commit:     5bd65cd07e1d72c1a5e3cb12453ac2077425842e
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 27 00:02:44 2016 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Aug 27 23:17:45 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bd65cd0

pax-utils.eclass: do not attempt to create/convert a PT_PAX_FLAGS program header

Support for the creation of PT_PAX_FLAGS program headers in ELF objects is being
dropped in >=sys-devel/binutils-2.26.1.  Running paxctl -C or -c either to create
a PT_PAX_FLAGS header or to convert a PT_GNU_STACK header on such ELF objects
results in broken executables.  For backwards compatibility we continue to support
PT_PAX_FLAGS markings with paxctl but remove these unsafe methods from the eclass.

Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=590422

 eclass/pax-utils.eclass | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 9ed1170..137f3efe 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
@@ -6,8 +6,8 @@
 # @MAINTAINER:
 # The Gentoo Linux Hardened Team <harde...@gentoo.org>
 # @AUTHOR:
-# Original Author: Kevin F. Quinn <kevqu...@gentoo.org>
-# Modifications for bugs #365825, #431092, #520198, @ ECLASS markup: Anthony 
G. Basile <bluen...@gentoo.org>
+# Author: Kevin F. Quinn <kevqu...@gentoo.org>
+# Author: Anthony G. Basile <bluen...@gentoo.org>
 # @BLURB: functions to provide PaX markings for hardened kernels
 # @DESCRIPTION:
 #
@@ -77,16 +77,14 @@ pax-mark() {
                # _pax_list_files einfo "$@"
                for f in "$@"; do
 
-                       # First try paxctl -> this might try to create/convert 
program headers.
+                       # First try paxctl
                        if type -p paxctl >/dev/null; then
                                einfo "PT_PAX marking -${flags} ${f} with 
paxctl"
-                               # First, try modifying the existing PAX_FLAGS 
header.
+                               # We try modifying the existing PT_PAX_FLAGS 
header.
                                paxctl -q${flags} "${f}" >/dev/null 2>&1 && 
continue
-                               # Second, try creating a PT_PAX header (works 
on ET_EXEC).
-                               # Even though this is less safe, most exes need 
it. #463170
-                               paxctl -qC${flags} "${f}" >/dev/null 2>&1 && 
continue
-                               # Third, try stealing the (unused under PaX) 
PT_GNU_STACK header
-                               paxctl -qc${flags} "${f}" >/dev/null 2>&1 && 
continue
+                               # We no longer try to create/convert a 
PT_PAX_FLAGS header, bug #590422
+                               # paxctl -qC${flags} "${f}" >/dev/null 2>&1 && 
continue
+                               # paxctl -qc${flags} "${f}" >/dev/null 2>&1 && 
continue
                        fi
 
                        # Next try paxctl-ng -> this will not create/convert 
any program headers.
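Review bot: The two commented-out `paxctl -qC${flags}` and `paxctl -qc${flags}` lines left at the end of the paxctl branch keep the unsafe create/convert calls one uncomment away. I would delete them and keep a single explanatory comment, for example `# Never create (-C) or convert (-c) a PT_PAX_FLAGS header: this breaks ELF objects built with >=sys-devel/binutils-2.26.1, bug #590422`. With the fallbacks gone, a file that lacks a PT_PAX_FLAGS header makes the remaining `paxctl -q${flags} "${f}"` call fail with its output discarded by `>/dev/null 2>&1`, after the `einfo` line has already announced the marking. Whether that failure is reported later cannot be seen here, because the `for` loop and the rest of pax-mark continue outside the hunk. If it is not reported, the file ends up without the requested marking and nothing in the build log says so.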
