author | Ned Ludd <solar@gentoo.org> | 2003-06-16 18:37:12 +0000 |
---|---|---|
committer | Ned Ludd <solar@gentoo.org> | 2003-06-16 18:37:12 +0000 |
commit | 422ad296f95d85bd81c2b533c76d46f09b474af0 (patch) | |
tree | 227ee6eeca0a4e725df857b16d8b092c93805bc8 /sys-apps/gradm/files | |
parent | version bump, removed old versions of gradm from portage and old chpax stuff ... (diff) | |
version bump; removed old versions of gradm from portage and the old chpax files from files/; started the process of unmasking gradm for other arches — added ~ppc ~sparc, as these are known to work
Diffstat (limited to 'sys-apps/gradm/files')
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.5a | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.6 | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.7b | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.9.10 | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.9.9g | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/digest-gradm-1.9.9h | 1 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm-1.5a-chpax.c | 244 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm-1.6-chpax.c | 335 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm-1.7b-chpax.c | 335 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm-chpax.c | 335 | ||||
-rw-r--r-- | sys-apps/gradm/files/gradm_parse.c-1.9.x.patch | 13 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity | 3 | ||||
-rw-r--r-- | sys-apps/gradm/files/grsecurity.rc | 38 |
13 files changed, 34 insertions, 1275 deletions
diff --git a/sys-apps/gradm/files/digest-gradm-1.5a b/sys-apps/gradm/files/digest-gradm-1.5a
deleted file mode 100644
index 251d7c6f7f18..000000000000
--- a/sys-apps/gradm/files/digest-gradm-1.5a
+++ /dev/null
@@ -1 +0,0 @@
-MD5 fe58cba7cacdee4c0329914235d4e4ab gradm-1.5a.tar.gz 26954
diff --git a/sys-apps/gradm/files/digest-gradm-1.6 b/sys-apps/gradm/files/digest-gradm-1.6
deleted file mode 100644
index d5911cc297de..000000000000
--- a/sys-apps/gradm/files/digest-gradm-1.6
+++ /dev/null
@@ -1 +0,0 @@
-MD5 7f1eacca4c0be8a1e5c088a38c249d32 gradm-1.6.tar.gz 29934
diff --git a/sys-apps/gradm/files/digest-gradm-1.7b b/sys-apps/gradm/files/digest-gradm-1.7b
deleted file mode 100644
index 2ffc54039d04..000000000000
--- a/sys-apps/gradm/files/digest-gradm-1.7b
+++ /dev/null
@@ -1 +0,0 @@
-MD5 31d6516a43128fdcfcb977f4e9d461c2 gradm-1.7b.tar.gz 30844
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.10 b/sys-apps/gradm/files/digest-gradm-1.9.10
new file mode 100644
index 000000000000..020c9e354be4
--- /dev/null
+++ b/sys-apps/gradm/files/digest-gradm-1.9.10
@@ -0,0 +1 @@
+MD5 cec67e20d3c7780854318e8ed1945334 gradm-1.9.10.tar.gz 37945
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.9g b/sys-apps/gradm/files/digest-gradm-1.9.9g
deleted file mode 100644
index b16017ee8f51..000000000000
--- a/sys-apps/gradm/files/digest-gradm-1.9.9g
+++ /dev/null
@@ -1 +0,0 @@
-MD5 abbe738ad06dae1100c4a984cf9b8702 gradm-1.9.9g.tar.gz 36727
diff --git a/sys-apps/gradm/files/digest-gradm-1.9.9h b/sys-apps/gradm/files/digest-gradm-1.9.9h
deleted file mode 100644
index d6b226712487..000000000000
--- a/sys-apps/gradm/files/digest-gradm-1.9.9h
+++ /dev/null
@@ -1 +0,0 @@
-MD5 7c5dce62271942dc932b2c08848d9163 gradm-1.9.9h.tar.gz 36878
diff --git a/sys-apps/gradm/files/gradm-1.5a-chpax.c b/sys-apps/gradm/files/gradm-1.5a-chpax.c
deleted file mode 100644
index d5482d1c895c..000000000000
--- a/sys-apps/gradm/files/gradm-1.5a-chpax.c
+++ /dev/null
@@ -1,244 +0,0 @@ -/* - * This program manages various PaX related flags for ELF and a.out binaries. - * The flags only have effect when running the patched Linux kernel. - * - * Written by Solar Designer and placed in the public domain. - * - * Adapted to PaX by the PaX Team. - */ - -#include <stdio.h> -#include <string.h> -#include <sys/types.h> -#include <fcntl.h> -#include <unistd.h> -#include <linux/elf.h> -#include <linux/a.out.h> - -#define HF_PAX_PAGEEXEC 1 /* 0: Paging based non-executable pages */ -#define HF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */ -#define HF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */ -#define HF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */ -#define HF_PAX_RANDEXEC 16 /* 1: Randomize ET_EXEC base */ -#define HF_PAX_SEGMEXEC 32 /* 0: Segmentation based non-executable pages */ - -static struct elf32_hdr header_elf; -static struct exec header_aout; -static void *header; -static int header_size; -static int fd; - -static unsigned long (*get_flags)(); -static void (*put_flags)(unsigned long); - -static unsigned long get_flags_elf() -{ - return header_elf.e_flags; -} - -static void put_flags_elf(unsigned long flags) -{ - header_elf.e_flags = flags; -} - -static unsigned long get_flags_aout() -{ - return N_FLAGS(header_aout); -} - -static void put_flags_aout(unsigned long flags) -{ - N_SET_FLAGS(header_aout, flags & ~HF_PAX_RANDMMAP); -} - -static int read_header(char *name, int mode) -{ - char *ptr; - int size, block; - - if ((fd = open(name, mode)) < 0) return 1; - - ptr = (char *)&header_elf; - size = sizeof(header_elf); - do { - block = read(fd, ptr, size); - if (block <= 0) { - close(fd); - return block ? 
1 : 2; - } - ptr += block; size -= block; - } while (size > 0); - - memcpy(&header_aout, &header_elf, sizeof(header_aout)); - - if (!strncmp(header_elf.e_ident, ELFMAG, SELFMAG)) { - if (header_elf.e_type != ET_EXEC && header_elf.e_type != ET_DYN) return 2; - if (header_elf.e_machine != EM_386) return 3; - header = &header_elf; header_size = sizeof(header_elf); - get_flags = get_flags_elf; put_flags = put_flags_elf; - } else - if (N_MAGIC(header_aout) == NMAGIC || - N_MAGIC(header_aout) == ZMAGIC || - N_MAGIC(header_aout) == QMAGIC) { - if (N_MACHTYPE(header_aout) != M_386) return 3; - header = &header_aout; header_size = 4; - get_flags = get_flags_aout; put_flags = put_flags_aout; - } else return 2; - - return 0; -} - -int write_header() -{ - char *ptr; - int size, block; - - if (lseek(fd, 0, SEEK_SET)) return 1; - - ptr = (char *)header; - size = header_size; - do { - block = write(fd, ptr, size); - if (block <= 0) break; - ptr += block; size -= block; - } while (size > 0); - - return size; -} - -#define USAGE \ -"Usage: %s OPTIONS FILE...\n" \ -"Manage PaX flags for binaries\n\n" \ -" -P\tenforce paging based non-executable pages\n" \ -" -p\tdo not enforce paging based non-executable pages\n" \ -" -E\temulate trampolines\n" \ -" -e\tdo not emulate trampolines\n" \ -" -M\trestrict mprotect()\n" \ -" -m\tdo not restrict mprotect()\n" \ -" -R\trandomize mmap() base [ELF only]\n" \ -" -r\tdo not randomize mmap() base [ELF only]\n" \ -" -X\trandomize ET_EXEC base [ELF only]\n" \ -" -x\tdo not randomize ET_EXEC base [ELF only]\n" \ -" -S\tenforce segmentation based non-executable pages\n" \ -" -s\tdo not enforce segmentation based non-executable pages\n" \ -" -v\tview current flag state\n\n" \ -"The flags only have effect when running the patched Linux kernel.\n" - -void usage(char *name) -{ - printf(USAGE, name ? 
name : "chpax"); - exit(1); -} - -int main(int argc, char **argv) -{ - char **current; - unsigned long flags; - int error = 0; - int mode; - - if (argc < 3) usage(argv[0]); - if (strlen(argv[1]) != 2) usage(argv[0]); - if (argv[1][0] != '-' || !strchr("pPeEmMrRxXsSv", argv[1][1])) usage(argv[0]); - - current = &argv[2]; - do { - mode = argv[1][1] == 'v' ? O_RDONLY : O_RDWR; - switch (read_header(*current, mode)) { - case 1: - perror(*current); - error = 1; continue; - - case 2: - printf("%s: Unknown file type\n", *current); - error = 1; continue; - - case 3: - printf("%s: Wrong architecture\n", *current); - error = 1; continue; - } - - flags = get_flags(); - - switch (argv[1][1]) { - case 'p': - put_flags(flags | HF_PAX_PAGEEXEC); - break; - - case 'P': - put_flags((flags & ~HF_PAX_PAGEEXEC)|HF_PAX_SEGMEXEC); - break; - - case 'E': - put_flags(flags | HF_PAX_EMUTRAMP); - break; - - case 'e': - put_flags(flags & ~HF_PAX_EMUTRAMP); - break; - - case 'm': - put_flags(flags | HF_PAX_MPROTECT); - break; - - case 'M': - put_flags(flags & ~HF_PAX_MPROTECT); - break; - - case 'r': - put_flags(flags | HF_PAX_RANDMMAP); - break; - - case 'R': - put_flags(flags & ~HF_PAX_RANDMMAP); - break; - - case 'X': - put_flags(flags | HF_PAX_RANDEXEC); - break; - - case 'x': - put_flags(flags & ~HF_PAX_RANDEXEC); - break; - - case 's': - put_flags(flags | HF_PAX_SEGMEXEC); - break; - - case 'S': - put_flags((flags & ~HF_PAX_SEGMEXEC)|HF_PAX_PAGEEXEC); - break; - - default: - printf("%s: " - "paging based PAGE_EXEC is %s, " - "trampolines are %s, " - "mprotect() is %s, " - "mmap() base is %s, " - "ET_EXEC base is %s, " - "segmentation based PAGE_EXEC is %s\n", *current, - (flags & HF_PAX_PAGEEXEC) || !(flags & HF_PAX_SEGMEXEC) - ? "disabled" : "enabled", - flags & HF_PAX_EMUTRAMP - ? "emulated" : "not emulated", - flags & HF_PAX_MPROTECT - ? "not restricted" : "restricted", - flags & HF_PAX_RANDMMAP - ? "not randomized" : "randomized", - flags & HF_PAX_RANDEXEC - ? 
"randomized" : "not randomized", - flags & HF_PAX_SEGMEXEC - ? "disabled" : "enabled"); - } - - if (flags != get_flags()) - if (write_header()) { - perror(*current); - error = 1; - } - - close(fd); - } while (*++current); - - return error; -} diff --git a/sys-apps/gradm/files/gradm-1.6-chpax.c b/sys-apps/gradm/files/gradm-1.6-chpax.c deleted file mode 100644 index 9dd3dd880e36..000000000000 --- a/sys-apps/gradm/files/gradm-1.6-chpax.c +++ /dev/null 
@@ -1,335 +0,0 @@ -/* - * This program manages various PaX related flags for ELF and a.out binaries. - * The flags only have effect when running the patched Linux kernel. - * - * Written by Solar Designer and placed in the public domain. - * - * Adapted to PaX by the PaX Team - * - * Nov 10 2002 : Added multi{options,files} cmdline, zeroflag, nicer output - * (+ double output if flags are changed and -v is specified), more error - * handling. - * - * Dec 11 2002 : Explicit error messages and return value, even more - * error handling . (-jv) - * - */ -#include <stdio.h> -#include <string.h> -#include <sys/types.h> -#include <fcntl.h> -#include <unistd.h> -#include <linux/elf.h> -#include <linux/a.out.h> - -#define HF_PAX_PAGEEXEC 1 /* 0: Paging based non-exec pages */ -#define HF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */ -#define HF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */ -#define HF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */ -#define HF_PAX_RANDEXEC 16 /* 1: Randomize ET_EXEC base */ -#define HF_PAX_SEGMEXEC 32 /* 0: Segmentation based non-exec pages */ - -#define XCLOSE(fd) \ -do \ -{ \ - if (close(fd)) \ - perror("close"); \ -} \ -while (0) - -static struct elf32_hdr header_elf; -static struct exec header_aout; -static void *header; -static int header_size; -static int fd; - -static unsigned long (*get_flags)(); -static void (*put_flags)(unsigned long); - - -static void print_flags(unsigned long flags) -{ - printf(" * Paging based PAGE_EXEC : %s \n" - " * Trampolines : %s \n" - " * mprotect() : %s \n" - " * mmap() base : %s \n" - " * ET_EXEC base : %s \n" - " * Segmentation based PAGE_EXEC : %s \n", - flags & HF_PAX_PAGEEXEC - ? "disabled" : flags & HF_PAX_SEGMEXEC ? "enabled" : "enabled (overridden)", - flags & HF_PAX_EMUTRAMP - ? "emulated" : "not emulated", - flags & HF_PAX_MPROTECT - ? "not restricted" : "restricted", - flags & HF_PAX_RANDMMAP - ? "not randomized" : "randomized", - flags & HF_PAX_RANDEXEC - ? 
"randomized" : "not randomized", - flags & HF_PAX_SEGMEXEC - ? "disabled" : "enabled"); -} - -static unsigned long get_flags_elf() -{ - return (header_elf.e_flags); -} - -static void put_flags_elf(unsigned long flags) -{ - header_elf.e_flags = flags; -} - -static unsigned long get_flags_aout() -{ - return (N_FLAGS(header_aout)); -} - -static void put_flags_aout(unsigned long flags) -{ - N_SET_FLAGS(header_aout, flags & ~HF_PAX_RANDMMAP); -} - -static int read_header(char *name, int mode) -{ - char *ptr; - int size; - int block; - - if ((fd = open(name, mode)) < 0) - return 1; - - ptr = (char *) &header_elf; - size = sizeof (header_elf); - - do - { - block = read(fd, ptr, size); - if (block <= 0) - return (block ? 1 : 2); - ptr += block; size -= block; - } - while (size > 0); - - memcpy(&header_aout, &header_elf, sizeof(header_aout)); - - if (!strncmp(header_elf.e_ident, ELFMAG, SELFMAG)) - { - if (header_elf.e_type != ET_EXEC && header_elf.e_type != ET_DYN) - return 2; - if (header_elf.e_machine != EM_386) - return 3; - header = &header_elf; - header_size = sizeof(header_elf); - get_flags = get_flags_elf; - put_flags = put_flags_elf; - } - - else if (N_MAGIC(header_aout) == NMAGIC || - N_MAGIC(header_aout) == ZMAGIC || - N_MAGIC(header_aout) == QMAGIC) - { - if (N_MACHTYPE(header_aout) != M_386) - return 3; - header = &header_aout; - header_size = 4; - get_flags = get_flags_aout; - put_flags = put_flags_aout; - } - - else - return (2); - - return (0); -} - -int write_header() -{ - char *ptr; - int size; - int block; - - if (lseek(fd, 0, SEEK_SET)) - return 1; - - ptr = (char *) header; - size = header_size; - - do - { - block = write(fd, ptr, size); - if (block <= 0) - break; - ptr += block; - size -= block; - } - while (size > 0); - - return size; -} - - -#define USAGE \ -"Usage: %s OPTIONS FILE1 FILE2 FILEN ...\n" \ -"Manage PaX flags for binaries\n\n" \ -" -P\tenforce paging based non-executable pages\n" \ -" -p\tdo not enforce paging based non-executable 
pages\n" \ -" -E\temulate trampolines\n" \ -" -e\tdo not emulate trampolines\n" \ -" -M\trestrict mprotect()\n" \ -" -m\tdo not restrict mprotect()\n" \ -" -R\trandomize mmap() base [ELF only]\n" \ -" -r\tdo not randomize mmap() base [ELF only]\n" \ -" -X\trandomize ET_EXEC base [ELF only]\n" \ -" -x\tdo not randomize ET_EXEC base [ELF only]\n" \ -" -S\tenforce segmentation based non-executable pages\n" \ -" -s\tdo not enforce segmentation based non-executable pages\n" \ -" -v\tview current flag mask \n" \ -" -z\tzero flag mask (next flags still apply)\n\n" \ -"The flags only have effect when running the patched Linux kernel.\n" - - -void usage(char *name) -{ - printf(USAGE, (name ? name : "chpax")); - exit(1); -} - -unsigned long scan_flags(unsigned long flags, char **argv, int *view) -{ - int index; - - for (index = 1; argv[1][index]; index++) - switch (argv[1][index]) - { - - case 'p': - flags |= HF_PAX_PAGEEXEC; - continue ; - - case 'P': - flags = (flags & ~HF_PAX_PAGEEXEC) | HF_PAX_SEGMEXEC; - continue ; - - case 'E': - flags |= HF_PAX_EMUTRAMP; - continue ; - - case 'e': - flags = (flags & ~HF_PAX_EMUTRAMP); - continue ; - - case 'm': - flags |= HF_PAX_MPROTECT; - continue ; - - case 'M': - flags = (flags & ~HF_PAX_MPROTECT); - continue ; - - case 'r': - flags |= HF_PAX_RANDMMAP; - continue ; - - case 'R': - flags = (flags & ~HF_PAX_RANDMMAP); - continue ; - - case 'X': - flags |= HF_PAX_RANDEXEC; - continue ; - - case 'x': - flags = (flags & ~HF_PAX_RANDEXEC); - continue ; - - case 's': - flags |= HF_PAX_SEGMEXEC; - continue ; - - case 'S': - flags = (flags & ~HF_PAX_SEGMEXEC) | HF_PAX_PAGEEXEC; - continue ; - - case 'v': - *view = 1; - continue ; - - case 'z': - flags = 0; - continue ; - - default: - fprintf(stderr, "Unknown option %c \n", argv[1][index]); - usage(argv[0]); - } - - return (flags); -} - - -int main(int argc, char **argv) -{ - unsigned long flags; - unsigned long aflags; - unsigned int index; - int mode; - char *current; - int error = 0; - 
int view = 0; - - if (argc < 3 || argv[1][0] != '-') - usage(argv[0]); - - for (index = 2, current = argv[index]; current; current = argv[++index]) - { - - mode = (argc == 3 && !strcmp(argv[1], "-v") ? O_RDONLY : O_RDWR); - - error = read_header(current, mode); - switch (error) - { - case 1: - perror(current); - continue ; - case 2: - fprintf(stderr, "%s: Unknown file type (passed) \n", current); - XCLOSE(fd); - continue ; - case 3: - fprintf(stderr, "%s: Wrong architecture (passed) \n", current); - XCLOSE(fd); - continue ; - } - - aflags = get_flags(); - flags = scan_flags(aflags, argv, &view); - - if (view) - { - printf("\n----[ Current flags for %s ]---- \n\n", current); - print_flags(aflags); - puts(""); - } - - put_flags(flags); - - if (flags != aflags && write_header()) - { - perror(current); - error = 4; - } - - if (error) - fprintf(stderr, "%s : Flags were not updated . \n", current); - else if (view && aflags != flags) - { - printf("\n----[ Updated flags for %s ]---- \n\n", current); - print_flags(flags); - puts(""); - } - - XCLOSE(fd); - } - - return (error); -} diff --git a/sys-apps/gradm/files/gradm-1.7b-chpax.c b/sys-apps/gradm/files/gradm-1.7b-chpax.c deleted file mode 100644 index 9dd3dd880e36..000000000000 --- a/sys-apps/gradm/files/gradm-1.7b-chpax.c +++ /dev/null 
@@ -1,335 +0,0 @@ -/* - * This program manages various PaX related flags for ELF and a.out binaries. - * The flags only have effect when running the patched Linux kernel. - * - * Written by Solar Designer and placed in the public domain. - * - * Adapted to PaX by the PaX Team - * - * Nov 10 2002 : Added multi{options,files} cmdline, zeroflag, nicer output - * (+ double output if flags are changed and -v is specified), more error - * handling. - * - * Dec 11 2002 : Explicit error messages and return value, even more - * error handling . (-jv) - * - */ -#include <stdio.h> -#include <string.h> -#include <sys/types.h> -#include <fcntl.h> -#include <unistd.h> -#include <linux/elf.h> -#include <linux/a.out.h> - -#define HF_PAX_PAGEEXEC 1 /* 0: Paging based non-exec pages */ -#define HF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */ -#define HF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */ -#define HF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */ -#define HF_PAX_RANDEXEC 16 /* 1: Randomize ET_EXEC base */ -#define HF_PAX_SEGMEXEC 32 /* 0: Segmentation based non-exec pages */ - -#define XCLOSE(fd) \ -do \ -{ \ - if (close(fd)) \ - perror("close"); \ -} \ -while (0) - -static struct elf32_hdr header_elf; -static struct exec header_aout; -static void *header; -static int header_size; -static int fd; - -static unsigned long (*get_flags)(); -static void (*put_flags)(unsigned long); - - -static void print_flags(unsigned long flags) -{ - printf(" * Paging based PAGE_EXEC : %s \n" - " * Trampolines : %s \n" - " * mprotect() : %s \n" - " * mmap() base : %s \n" - " * ET_EXEC base : %s \n" - " * Segmentation based PAGE_EXEC : %s \n", - flags & HF_PAX_PAGEEXEC - ? "disabled" : flags & HF_PAX_SEGMEXEC ? "enabled" : "enabled (overridden)", - flags & HF_PAX_EMUTRAMP - ? "emulated" : "not emulated", - flags & HF_PAX_MPROTECT - ? "not restricted" : "restricted", - flags & HF_PAX_RANDMMAP - ? "not randomized" : "randomized", - flags & HF_PAX_RANDEXEC - ? 
"randomized" : "not randomized", - flags & HF_PAX_SEGMEXEC - ? "disabled" : "enabled"); -} - -static unsigned long get_flags_elf() -{ - return (header_elf.e_flags); -} - -static void put_flags_elf(unsigned long flags) -{ - header_elf.e_flags = flags; -} - -static unsigned long get_flags_aout() -{ - return (N_FLAGS(header_aout)); -} - -static void put_flags_aout(unsigned long flags) -{ - N_SET_FLAGS(header_aout, flags & ~HF_PAX_RANDMMAP); -} - -static int read_header(char *name, int mode) -{ - char *ptr; - int size; - int block; - - if ((fd = open(name, mode)) < 0) - return 1; - - ptr = (char *) &header_elf; - size = sizeof (header_elf); - - do - { - block = read(fd, ptr, size); - if (block <= 0) - return (block ? 1 : 2); - ptr += block; size -= block; - } - while (size > 0); - - memcpy(&header_aout, &header_elf, sizeof(header_aout)); - - if (!strncmp(header_elf.e_ident, ELFMAG, SELFMAG)) - { - if (header_elf.e_type != ET_EXEC && header_elf.e_type != ET_DYN) - return 2; - if (header_elf.e_machine != EM_386) - return 3; - header = &header_elf; - header_size = sizeof(header_elf); - get_flags = get_flags_elf; - put_flags = put_flags_elf; - } - - else if (N_MAGIC(header_aout) == NMAGIC || - N_MAGIC(header_aout) == ZMAGIC || - N_MAGIC(header_aout) == QMAGIC) - { - if (N_MACHTYPE(header_aout) != M_386) - return 3; - header = &header_aout; - header_size = 4; - get_flags = get_flags_aout; - put_flags = put_flags_aout; - } - - else - return (2); - - return (0); -} - -int write_header() -{ - char *ptr; - int size; - int block; - - if (lseek(fd, 0, SEEK_SET)) - return 1; - - ptr = (char *) header; - size = header_size; - - do - { - block = write(fd, ptr, size); - if (block <= 0) - break; - ptr += block; - size -= block; - } - while (size > 0); - - return size; -} - - -#define USAGE \ -"Usage: %s OPTIONS FILE1 FILE2 FILEN ...\n" \ -"Manage PaX flags for binaries\n\n" \ -" -P\tenforce paging based non-executable pages\n" \ -" -p\tdo not enforce paging based non-executable 
pages\n" \ -" -E\temulate trampolines\n" \ -" -e\tdo not emulate trampolines\n" \ -" -M\trestrict mprotect()\n" \ -" -m\tdo not restrict mprotect()\n" \ -" -R\trandomize mmap() base [ELF only]\n" \ -" -r\tdo not randomize mmap() base [ELF only]\n" \ -" -X\trandomize ET_EXEC base [ELF only]\n" \ -" -x\tdo not randomize ET_EXEC base [ELF only]\n" \ -" -S\tenforce segmentation based non-executable pages\n" \ -" -s\tdo not enforce segmentation based non-executable pages\n" \ -" -v\tview current flag mask \n" \ -" -z\tzero flag mask (next flags still apply)\n\n" \ -"The flags only have effect when running the patched Linux kernel.\n" - - -void usage(char *name) -{ - printf(USAGE, (name ? name : "chpax")); - exit(1); -} - -unsigned long scan_flags(unsigned long flags, char **argv, int *view) -{ - int index; - - for (index = 1; argv[1][index]; index++) - switch (argv[1][index]) - { - - case 'p': - flags |= HF_PAX_PAGEEXEC; - continue ; - - case 'P': - flags = (flags & ~HF_PAX_PAGEEXEC) | HF_PAX_SEGMEXEC; - continue ; - - case 'E': - flags |= HF_PAX_EMUTRAMP; - continue ; - - case 'e': - flags = (flags & ~HF_PAX_EMUTRAMP); - continue ; - - case 'm': - flags |= HF_PAX_MPROTECT; - continue ; - - case 'M': - flags = (flags & ~HF_PAX_MPROTECT); - continue ; - - case 'r': - flags |= HF_PAX_RANDMMAP; - continue ; - - case 'R': - flags = (flags & ~HF_PAX_RANDMMAP); - continue ; - - case 'X': - flags |= HF_PAX_RANDEXEC; - continue ; - - case 'x': - flags = (flags & ~HF_PAX_RANDEXEC); - continue ; - - case 's': - flags |= HF_PAX_SEGMEXEC; - continue ; - - case 'S': - flags = (flags & ~HF_PAX_SEGMEXEC) | HF_PAX_PAGEEXEC; - continue ; - - case 'v': - *view = 1; - continue ; - - case 'z': - flags = 0; - continue ; - - default: - fprintf(stderr, "Unknown option %c \n", argv[1][index]); - usage(argv[0]); - } - - return (flags); -} - - -int main(int argc, char **argv) -{ - unsigned long flags; - unsigned long aflags; - unsigned int index; - int mode; - char *current; - int error = 0; - 
int view = 0; - - if (argc < 3 || argv[1][0] != '-') - usage(argv[0]); - - for (index = 2, current = argv[index]; current; current = argv[++index]) - { - - mode = (argc == 3 && !strcmp(argv[1], "-v") ? O_RDONLY : O_RDWR); - - error = read_header(current, mode); - switch (error) - { - case 1: - perror(current); - continue ; - case 2: - fprintf(stderr, "%s: Unknown file type (passed) \n", current); - XCLOSE(fd); - continue ; - case 3: - fprintf(stderr, "%s: Wrong architecture (passed) \n", current); - XCLOSE(fd); - continue ; - } - - aflags = get_flags(); - flags = scan_flags(aflags, argv, &view); - - if (view) - { - printf("\n----[ Current flags for %s ]---- \n\n", current); - print_flags(aflags); - puts(""); - } - - put_flags(flags); - - if (flags != aflags && write_header()) - { - perror(current); - error = 4; - } - - if (error) - fprintf(stderr, "%s : Flags were not updated . \n", current); - else if (view && aflags != flags) - { - printf("\n----[ Updated flags for %s ]---- \n\n", current); - print_flags(flags); - puts(""); - } - - XCLOSE(fd); - } - - return (error); -} diff --git a/sys-apps/gradm/files/gradm-chpax.c b/sys-apps/gradm/files/gradm-chpax.c deleted file mode 100644 index 9dd3dd880e36..000000000000 --- a/sys-apps/gradm/files/gradm-chpax.c +++ /dev/null 
@@ -1,335 +0,0 @@ -/* - * This program manages various PaX related flags for ELF and a.out binaries. - * The flags only have effect when running the patched Linux kernel. - * - * Written by Solar Designer and placed in the public domain. - * - * Adapted to PaX by the PaX Team - * - * Nov 10 2002 : Added multi{options,files} cmdline, zeroflag, nicer output - * (+ double output if flags are changed and -v is specified), more error - * handling. - * - * Dec 11 2002 : Explicit error messages and return value, even more - * error handling . (-jv) - * - */ -#include <stdio.h> -#include <string.h> -#include <sys/types.h> -#include <fcntl.h> -#include <unistd.h> -#include <linux/elf.h> -#include <linux/a.out.h> - -#define HF_PAX_PAGEEXEC 1 /* 0: Paging based non-exec pages */ -#define HF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */ -#define HF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */ -#define HF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */ -#define HF_PAX_RANDEXEC 16 /* 1: Randomize ET_EXEC base */ -#define HF_PAX_SEGMEXEC 32 /* 0: Segmentation based non-exec pages */ - -#define XCLOSE(fd) \ -do \ -{ \ - if (close(fd)) \ - perror("close"); \ -} \ -while (0) - -static struct elf32_hdr header_elf; -static struct exec header_aout; -static void *header; -static int header_size; -static int fd; - -static unsigned long (*get_flags)(); -static void (*put_flags)(unsigned long); - - -static void print_flags(unsigned long flags) -{ - printf(" * Paging based PAGE_EXEC : %s \n" - " * Trampolines : %s \n" - " * mprotect() : %s \n" - " * mmap() base : %s \n" - " * ET_EXEC base : %s \n" - " * Segmentation based PAGE_EXEC : %s \n", - flags & HF_PAX_PAGEEXEC - ? "disabled" : flags & HF_PAX_SEGMEXEC ? "enabled" : "enabled (overridden)", - flags & HF_PAX_EMUTRAMP - ? "emulated" : "not emulated", - flags & HF_PAX_MPROTECT - ? "not restricted" : "restricted", - flags & HF_PAX_RANDMMAP - ? "not randomized" : "randomized", - flags & HF_PAX_RANDEXEC - ? 
"randomized" : "not randomized", - flags & HF_PAX_SEGMEXEC - ? "disabled" : "enabled"); -} - -static unsigned long get_flags_elf() -{ - return (header_elf.e_flags); -} - -static void put_flags_elf(unsigned long flags) -{ - header_elf.e_flags = flags; -} - -static unsigned long get_flags_aout() -{ - return (N_FLAGS(header_aout)); -} - -static void put_flags_aout(unsigned long flags) -{ - N_SET_FLAGS(header_aout, flags & ~HF_PAX_RANDMMAP); -} - -static int read_header(char *name, int mode) -{ - char *ptr; - int size; - int block; - - if ((fd = open(name, mode)) < 0) - return 1; - - ptr = (char *) &header_elf; - size = sizeof (header_elf); - - do - { - block = read(fd, ptr, size); - if (block <= 0) - return (block ? 1 : 2); - ptr += block; size -= block; - } - while (size > 0); - - memcpy(&header_aout, &header_elf, sizeof(header_aout)); - - if (!strncmp(header_elf.e_ident, ELFMAG, SELFMAG)) - { - if (header_elf.e_type != ET_EXEC && header_elf.e_type != ET_DYN) - return 2; - if (header_elf.e_machine != EM_386) - return 3; - header = &header_elf; - header_size = sizeof(header_elf); - get_flags = get_flags_elf; - put_flags = put_flags_elf; - } - - else if (N_MAGIC(header_aout) == NMAGIC || - N_MAGIC(header_aout) == ZMAGIC || - N_MAGIC(header_aout) == QMAGIC) - { - if (N_MACHTYPE(header_aout) != M_386) - return 3; - header = &header_aout; - header_size = 4; - get_flags = get_flags_aout; - put_flags = put_flags_aout; - } - - else - return (2); - - return (0); -} - -int write_header() -{ - char *ptr; - int size; - int block; - - if (lseek(fd, 0, SEEK_SET)) - return 1; - - ptr = (char *) header; - size = header_size; - - do - { - block = write(fd, ptr, size); - if (block <= 0) - break; - ptr += block; - size -= block; - } - while (size > 0); - - return size; -} - - -#define USAGE \ -"Usage: %s OPTIONS FILE1 FILE2 FILEN ...\n" \ -"Manage PaX flags for binaries\n\n" \ -" -P\tenforce paging based non-executable pages\n" \ -" -p\tdo not enforce paging based non-executable 
pages\n" \ -" -E\temulate trampolines\n" \ -" -e\tdo not emulate trampolines\n" \ -" -M\trestrict mprotect()\n" \ -" -m\tdo not restrict mprotect()\n" \ -" -R\trandomize mmap() base [ELF only]\n" \ -" -r\tdo not randomize mmap() base [ELF only]\n" \ -" -X\trandomize ET_EXEC base [ELF only]\n" \ -" -x\tdo not randomize ET_EXEC base [ELF only]\n" \ -" -S\tenforce segmentation based non-executable pages\n" \ -" -s\tdo not enforce segmentation based non-executable pages\n" \ -" -v\tview current flag mask \n" \ -" -z\tzero flag mask (next flags still apply)\n\n" \ -"The flags only have effect when running the patched Linux kernel.\n" - - -void usage(char *name) -{ - printf(USAGE, (name ? name : "chpax")); - exit(1); -} - -unsigned long scan_flags(unsigned long flags, char **argv, int *view) -{ - int index; - - for (index = 1; argv[1][index]; index++) - switch (argv[1][index]) - { - - case 'p': - flags |= HF_PAX_PAGEEXEC; - continue ; - - case 'P': - flags = (flags & ~HF_PAX_PAGEEXEC) | HF_PAX_SEGMEXEC; - continue ; - - case 'E': - flags |= HF_PAX_EMUTRAMP; - continue ; - - case 'e': - flags = (flags & ~HF_PAX_EMUTRAMP); - continue ; - - case 'm': - flags |= HF_PAX_MPROTECT; - continue ; - - case 'M': - flags = (flags & ~HF_PAX_MPROTECT); - continue ; - - case 'r': - flags |= HF_PAX_RANDMMAP; - continue ; - - case 'R': - flags = (flags & ~HF_PAX_RANDMMAP); - continue ; - - case 'X': - flags |= HF_PAX_RANDEXEC; - continue ; - - case 'x': - flags = (flags & ~HF_PAX_RANDEXEC); - continue ; - - case 's': - flags |= HF_PAX_SEGMEXEC; - continue ; - - case 'S': - flags = (flags & ~HF_PAX_SEGMEXEC) | HF_PAX_PAGEEXEC; - continue ; - - case 'v': - *view = 1; - continue ; - - case 'z': - flags = 0; - continue ; - - default: - fprintf(stderr, "Unknown option %c \n", argv[1][index]); - usage(argv[0]); - } - - return (flags); -} - - -int main(int argc, char **argv) -{ - unsigned long flags; - unsigned long aflags; - unsigned int index; - int mode; - char *current; - int error = 0; - 
int view = 0; - - if (argc < 3 || argv[1][0] != '-') - usage(argv[0]); - - for (index = 2, current = argv[index]; current; current = argv[++index]) - { - - mode = (argc == 3 && !strcmp(argv[1], "-v") ? O_RDONLY : O_RDWR); - - error = read_header(current, mode); - switch (error) - { - case 1: - perror(current); - continue ; - case 2: - fprintf(stderr, "%s: Unknown file type (passed) \n", current); - XCLOSE(fd); - continue ; - case 3: - fprintf(stderr, "%s: Wrong architecture (passed) \n", current); - XCLOSE(fd); - continue ; - } - - aflags = get_flags(); - flags = scan_flags(aflags, argv, &view); - - if (view) - { - printf("\n----[ Current flags for %s ]---- \n\n", current); - print_flags(aflags); - puts(""); - } - - put_flags(flags); - - if (flags != aflags && write_header()) - { - perror(current); - error = 4; - } - - if (error) - fprintf(stderr, "%s : Flags were not updated . \n", current); - else if (view && aflags != flags) - { - printf("\n----[ Updated flags for %s ]---- \n\n", current); - print_flags(flags); - puts(""); - } - - XCLOSE(fd); - } - - return (error); -} diff --git a/sys-apps/gradm/files/gradm_parse.c-1.9.x.patch b/sys-apps/gradm/files/gradm_parse.c-1.9.x.patch new file mode 100644 index 000000000000..7281e7b6c248 --- /dev/null +++ b/sys-apps/gradm/files/gradm_parse.c-1.9.x.patch @@ -0,0 +1,13 @@ +--- gradm_parse.c 2003-05-13 01:41:26.000000000 -0400 ++++ gradm_parse_gentoo.c 2003-05-13 01:51:17.000000000 -0400 +@@ -677,8 +677,8 @@ + n = scandir(dir, &namelist, 0, alphasort); + if (n >= 0) { + while (n--) { +- if (strcmp(namelist[n]->d_name, ".") +- && strcmp(namelist[n]->d_name, "..")) { ++ /* ignore files and directorys that start with . */ ++ if (namelist[n]->d_name[0] != '.') { + memset(&path, 0, sizeof (path)); + snprintf(path, PATH_MAX - 1, "%s/%s", + dir, namelist[n]->d_name); diff --git a/sys-apps/gradm/files/grsecurity b/sys-apps/gradm/files/grsecurity index 88858b57ba75..2352dfbe21bd 100644 --- a/sys-apps/gradm/files/grsecurity 
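Review bot: The replacement test `namelist[n]->d_name[0] != '.'` in the new gradm_parse.c-1.9.x.patch silently widens the exclusion from exactly `.` and `..` to every dot-prefixed entry, so a policy file or subdirectory whose name begins with `.` is now skipped from the policy directory without any indication, and neither the patch nor the commit says why. I infer the intent is to skip editor swap/backup files and similar hidden entries; the comment should state that rather than just restating the condition, e.g. `/* skip ".", ".." and hidden entries (editor backup/swap files etc.); dot-prefixed policy files are NOT loaded */` (this also fixes "directorys"). The enclosing scandir loop and its function begin and end outside the patched lines, so whether `namelist` is released afterwards cannot be judged from here.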
+++ b/sys-apps/gradm/files/grsecurity @@ -13,6 +13,9 @@ MPROTECT_EXEMPT="" # Files we should not randomize mmap for MMAP_EXEMPT="" +# Files not to enforce segmentation based non-executable pages +SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}" + # # Check your running kernel for valid options. # "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3 | awk '{print $1}'" diff --git a/sys-apps/gradm/files/grsecurity.rc b/sys-apps/gradm/files/grsecurity.rc index 0baee1e32644..b4a9ed4303ff 100644 --- a/sys-apps/gradm/files/grsecurity.rc +++ b/sys-apps/gradm/files/grsecurity.rc @@ -1,7 +1,7 @@ #!/sbin/runscript # Copyright 1999-2003 Gentoo Technologies, Inc. # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.6 2003/05/17 02:33:34 method Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/gradm/files/grsecurity.rc,v 1.7 2003/06/16 18:37:01 solar Exp $ PROCDIR=/proc/sys/kernel/grsecurity @@ -21,13 +21,12 @@ start() { ebegin "Starting grsecurity" - for x in ${ENABLED} ; do - if [ -f ${PROCDIR}/${x} ]; then - echo 1 >${PROCDIR}/${x} - fi + for x in ${ENABLED}; do + # [ -f ${PROCDIR}/${x} ] && continue + # einfo "\tEnabling kernel.grsecurity.${x}" case "${x}" in allow_ptrace_group) - echo ${ptrace_gid} >${PROCDIR}/ptrace_gid + echo ${ptrace_gid} > ${PROCDIR}/ptrace_gid ;; fork_bomb_prot) echo ${fork_bomb_gid} >${PROCDIR}/fork_bomb_gid 
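Review bot: Defaulting the new `SEGMENTATION_EXEMPT="${PAGE_EXEC_EXEMPT}"` means every binary an admin exempted from paging-based non-executable pages is now also handed to `/sbin/chpax -s` by the init script, so both PaX non-executable-page mechanisms are cleared on it instead of one; per the usage text in the chpax.c copies this commit removes, `-s` is "do not enforce segmentation based non-executable pages" (the installed chpax may differ, so confirm). That is a larger loss of protection than the PAGE_EXEC_EXEMPT comment suggests, and it happens without the admin editing the new variable. Either default it empty so the weakening is an explicit opt-in, `SEGMENTATION_EXEMPT=""`, or extend the comment to `# Files not to enforce segmentation based non-executable pages (defaults to PAGE_EXEC_EXEMPT: those binaries lose both PAGEEXEC and SEGMEXEC)`.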
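Review bot: With the `echo 1 >${PROCDIR}/${x}` removed from the top of the `for x in ${ENABLED}` loop in grsecurity.rc, the named `case` arms visible here (`allow_ptrace_group`, `fork_bomb_prot`, and `socket_server` in the following hunk) now only write their gid file and never write `1` to `${PROCDIR}/${x}` itself; only the new `*)` arm does that, and those names never reach it, so the protections they name appear to stay disabled where the old `if [ -f ... ]; then echo 1 ...; fi` turned every listed one on. Restore the unconditional toggle before the `case`: `[ -f ${PROCDIR}/${x} ] && echo 1 >${PROCDIR}/${x}` (the `*)` arm in the next hunk then becomes redundant). The two commented-out lines `# [ -f ${PROCDIR}/${x} ] && continue` and `# einfo ...` are dead code and should be dropped rather than left in. `start()` begins at the hunk's context line and continues past the end of this hunk.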
@@ -43,36 +42,33 @@ start() { socket_server) echo ${socket_server_gid} >${PROCDIR}/socket_server_gid ;; + *) + [ -f ${PROCDIR}/${x} ] && echo 1 >${PROCDIR}/${x} + ;; esac done for x in ${PAGE_EXEC_EXEMPT} ; do - if [ -f ${x} ]; then - /sbin/chpax -p ${x} - fi + [ -f ${x} ] && /sbin/chpax -p ${x} done for x in ${TRAMPOLINE_EXEMPT} ; do - if [ -f ${x} ]; then - /sbin/chpax -e ${x} - fi + [ -f ${x} ] && /sbin/chpax -e ${x} done for x in ${MPROTECT_EXEMPT} ; do - if [ -f ${x} ]; then - /sbin/chpax -m ${x} - fi + [ -f ${x} ] && /sbin/chpax -m ${x} done for x in ${MMAP_EXEMPT} ; do - if [ -f ${x} ]; then - /sbin/chpax -r ${x} - fi + [ -f ${x} ] && /sbin/chpax -r ${x} done - if [ -f ${PROCDIR}/grsec_lock ] ; then - echo ${LOCK} >${PROCDIR}/grsec_lock - fi + for x in ${SEGMENTATION_EXEMPT} ; do + [ -f ${x} ] && /sbin/chpax -s ${x} + done + + [ -f ${PROCDIR}/grsec_lock ] && echo ${LOCK} >${PROCDIR}/grsec_lock eend ${?} } |