authorNed Ludd <solar@gentoo.org>2004-06-06 21:32:28 +0000
committerNed Ludd <solar@gentoo.org>2004-06-06 21:32:28 +0000
commit52574d99795d1c2cebfcb483a577a12fe441ca9a (patch)
treefcc7df62a96a86ea8970ba18e023ff340ff7066a /sys-apps/chpax/files
parentstable on amd64 (Manifest recommit) (diff)
downloadgentoo-2-52574d99795d1c2cebfcb483a577a12fe441ca9a.tar.gz
gentoo-2-52574d99795d1c2cebfcb483a577a12fe441ca9a.tar.bz2
gentoo-2-52574d99795d1c2cebfcb483a577a12fe441ca9a.zip
Updated chpax/paxctl init/conf scripts. Submitted by John Richard Moser. bug #40665
Diffstat (limited to 'sys-apps/chpax/files')
-rw-r--r--sys-apps/chpax/files/pax-conf.d53
-rw-r--r--sys-apps/chpax/files/pax-init.d63
2 files changed, 76 insertions, 40 deletions
diff --git a/sys-apps/chpax/files/pax-conf.d b/sys-apps/chpax/files/pax-conf.d
index 0a9527b02328..48c0e9196e34 100644
--- a/sys-apps/chpax/files/pax-conf.d
+++ b/sys-apps/chpax/files/pax-conf.d
@@ -1,5 +1,5 @@
####################################################################
-# Copyright 1999-2004 Gentoo Technologies, Inc. #
+# Copyright 1999-2003 Gentoo Technologies, Inc. #
# Distributed under the terms of the GNU General Public License v2 #
####################################################################
# chpax prefix description
@@ -10,33 +10,48 @@
# s SE do not enforce segmentation based non-executable pages
# x XE do not randomize ET_EXEC base [ELF only]
-CHPAX=/sbin/chpax
-#CHPAX=/sbin/paxctl
+# NOTE: PS_EXEC_EXEMPT is {PAGE,SEGM}_EXEC_EXEMPT. For executables
+# with BOTH, you should use this, as it enables -e and -m, to make
+# sure that pax doesn't cry about odd flag settings in softmode
-PE_wine=/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}
-PE_blkdwn_java=/opt/blackdown-{jdk-*/{,jre/},jre-*/}bin/{java{_vm},keytool,kinit,klist,ktab,orbd,policytool,rmi{d,registry},servertool,tnameserv}
-PE_openoffice=/opt/OpenOffice.org*/program/soffice.bin
+# "blkdwn_java" would be blackdown-jdk or blackdown-jre
-PE_misc="/usr/X11R6/bin/XFree86 /usr/bin/xmms /usr/bin/mplayer /usr/bin/blender \
- /usr/bin/gxine /usr/bin/xine /usr/bin/totem /usr/bin/acme \
- /usr/bin/xfce4-panel /usr/bin/gnome-sound-recorder /usr/games/bin/bzflag"
+# chpax command. If using multiple tools, can separate by spaces.
+# This one hits BOTH chpax and paxctl
+CHPAX="/sbin/chpax /sbin/paxctl"
+#CHPAX="/sbin/paxctl"
+#CHPAX="/sbin/chpax"
+
+# yes to be annoyed
+VERBOSE="no"
+
+PSE_wine=/usr/lib/wine/bin/{wine{,build,clipsrv,dump,gcc,server,wrap,-{k,p}thread},w{mc,rc,idl}}
+PSE_blkdwn_java=/opt/blackdown-{jdk-*/{,jre/},jre-*/}bin/{java{,_vm,c},keytool,kinit,klist,ktab,orbd,policytool,rmi{d,registry},servertool,tnameserv}
+PSE_openoffice=/opt/OpenOffice.org*/program/soffice.bin
+PSE_misc="/usr/X11R6/bin/XFree86 /usr/bin/xmms /usr/bin/{,g}mplayer \
+ /usr/bin/blender /usr/bin/gxine /usr/bin/xine /usr/bin/totem /usr/bin/acme \
+ /usr/bin/gnome-sound-recorder /usr/games/bin/bzflag /usr/bin/xfce4-panel"
+
+RE_blkdwn_java="${SPE_blkdwn_java} /usr/X11R6/bin/XFree86"
+
+ME_blkdwn_java="${PSE_blkdwn_java}"
+# or plug-ins don't work
+ME_misc=/usr/lib/MozillaFirefox/firefox{,-bin}
+
+XE_blkdwn_java="${PSE_blkdwn_java} /usr/X11R6/bin/XFree86"
-RE_blkdwn_java="${PE_blkdwn_java}"
-RE_wine="${PE_wine}"
-ME_blkdwn_java="${PE_blkdwn_java}"
-XE_blkdwn_java="${PE_blkdwn_java}"
-XE_wine="${RE_wine}"
####################################
# Settings are really applied here #
####################################
-PAGEEXEC_EXEMPT="${PE_misc} ${PE_wine} ${PE_blkdwn_java} ${PE_gnome} ${PE_openoffice}"
+PS_EXEC_EXEMPT="${PSE_misc} ${PSE_wine} ${PSE_blkdwn_java} ${PSE_openoffice}"
+PAGEEXEC_EXEMPT=""
TRAMPOLINE_EXEMPT=""
-MPROTECT_EXEMPT="${ME_blkdwn_java}"
-RANDMMAP_EXEMPT="${RE_wine}"
+MPROTECT_EXEMPT="${ME_blkdwn_java} ${ME_misc}"
+RANDMMAP_EXEMPT="${RE_blkdwn_java}"
SEGMEXEC_EXEMPT="${PAGEEXEC_EXEMPT}"
-RANDEXEC_EXEMPT="${XE_blkdwn_java} ${XE_wine}"
+RANDEXEC_EXEMPT="${XE_blkdwn_java}"
# when zero flag mask is set to "yes" it will remove all pax flags from all files on reboot/stop
-ZERO_FLAG_MASK=no
+ZERO_FLAG_MASK="yes"
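Review bot: The added `RE_blkdwn_java` line expands `${SPE_blkdwn_java}`, which nothing in this file as shown defines; every other new variable uses the `PSE_` prefix, so this looks like a transposed name. As written the variable expands to empty, so RANDMMAP_EXEMPT holds only `/usr/X11R6/bin/XFree86` and the Java binaries silently lose the exemption that the old `RE_blkdwn_java="${PE_blkdwn_java}"` gave them. The line should read `RE_blkdwn_java="${PSE_blkdwn_java} /usr/X11R6/bin/XFree86"`. Separately, the default of `ZERO_FLAG_MASK` flips from `no` to `"yes"`, so every listed binary is now rewritten on stop; the comment above it should say that this is the shipped default.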
diff --git a/sys-apps/chpax/files/pax-init.d b/sys-apps/chpax/files/pax-init.d
index baf31eea5441..412acccee334 100644
--- a/sys-apps/chpax/files/pax-init.d
+++ b/sys-apps/chpax/files/pax-init.d
@@ -8,22 +8,37 @@ depend() {
checkconfig() {
if [ "x$CHPAX" = "x" ]; then
- #CHPAX=/sbin/paxctl
- CHPAX=/sbin/chpax
+ CHPAX="/sbin/chpax /sbin/paxctl"
fi
- $CHPAX -v $CHPAX >/dev/null 2>&1 || return 1
+ # Find non-existant chpaxes
+ REALCHPAX=""
+ for i in $CHPAX; do
+ REALCHPAX="$REALCHPAX`$i -v $i >/dev/null 2>&1 && echo \ $i`"
+ done
+ if [ "x$REALCHPAX" = "x" ]; then
+ eerror "error: none of the specified chpax commands exist!"
+ return 1
+ fi
+ CHPAX="$REALCHPAX"
}
chpax_flag() {
flag=$1
fname=$2
- #einfo "chpax -$flag ${fname}"
- if [ -w ${fname} ]; then
- einfo "$CHPAX -$flag ${fname}"
- $CHPAX -$flag ${fname}
- [ $? != 0 ] && eerror "error: $CHPAX -$flag ${fname}"
- fi
+ #if [ -w ${fname} ]; then
+ #einfo "-${flag} flagging ${fname}"
+ for i in $CHPAX; do
+ #einfo " with $i"
+ # nonverbose is ultraquiet
+ if [ "$VERBOSE" = "yes" ]; then
+ $i -$flag ${fname}
+ [ $? != 0 ] && eerror "error: $i -$flag ${fname}"
+ else
+ $i -$flag ${fname} 2>/dev/null >/dev/null
+ fi
+ done
+ #fi
}
fix_exempts() {
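Review bot: In `chpax_flag`, the default path (`VERBOSE="no"`) discards both the output and the exit status of every tool, and the `-w` test that used to guard the call is commented out, so a flag change that fails on every tool in `$CHPAX` leaves no trace. With two tools configured one failure per binary is presumably expected, but the function can still record whether at least one succeeded and report when none did. An existence check keeps patterns that matched nothing from producing noise, and quoting `$i` and `${fname}` avoids re-splitting the path. A possible shape is below; `i` and `applied` stay global as in the rest of the script.

```shell
chpax_flag() {
	flag=$1
	fname=$2
	# patterns that matched nothing stay literal after fix_exempts; skip them quietly
	[ -e "${fname}" ] || return 0
	applied=no
	for i in $CHPAX; do
		if [ "$VERBOSE" = "yes" ]; then
			"$i" "-$flag" "${fname}" && applied=yes
		else
			"$i" "-$flag" "${fname}" >/dev/null 2>&1 && applied=yes
		fi
	done
	[ "$applied" = "yes" ] || eerror "error: no tool in CHPAX could apply -$flag to ${fname}"
}
```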
@@ -33,6 +48,7 @@ fix_exempts() {
RANDMMAP_EXEMPT=`eval echo $RANDMMAP_EXEMPT`
MPROTECT_EXEMPT=`eval echo $MPROTECT_EXEMPT`
SEGMEXEC_EXEMPT=`eval echo $SEGMEXEC_EXEMPT`
+ PS_EXEC_EXEMPT=`eval echo $PS_EXEC_EXEMPT`
RANDEXEC_EXEMPT=`eval echo $RANDEXEC_EXEMPT`
}
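Review bot: The added `PS_EXEC_EXEMPT` line follows the existing `eval echo` pattern without a comment, and that pattern re-parses the configured value as shell code. It is presumably there only to expand the brace and glob patterns that conf.d stores as strings, but any other shell syntax in the value would also be executed by the init script. A comment above the block would make the contract explicit, for example `# eval is used only to expand {a,b} and * patterns; values must contain paths and patterns, nothing else`. `fix_exempts` starts outside this hunk, so the comment belongs at the top of the function.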
@@ -41,13 +57,16 @@ start() {
fix_exempts
- for p in $PAGEEXEC_EXEMPT; do chpax_flag p ${p} ;done
- for e in $TRAMPOLINE_EXEMPT; do chpax_flag e ${e} ;done
- for r in $RANDMMAP_EXEMPT; do chpax_flag r ${r} ;done
- for m in $MPROTECT_EXEMPT; do chpax_flag m ${m} ;done
- for s in $SEGMEXEC_EXEMPT; do chpax_flag s ${s} ;done
- for x in $RANDEXEC_EXEMPT; do chpax_flag x ${x} ;done
+ ebegin "Setting PaX flags on binaries"
+ for e in $TRAMPOLINE_EXEMPT; do chpax_flag e ${e} ;done
+ for r in $RANDMMAP_EXEMPT; do chpax_flag r ${r} ;done
+ for m in $MPROTECT_EXEMPT; do chpax_flag m ${m} ;done
+ for p in $PAGEEXEC_EXEMPT; do chpax_flag p ${p} ;done
+ for s in $SEGMEXEC_EXEMPT; do chpax_flag s ${s} ;done
+ for s in $PS_EXEC_EXEMPT; do chpax_flag psem ${s} ;done
+ for x in $RANDEXEC_EXEMPT; do chpax_flag x ${x} ;done
+ eend
return 0
}
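Review bot: The new `PS_EXEC_EXEMPT` loop passes `psem`, which, judging by the letters the neighbouring loops use, also applies the TRAMPOLINE (`e`) and MPROTECT (`m`) flags. Before this change the same binaries were in PAGEEXEC_EXEMPT and SEGMEXEC_EXEMPT and received only `p` and `s`, so wine, OpenOffice and everything in `PSE_misc` now get a wider exemption than before. If that is intended, the loop should carry a comment saying so, e.g. `# psem: also sets e and m, needed in softmode; this widens the exemption for every PS_EXEC_EXEMPT entry`. Otherwise pass `ps` here and list the binaries that really need `m` in MPROTECT_EXEMPT. Also, `eend` is called without a status and the function returns 0 unconditionally, so the service reports success whatever happened in the loops. `start()` begins outside this hunk.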
@@ -57,13 +76,15 @@ stop() {
[ "$ZERO_FLAG_MASK" = "yes" ] || return 0
fix_exempts
einfo "chpax zero flag masking"
- for p in $PAGEEXEC_EXEMPT; do chpax_flag z ${p} ;done
- for e in $TRAMPOLINE_EXEMPT; do chpax_flag z ${e} ;done
- for r in $RANDMMAP_EXEMPT; do chpax_flag z ${r} ;done
- for m in $MPROTECT_EXEMPT; do chpax_flag z ${m} ;done
- for s in $SEGMEXEC_EXEMPT; do chpax_flag z ${s} ;done
- for x in $RANDEXEC_EXEMPT; do chpax_flag z ${x} ;done
+ for p in $PAGEEXEC_EXEMPT; do chpax_flag ze ${p} ;done
+ for e in $TRAMPOLINE_EXEMPT; do chpax_flag ze ${e} ;done
+ for r in $RANDMMAP_EXEMPT; do chpax_flag ze ${r} ;done
+ for m in $MPROTECT_EXEMPT; do chpax_flag ze ${m} ;done
+ for s in $SEGMEXEC_EXEMPT; do chpax_flag ze ${s} ;done
+ for s in $PS_EXEC_EXEMPT; do chpax_flag ze ${s} ;done
+ for x in $RANDEXEC_EXEMPT; do chpax_flag ze ${x} ;done
return 0
}
+
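Review bot: All seven loops in `stop()` now run the identical `chpax_flag ze`, so a binary that appears in several lists (the Java set is in four) is rewritten once per list and once per tool in `$CHPAX`. A single loop does the same work and is easier to keep in step when a list is added: `for f in $PAGEEXEC_EXEMPT $TRAMPOLINE_EXEMPT $RANDMMAP_EXEMPT $MPROTECT_EXEMPT $SEGMEXEC_EXEMPT $PS_EXEC_EXEMPT $RANDEXEC_EXEMPT; do chpax_flag ze ${f} ;done`. The change from `z` to `ze` is not explained anywhere in the patch; a one-line comment on what the extra `e` does after zeroing would help the next reader. `stop()` begins outside this hunk.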