Thu May 26 16:03:04 2016 UTC ()
Import mini-framework for paxctl(8) on NetBSD/{amd64,i386}

This allows setting flags for PaX on select binaries. Two new variables
are introduced for packages: NOT_PAX_ASLR_SAFE and NOT_PAX_MPROTECT_SAFE.
They both expect a list of binaries that are known to not support PaX ASLR
and/or PaX MPROTECT, respectively.

"Please commit" wiz@


(khorben)
diff -r1.2018 -r1.2019 pkgsrc/mk/bsd.pkg.mk
diff -r0 -r1.1 pkgsrc/mk/pax.mk
diff -r1.57 -r1.58 pkgsrc/mk/tools/tools.NetBSD.mk

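--- a/pkgsrc/mk/bsd.pkg.mk
+++ b/pkgsrc/mk/bsd.pkg.mk
@@ -1,14 +1,14 @@
-# $NetBSD: bsd.pkg.mk,v 1.2018 2016/03/23 11:50:01 jperkin Exp $
+# $NetBSD: bsd.pkg.mk,v 1.2019 2016/05/26 16:03:04 khorben Exp $
 #
 # This file is in the public domain.
 #
 # Please see the pkgsrc/doc/guide manual for details on the
 # variables used in this make file template.
 #
 # Default sequence for "all" is:
 #
 # bootstrap-depends
 # fetch
 # checksum
 # depends
 # tools
@@ -668,26 +668,30 @@ lint:
 # List of flags to pass to pkg_add(1) for bin-install:
 
 BIN_INSTALL_FLAGS?= # -v
 _BIN_INSTALL_FLAGS= ${BIN_INSTALL_FLAGS}
 .if defined(_AUTOMATIC) && !empty(_AUTOMATIC:M[Yy][Ee][Ss])
 _BIN_INSTALL_FLAGS+= -A
 .endif
 _BIN_INSTALL_FLAGS+= ${PKG_ARGS_ADD}
 
 _SHORT_UNAME_R= ${:!${UNAME} -r!:C@\.([0-9]*)[_.-].*@.\1@} # n.n[_.]anything => n.n
 
 .include "install/bin-install.mk"
 
+# Handle PaX flags
+#
+.include "pax.mk"
+
 .PHONY: show-pkgtools-version
 .if !target(show-pkgtools-version)
 show-pkgtools-version:
  @${ECHO} ${PKGTOOLS_VERSION}
 .endif
 
 # convenience target, to display make variables from command line
 # i.e. "make show-var VARNAME=var", will print var's value
 #
 # See also:
 # show-vars, show-subdir-var
 #
 .PHONY: show-var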

File Added: pkgsrc/mk/pax.mk
# $NetBSD: pax.mk,v 1.1 2016/05/26 16:03:04 khorben Exp $
#
# Infrastructure support for binaries known to fail with PaX enabled.
#
# User-settable variables:
# PAXCTL
#	The path to the paxctl(8) binary
#
# Package-settable variables:
#
# NOT_PAX_ASLR_SAFE
#	The list of binaries which do not support PaX ASLR.
#
# NOT_PAX_MPROTECT_SAFE
#	The list of binaries which do not support PaX MPROTECT.

.if !defined(PAX_MK)

. if defined(TOOLS_PLATFORM.paxctl)
PAXCTL=	${TOOLS_PLATFORM.paxctl}
.  if !empty(NOT_PAX_ASLR_SAFE)
_INSTALL_ALL_TARGETS+=		post-install-pax-aslr-binaries

.PHONY: post-install-pax-aslr-binaries
post-install: post-install-pax-aslr-binaries
post-install-pax-aslr-binaries:
	@${STEP_MSG} "Setting PaX ASLR flags"
	${RUN}								\
	for binary in ${NOT_PAX_ASLR_SAFE}; do				\
		${PAXCTL} +a ${DESTDIR}${PREFIX}/$$binary;		\
	done
.  endif

.  if !empty(NOT_PAX_MPROTECT_SAFE)
_INSTALL_ALL_TARGETS+=		post-install-pax-mprotect-binaries

.PHONY: post-install-pax-mprotect-binaries
post-install: post-install-pax-mprotect-binaries
post-install-pax-mprotect-binaries:
	@${STEP_MSG} "Setting PaX MPROTECT flags"
	${RUN}								\
	for binary in ${NOT_PAX_MPROTECT_SAFE}; do			\
		${PAXCTL} +m ${DESTDIR}${PREFIX}/$$binary;		\
	done
.  endif
. endif

.endif
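Review bot: The multiple-inclusion guard `.if !defined(PAX_MK)` never takes effect, because nothing in the file defines PAX_MK; a second `.include` would append the hooks to `_INSTALL_ALL_TARGETS` again and redeclare both targets, so add `PAX_MK= defined` directly under the guard. `PAXCTL= ${TOOLS_PLATFORM.paxctl}` would also override a value set earlier (for example in mk.conf) although the header lists PAXCTL as user-settable; `PAXCTL?= ${TOOLS_PLATFORM.paxctl}` would match the documentation. Because these recipes mark installed binaries as exempt from ASLR or MPROTECT (as I read the `+a`/`+m` flags in paxctl(8)), the header comment should say that entries are paths relative to `${PREFIX}` and that the lists should name only the binaries that actually fail, not a whole package. The path argument is also safer quoted, `"${DESTDIR}${PREFIX}/$$binary"`, in both loops.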

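--- a/pkgsrc/mk/tools/tools.NetBSD.mk
+++ b/pkgsrc/mk/tools/tools.NetBSD.mk
@@ -1,14 +1,14 @@
-# $NetBSD: tools.NetBSD.mk,v 1.57 2015/09/08 11:36:34 jperkin Exp $
+# $NetBSD: tools.NetBSD.mk,v 1.58 2016/05/26 16:03:04 khorben Exp $
 #
 # System-supplied tools for the NetBSD operating system.
 
 TOOLS_PLATFORM.[?= [ # shell builtin
 TOOLS_PLATFORM.awk?= /usr/bin/awk
 TOOLS_PLATFORM.basename?= /usr/bin/basename
 TOOLS_PLATFORM.byacc?= /usr/bin/yacc
 .if exists(/usr/bin/bzcat)
 TOOLS_PLATFORM.bzcat?= /usr/bin/bzcat
 .endif
 TOOLS_PLATFORM.bzip2?= /usr/bin/bzip2
 TOOLS_PLATFORM.cat?= /bin/cat
 TOOLS_PLATFORM.chgrp?= /usr/bin/chgrp
@@ -73,26 +73,30 @@ TOOLS_PLATFORM.msgconv?= /usr/bin/msgcon
 .if exists(/usr/bin/msgfmt)
 TOOLS_PLATFORM.msgfmt?= /usr/bin/msgfmt
 .endif
 .if exists(/usr/bin/msgmerge)
 TOOLS_PLATFORM.msgmerge?= /usr/bin/msgmerge
 .endif
 TOOLS_PLATFORM.mtree?= /usr/sbin/mtree
 TOOLS_PLATFORM.mv?= /bin/mv
 TOOLS_PLATFORM.nice?= /usr/bin/nice
 TOOLS_PLATFORM.nroff?= /usr/bin/nroff
 TOOLS_PLATFORM.openssl?= /usr/bin/openssl
 TOOLS_PLATFORM.patch?= /usr/bin/patch
 TOOLS_PLATFORM.pax?= /bin/pax
+.if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \
+ empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)
+TOOLS_PLATFORM.paxctl?= /usr/sbin/paxctl
+.endif
 TOOLS_PLATFORM.printf?= /usr/bin/printf
 TOOLS_PLATFORM.pwd?= /bin/pwd
 .if empty(USE_CROSS_COMPILE:M[yY][eE][sS])
 TOOLS_PLATFORM.readelf?= /usr/bin/readelf
 .else
 TOOLS_PLATFORM.readelf?= ${TOOLDIR}/bin/${MACHINE_GNU_PLATFORM}-readelf
 .endif
 TOOLS_PLATFORM.readlink?= /usr/bin/readlink
 TOOLS_PLATFORM.rm?= /bin/rm
 TOOLS_PLATFORM.rmdir?= /bin/rmdir
 TOOLS_PLATFORM.sdiff?= /usr/bin/sdiff
 TOOLS_PLATFORM.sed?= /usr/bin/sed
 TOOLS_PLATFORM.sh?= /bin/sh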
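Review bot: The condition on the added `.if` is always true: `empty(A) || empty(B)` holds whenever either pattern fails to match, and MACHINE_PLATFORM cannot match both the `-386` and the `-x86_64` pattern at once, so `TOOLS_PLATFORM.paxctl` ends up defined on every NetBSD release and architecture. Since pax.mk keys on `defined(TOOLS_PLATFORM.paxctl)`, the paxctl recipes then run wherever a package sets NOT_PAX_ASLR_SAFE or NOT_PAX_MPROTECT_SAFE, including systems that may not ship /usr/sbin/paxctl. The test presumably wants `.if !empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-i386) || \` followed by `!empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)`; the first pattern also needs `-i386`, because `-386` does not match a platform string of the usual OPSYS-version-arch form ending in `-i386`. An `exists(/usr/sbin/paxctl)` test, as this file already uses for bzcat, would additionally cover hosts where the tool is absent.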