", current);
+ print_flags(flags);
+ puts("");
+ }
+
+ XCLOSE(fd);
+ }
+
+ return (error);
+}
diff --git a/sys-apps/gradm/gradm-1.2.1.ebuild b/sys-apps/gradm/gradm-1.2.1.ebuild
deleted file mode 100644
index fa1babbb588a..000000000000
--- a/sys-apps/gradm/gradm-1.2.1.ebuild
+++ /dev/null
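Review bot: A failed read() in read_header leaks the descriptor: `return (block ? 1 : 2);` hands back 1 with fd still open, and main's `case 1:` only calls perror() and continues, because 1 is also what a failed open() returns and fd is not valid in that case. Closing on that path keeps the contract that only codes 2 and 3 leave fd for the caller: `if (block < 0) { XCLOSE(fd); return 1; }` followed by `return 2;` for the short-read case. main also opens every file O_RDWR unless the whole command line is exactly `-v FILE`, so a view-only run over several files requests write access it never uses and fails on files the user can only read; since argv[1] is fixed for the whole run, the mode can be computed once before the loop, e.g. `mode = strspn(argv[1] + 1, "v") == strlen(argv[1] + 1) ? O_RDONLY : O_RDWR;`, and the later `if (flags != aflags && write_header())` already skips the write when nothing changed. usage() calls exit() but the include list has no <stdlib.h>, so exit is implicitly declared; add `#include <stdlib.h>`.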
@@ -1,40 +0,0 @@
-# Copyright 1999-2002 Gentoo Technologies, Inc.
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-1.2.1.ebuild,v 1.9 2002/12/09 04:37:25 manson Exp $
-
-DESCRIPTION="Administratinve interface to grsecurity"
-SRC_URI="http://www.grsecurity.net/gradm-1.2.1.tar.gz
- http://pageexec.virtualave.net/chpax.c"
-HOMEPAGE="http://www.grsecurity.net"
-KEYWORDS="x86 ppc sparc "
-SLOT="0"
-#DEPEND=""
-LICENSE="GPL-2"
-
-src_unpack() {
- unpack ${P}.tar.gz
- cd ${S}
- cp ${DISTDIR}/chpax.c .
-}
-
-src_compile() {
- ./configure || die
- emake || die
- emake chpax || die
-}
-
-src_install() {
- dodir /sbin /etc/grsec /etc/init.d /etc/conf.d /usr/share/man/man8
-
- cp gradm ${D}/sbin
- gzip -9 gradm.8
- cp gradm.8.gz ${D}/usr/share/man/man8
- cp chpax ${D}/sbin
- chmod 0700 ${D}/sbin/*
- cp ${FILESDIR}/grsecurity.rc ${D}/etc/init.d/grsecurity
- chmod 755 ${D}/etc/init.d/*
- cp ${FILESDIR}/grsecurity ${D}/etc/conf.d/grsecurity
- chmod 644 ${D}/etc/conf.d/*
-
- dodoc ChangeLog* INSTALL COPYING
-}
diff --git a/sys-apps/gradm/gradm-1.4.ebuild b/sys-apps/gradm/gradm-1.4.ebuild
deleted file mode 100644
index 405e10adcfb2..000000000000
--- a/sys-apps/gradm/gradm-1.4.ebuild
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 1999-2002 Gentoo Technologies, Inc.
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-1.4.ebuild,v 1.4 2002/10/28 05:53:00 vapier Exp $
-
-DESCRIPTION="Administrative interface to grsecurity"
-SRC_URI="http://www.grsecurity.net/gradm-1.4.tar.gz
- http://pageexec.virtualave.net/chpax.c"
-HOMEPAGE="http://www.grsecurity.net"
-LICENSE="GPL-2"
-KEYWORDS="x86"
-SLOT="0"
-
-DEPEND="sys-devel/bison
- sys-devel/flex"
-RDEPEND=""
-
-S="${WORKDIR}/${PN}"
-
-src_unpack() {
- unpack ${P}.tar.gz
- cd ${S}
- cp ${DISTDIR}/chpax.c .
- mv Makefile Makefile.orig
- sed <Makefile.orig >Makefile \
- -e 's|YACC=/usr/bin/yacc|YACC=/usr/bin/bison|' \
- -e 's|$(YACC) -d|$(YACC) -y -d|'
-}
-
-src_compile() {
- emake || die "compile problem"
- emake chpax || die "compile problem"
-}
-
-src_install() {
- doman gradm.8
- exeinto /etc/init.d
- newexe ${FILESDIR}/grsecurity.rc grsecurity
- insinto /etc/conf.d
- doins ${FILESDIR}/grsecurity
- into /
- dosbin gradm chpax
- chmod 700 ${D}/sbin/gradm ${D}/sbin/chpax
-}
diff --git a/sys-apps/gradm/gradm-1.5.ebuild b/sys-apps/gradm/gradm-1.6.ebuild
index 6845b359510a..e7a9c69ec779 100644
--- a/sys-apps/gradm/gradm-1.5.ebuild
+++ b/sys-apps/gradm/gradm-1.6.ebuild
@@ -1,13 +1,13 @@
 # Copyright 1999-2002 Gentoo Technologies, Inc.
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-1.5.ebuild,v 1.2 2002/10/04 06:25:13 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/gradm-1.6.ebuild,v 1.1 2003/01/14 06:16:34 vapier Exp $
 
 DESCRIPTION="ACL administrative interface to grsecurity"
-SRC_URI="http://www.grsecurity.net/${P}.tar.gz
- http://pageexec.virtualave.net/chpax.c"
+SRC_URI="http://www.grsecurity.net/${P}.tar.gz"
 HOMEPAGE="http://www.grsecurity.net/"
+
 LICENSE="GPL-2"
-KEYWORDS="x86"
+KEYWORDS="~x86"
 SLOT="0"
 
 DEPEND="sys-devel/bison
@@ -17,21 +17,18 @@ RDEPEND="" S="${WORKDIR}/${PN}" src_unpack() { - unpack ${P}.tar.gz + unpack ${A} cd ${S} - cp ${DISTDIR}/chpax.c . + cp ${FILESDIR}/${P}-chpax.c chpax.c - mv Makefile Makefile.orig - sed <Makefile.orig >Makefile \ - -e 's|YACC=/usr/bin/yacc|YACC=/usr/bin/bison|' \ - -e 's|$(YACC) -d|$(YACC) -y -d|' \ - -e "s|-O2|${CFLAGS}|" + mv Makefile{,.orig} + sed -e "s|-O2|${CFLAGS}|" Makefile.orig > Makefile } src_compile() { - emake || die "compile problem" - emake chpax || die "compile problem" + emake CC="${CC}" || die "compile problem" + emake CC="${CC}" chpax || die "compile problem" } src_install() { @@ -43,5 +40,6 @@ src_install() { doins ${FILESDIR}/grsecurity into / dosbin gradm chpax - chmod 700 ${D}/sbin/gradm ${D}/sbin/chpax + fperms 700 /sbin/gradm + fperms 700 /sbin/chpax } |
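Review bot: `sed -e "s|-O2|${CFLAGS}|" Makefile.orig > Makefile` in src_unpack splices the user's CFLAGS into a sed replacement unescaped, so a `|`, `&` or `\` in CFLAGS would silently yield a broken or altered Makefile rather than a build error. Escaping those characters before the substitution, or passing `CFLAGS="${CFLAGS}"` on the emake line in src_compile so make's command-line assignment overrides the hard-coded -O2, avoids rewriting the Makefile at all. The neighbouring `emake CC="${CC}"` likewise overrides the Makefile's CC with an empty string if CC happens to be unset in the build environment; a fallback such as `CC="${CC:-gcc}"` would make that failure mode explicit.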