Module Name: src Committed By: rin Date: Fri Jun 23 01:56:21 UTC 2023
Modified Files: src/usr.sbin/paxctl: paxctl.8 paxctl.c Log Message: paxctl(8): Introduce -0 option to clear all PaX flag bits in ELF note. Part of PR toolchain/52675 To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/usr.sbin/paxctl/paxctl.8 cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/paxctl/paxctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/paxctl/paxctl.8
diff -u src/usr.sbin/paxctl/paxctl.8:1.16 src/usr.sbin/paxctl/paxctl.8:1.17
--- src/usr.sbin/paxctl/paxctl.8:1.16 Tue Nov 8 08:21:52 2016
+++ src/usr.sbin/paxctl/paxctl.8 Fri Jun 23 01:56:21 2023
@@ -1,4 +1,4 @@
-.\" $NetBSD: paxctl.8,v 1.16 2016/11/08 08:21:52 wiz Exp $
+.\" $NetBSD: paxctl.8,v 1.17 2023/06/23 01:56:21 rin Exp $
 .\"
 .\" Copyright 2006 Elad Efrat <e...@netbsd.org>
 .\" Copyright 2008 Christos Zoulas <chris...@netbsd.org>
@@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 7, 2016
+.Dd June 23, 2023
 .Dt PAXCTL 8
 .Os
 .Sh NAME
@@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Ar flags
+.Op -0 | flags
 .Ar program ...
 .Sh DESCRIPTION
 The
@@ -44,7 +44,10 @@ can be found in the
 .Xr security 7
 manpage.
 .Pp
-Each flag can be prefixed either with a
+If
+.Fl 0
+option is specified, all PaX flags (including reserved bits) are cleared.
+Otherwise, each flag can be prefixed either with a
 .Dq +
 or a
 .Dq -
Index: src/usr.sbin/paxctl/paxctl.c
diff -u src/usr.sbin/paxctl/paxctl.c:1.12 src/usr.sbin/paxctl/paxctl.c:1.13
--- src/usr.sbin/paxctl/paxctl.c:1.12 Tue Oct 27 16:27:47 2009
+++ src/usr.sbin/paxctl/paxctl.c Fri Jun 23 01:56:21 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $ */
+/* $NetBSD: paxctl.c,v 1.13 2023/06/23 01:56:21 rin Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
@@ -34,7 +34,7 @@
 #include <sys/cdefs.h>
 #ifndef lint
 #ifdef __RCSID
-__RCSID("$NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $");
+__RCSID("$NetBSD: paxctl.c,v 1.13 2023/06/23 01:56:21 rin Exp $");
 #endif
 #endif /* not lint */
@@ -98,7 +98,8 @@ static const struct paxflag {
 static void
 usage(void)
 {
- (void)fprintf(stderr, "Usage: %s [ <-|+><A|a|G|g|M|m> ] <file> ...\n",
+ (void)fprintf(stderr,
+ "Usage: %s [ -0 | <-|+><A|a|G|g|M|m> ] <file> ...\n",
 #if HAVE_NBTOOL_CONFIG_H
 "paxctl"
 #else
@@ -165,7 +166,7 @@ pax_printflags(const char *name, int man
 static int
 process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
- int list, int many)
+ int clear, int list, int many)
 {
 union {
 Elf32_Ehdr h32;
@@ -279,8 +280,12 @@ process_one(const char *name, uint32_t a
 break;
 }
- pax_tag.flags |= SWAP(add_flags);
- pax_tag.flags &= SWAP(~del_flags);
+ if (clear) {
+ pax_tag.flags = 0;
+ } else {
+ pax_tag.flags |= SWAP(add_flags);
+ pax_tag.flags &= SWAP(~del_flags);
+ }
 if (!pax_flags_sane(SWAP(pax_tag.flags))) {
 warnx("New flags 0x%x don't make sense",
@@ -315,7 +320,7 @@ int
 main(int argc, char **argv)
 {
 char *opt;
- int i, list = 0, bad = 0, many, minus;
+ int i, clear = 0, list = 0, bad = 0, many, minus;
 uint32_t add_flags = 0, del_flags = 0;
 setprogname(argv[0]);
@@ -326,6 +331,11 @@ main(int argc, char **argv)
 for (i = 1; i < argc; i++) {
 opt = argv[i];
+ if (strcmp(opt, "-0") == 0) {
+ clear = 1;
+ continue;
+ }
+
 if (*opt == '-' || *opt == '+') {
 uint32_t t;
 minus = 0;
@@ -361,15 +371,21 @@ main(int argc, char **argv)
 if (i == argc)
 usage();
- if (add_flags || del_flags) {
- if (list)
- usage();
- } else
+ switch ((add_flags != 0 || del_flags != 0) + clear) {
+ case 0:
 list = 1;
+ break;
+ case 1:
+ break;
+ default:
+ usage();
+ }
 many = i != argc - 1;
- for (; i < argc; i++)
- bad |= process_one(argv[i], add_flags, del_flags, list, many);
+ for (; i < argc; i++) {
+ bad |= process_one(argv[i], add_flags, del_flags,
+ clear, list, many);
+ }
 return bad ? EXIT_FAILURE : 0;
 }
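Review bot: The `pax_tag.flags = 0` branch in process_one has no comment saying that it wipes explicit enables as well as explicit disables, which is the security-relevant effect of `-0`. Going by the upper- and lower-case letters in the usage string, a binary that had a protection forced on would presumably fall back to the system-wide default after `-0`; that reading rests on paxctl's flag model and is not visible in this hunk. I would add above the branch `/* -0: drop every bit, explicit enables included; the image then follows the system defaults */`. process_one starts and ends outside the hunk.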
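Review bot: The mode check `switch ((add_flags != 0 || del_flags != 0) + clear)` in main counts modes by adding two truth values, which is correct only while `clear` is exactly 0 or 1 and takes a second read to follow. process_one ignores add_flags and del_flags once clear is set, so this switch is the only place that rejects `-0` combined with `+`/`-` flags and it deserves to be explicit: `if (clear && (add_flags || del_flags)) usage();` followed by `if (!clear && !add_flags && !del_flags) list = 1;`. If the switch stays, a one-line comment such as `/* exactly one of: list, modify, clear */` would do. main's body begins outside this hunk.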