Import mini-framework for paxctl(8) on NetBSD/{amd64,i386} This allows setting flags for PaX on select binaries. Two new variables are introduced for packages: NOT_PAX_ASLR_SAFE and NOT_PAX_MPROTECT_SAFE. They both expect a list of binaries that are known to not support PaX ASLR and/or PaX MPROTECT, respectively. "Please commit" wiz@diff -r1.2018 -r1.2019 pkgsrc/mk/bsd.pkg.mk
(khorben)
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | # $NetBSD: bsd.pkg.mk,v 1.2018 2016/03/23 11:50:01 jperkin Exp $ | 1 | # $NetBSD: bsd.pkg.mk,v 1.2019 2016/05/26 16:03:04 khorben Exp $ | |
2 | # | 2 | # | |
3 | # This file is in the public domain. | 3 | # This file is in the public domain. | |
4 | # | 4 | # | |
5 | # Please see the pkgsrc/doc/guide manual for details on the | 5 | # Please see the pkgsrc/doc/guide manual for details on the | |
6 | # variables used in this make file template. | 6 | # variables used in this make file template. | |
7 | # | 7 | # | |
8 | # Default sequence for "all" is: | 8 | # Default sequence for "all" is: | |
9 | # | 9 | # | |
10 | # bootstrap-depends | 10 | # bootstrap-depends | |
11 | # fetch | 11 | # fetch | |
12 | # checksum | 12 | # checksum | |
13 | # depends | 13 | # depends | |
14 | # tools | 14 | # tools | |
@@ -668,26 +668,30 @@ lint: | @@ -668,26 +668,30 @@ lint: | |||
668 | # List of flags to pass to pkg_add(1) for bin-install: | 668 | # List of flags to pass to pkg_add(1) for bin-install: | |
669 | 669 | |||
670 | BIN_INSTALL_FLAGS?= # -v | 670 | BIN_INSTALL_FLAGS?= # -v | |
671 | _BIN_INSTALL_FLAGS= ${BIN_INSTALL_FLAGS} | 671 | _BIN_INSTALL_FLAGS= ${BIN_INSTALL_FLAGS} | |
672 | .if defined(_AUTOMATIC) && !empty(_AUTOMATIC:M[Yy][Ee][Ss]) | 672 | .if defined(_AUTOMATIC) && !empty(_AUTOMATIC:M[Yy][Ee][Ss]) | |
673 | _BIN_INSTALL_FLAGS+= -A | 673 | _BIN_INSTALL_FLAGS+= -A | |
674 | .endif | 674 | .endif | |
675 | _BIN_INSTALL_FLAGS+= ${PKG_ARGS_ADD} | 675 | _BIN_INSTALL_FLAGS+= ${PKG_ARGS_ADD} | |
676 | 676 | |||
677 | _SHORT_UNAME_R= ${:!${UNAME} -r!:C@\.([0-9]*)[_.-].*@.\1@} # n.n[_.]anything => n.n | 677 | _SHORT_UNAME_R= ${:!${UNAME} -r!:C@\.([0-9]*)[_.-].*@.\1@} # n.n[_.]anything => n.n | |
678 | 678 | |||
679 | .include "install/bin-install.mk" | 679 | .include "install/bin-install.mk" | |
680 | 680 | |||
681 | # Handle PaX flags | |||
682 | # | |||
683 | .include "pax.mk" | |||
684 | ||||
681 | .PHONY: show-pkgtools-version | 685 | .PHONY: show-pkgtools-version | |
682 | .if !target(show-pkgtools-version) | 686 | .if !target(show-pkgtools-version) | |
683 | show-pkgtools-version: | 687 | show-pkgtools-version: | |
684 | @${ECHO} ${PKGTOOLS_VERSION} | 688 | @${ECHO} ${PKGTOOLS_VERSION} | |
685 | .endif | 689 | .endif | |
686 | 690 | |||
687 | # convenience target, to display make variables from command line | 691 | # convenience target, to display make variables from command line | |
688 | # i.e. "make show-var VARNAME=var", will print var's value | 692 | # i.e. "make show-var VARNAME=var", will print var's value | |
689 | # | 693 | # | |
690 | # See also: | 694 | # See also: | |
691 | # show-vars, show-subdir-var | 695 | # show-vars, show-subdir-var | |
692 | # | 696 | # | |
693 | .PHONY: show-var | 697 | .PHONY: show-var |
# $NetBSD: pax.mk,v 1.1 2016/05/26 16:03:04 khorben Exp $
#
# Infrastructure support for binaries known to fail with PaX enabled.
#
# User-settable variables:
# PAXCTL
# The path to the paxctl(8) binary
#
# Package-settable variables:
#
# NOT_PAX_ASLR_SAFE
# The list of binaries which do not support PaX ASLR.
#
# NOT_PAX_MPROTECT_SAFE
# The list of binaries which do not support PaX MPROTECT.
.if !defined(PAX_MK)
. if defined(TOOLS_PLATFORM.paxctl)
PAXCTL= ${TOOLS_PLATFORM.paxctl}
. if !empty(NOT_PAX_ASLR_SAFE)
_INSTALL_ALL_TARGETS+= post-install-pax-aslr-binaries
.PHONY: post-install-pax-aslr-binaries
post-install: post-install-pax-aslr-binaries
post-install-pax-aslr-binaries:
@${STEP_MSG} "Setting PaX ASLR flags"
${RUN} \
for binary in ${NOT_PAX_ASLR_SAFE}; do \
${PAXCTL} +a ${DESTDIR}${PREFIX}/$$binary; \
done
. endif
. if !empty(NOT_PAX_MPROTECT_SAFE)
_INSTALL_ALL_TARGETS+= post-install-pax-mprotect-binaries
.PHONY: post-install-pax-mprotect-binaries
post-install: post-install-pax-mprotect-binaries
post-install-pax-mprotect-binaries:
@${STEP_MSG} "Setting PaX MPROTECT flags"
${RUN} \
for binary in ${NOT_PAX_MPROTECT_SAFE}; do \
${PAXCTL} +m ${DESTDIR}${PREFIX}/$$binary; \
done
. endif
. endif
.endif
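Review bot: The `.if !defined(PAX_MK)` guard at the top of pax.mk never takes effect, because nothing in the file defines `PAX_MK`; a second `.include "pax.mk"` would append the `post-install-pax-*` targets to `_INSTALL_ALL_TARGETS` again and declare their recipes a second time, so add `PAX_MK= defined` right after the `.if`. `PAXCTL` is documented as user-settable but is assigned with `=`, which replaces a value set earlier (for example in mk.conf); `PAXCTL?= ${TOOLS_PLATFORM.paxctl}` would honour it. Since `+a` and `+m` in paxctl(8) mark a binary as opted out of ASLR and MPROTECT, the step messages could say so and name the files, for example `@${STEP_MSG} "Disabling PaX ASLR for: ${NOT_PAX_ASLR_SAFE}"`, so that a build log records which installed binaries run with a mitigation turned off.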
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | # $NetBSD: tools.NetBSD.mk,v 1.57 2015/09/08 11:36:34 jperkin Exp $ | 1 | # $NetBSD: tools.NetBSD.mk,v 1.58 2016/05/26 16:03:04 khorben Exp $ | |
2 | # | 2 | # | |
3 | # System-supplied tools for the NetBSD operating system. | 3 | # System-supplied tools for the NetBSD operating system. | |
4 | 4 | |||
5 | TOOLS_PLATFORM.[?= [ # shell builtin | 5 | TOOLS_PLATFORM.[?= [ # shell builtin | |
6 | TOOLS_PLATFORM.awk?= /usr/bin/awk | 6 | TOOLS_PLATFORM.awk?= /usr/bin/awk | |
7 | TOOLS_PLATFORM.basename?= /usr/bin/basename | 7 | TOOLS_PLATFORM.basename?= /usr/bin/basename | |
8 | TOOLS_PLATFORM.byacc?= /usr/bin/yacc | 8 | TOOLS_PLATFORM.byacc?= /usr/bin/yacc | |
9 | .if exists(/usr/bin/bzcat) | 9 | .if exists(/usr/bin/bzcat) | |
10 | TOOLS_PLATFORM.bzcat?= /usr/bin/bzcat | 10 | TOOLS_PLATFORM.bzcat?= /usr/bin/bzcat | |
11 | .endif | 11 | .endif | |
12 | TOOLS_PLATFORM.bzip2?= /usr/bin/bzip2 | 12 | TOOLS_PLATFORM.bzip2?= /usr/bin/bzip2 | |
13 | TOOLS_PLATFORM.cat?= /bin/cat | 13 | TOOLS_PLATFORM.cat?= /bin/cat | |
14 | TOOLS_PLATFORM.chgrp?= /usr/bin/chgrp | 14 | TOOLS_PLATFORM.chgrp?= /usr/bin/chgrp | |
@@ -73,26 +73,30 @@ TOOLS_PLATFORM.msgconv?= /usr/bin/msgcon | @@ -73,26 +73,30 @@ TOOLS_PLATFORM.msgconv?= /usr/bin/msgcon | |||
73 | .if exists(/usr/bin/msgfmt) | 73 | .if exists(/usr/bin/msgfmt) | |
74 | TOOLS_PLATFORM.msgfmt?= /usr/bin/msgfmt | 74 | TOOLS_PLATFORM.msgfmt?= /usr/bin/msgfmt | |
75 | .endif | 75 | .endif | |
76 | .if exists(/usr/bin/msgmerge) | 76 | .if exists(/usr/bin/msgmerge) | |
77 | TOOLS_PLATFORM.msgmerge?= /usr/bin/msgmerge | 77 | TOOLS_PLATFORM.msgmerge?= /usr/bin/msgmerge | |
78 | .endif | 78 | .endif | |
79 | TOOLS_PLATFORM.mtree?= /usr/sbin/mtree | 79 | TOOLS_PLATFORM.mtree?= /usr/sbin/mtree | |
80 | TOOLS_PLATFORM.mv?= /bin/mv | 80 | TOOLS_PLATFORM.mv?= /bin/mv | |
81 | TOOLS_PLATFORM.nice?= /usr/bin/nice | 81 | TOOLS_PLATFORM.nice?= /usr/bin/nice | |
82 | TOOLS_PLATFORM.nroff?= /usr/bin/nroff | 82 | TOOLS_PLATFORM.nroff?= /usr/bin/nroff | |
83 | TOOLS_PLATFORM.openssl?= /usr/bin/openssl | 83 | TOOLS_PLATFORM.openssl?= /usr/bin/openssl | |
84 | TOOLS_PLATFORM.patch?= /usr/bin/patch | 84 | TOOLS_PLATFORM.patch?= /usr/bin/patch | |
85 | TOOLS_PLATFORM.pax?= /bin/pax | 85 | TOOLS_PLATFORM.pax?= /bin/pax | |
86 | .if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \ | |||
87 | empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64) | |||
88 | TOOLS_PLATFORM.paxctl?= /usr/sbin/paxctl | |||
89 | .endif | |||
86 | TOOLS_PLATFORM.printf?= /usr/bin/printf | 90 | TOOLS_PLATFORM.printf?= /usr/bin/printf | |
87 | TOOLS_PLATFORM.pwd?= /bin/pwd | 91 | TOOLS_PLATFORM.pwd?= /bin/pwd | |
88 | .if empty(USE_CROSS_COMPILE:M[yY][eE][sS]) | 92 | .if empty(USE_CROSS_COMPILE:M[yY][eE][sS]) | |
89 | TOOLS_PLATFORM.readelf?= /usr/bin/readelf | 93 | TOOLS_PLATFORM.readelf?= /usr/bin/readelf | |
90 | .else | 94 | .else | |
91 | TOOLS_PLATFORM.readelf?= ${TOOLDIR}/bin/${MACHINE_GNU_PLATFORM}-readelf | 95 | TOOLS_PLATFORM.readelf?= ${TOOLDIR}/bin/${MACHINE_GNU_PLATFORM}-readelf | |
92 | .endif | 96 | .endif | |
93 | TOOLS_PLATFORM.readlink?= /usr/bin/readlink | 97 | TOOLS_PLATFORM.readlink?= /usr/bin/readlink | |
94 | TOOLS_PLATFORM.rm?= /bin/rm | 98 | TOOLS_PLATFORM.rm?= /bin/rm | |
95 | TOOLS_PLATFORM.rmdir?= /bin/rmdir | 99 | TOOLS_PLATFORM.rmdir?= /bin/rmdir | |
96 | TOOLS_PLATFORM.sdiff?= /usr/bin/sdiff | 100 | TOOLS_PLATFORM.sdiff?= /usr/bin/sdiff | |
97 | TOOLS_PLATFORM.sed?= /usr/bin/sed | 101 | TOOLS_PLATFORM.sed?= /usr/bin/sed | |
98 | TOOLS_PLATFORM.sh?= /bin/sh | 102 | TOOLS_PLATFORM.sh?= /bin/sh |
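Review bot: The condition guarding `TOOLS_PLATFORM.paxctl` is always true: it ORs two `empty()` tests whose patterns cannot both match the same `MACHINE_PLATFORM`, so at least one is empty on every platform and paxctl is defined everywhere this file is used, not only on amd64/i386 as the commit message intends. The tests should be negated, `.if !empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-i386) || \` followed by `!empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)`. The first pattern as committed ends in `-386`, which looks like it would not match an `i386` platform string and is worth confirming. Because pax.mk keys off `defined(TOOLS_PLATFORM.paxctl)`, the too-wide definition makes the post-install step call `/usr/sbin/paxctl` on hosts that may not have it. Adding an `exists(/usr/sbin/paxctl)` test, as the neighbouring bzcat and msgfmt entries do, would cover that case.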