From 0bb437aafad7f96ef47e93e299878a60f959821e Mon Sep 17 00:00:00 2001 From: auREAX Date: Thu, 4 Oct 2012 03:46:32 +0200 Subject: [PATCH] Add GRSecurity compatibility with --enable-pax-marks configure flag; add GRSecurity autodetection code to configure. --- configure | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++ mk/stage0.mk | 4 ++++ mk/target.mk | 4 ++++ 3 files changed, 63 insertions(+) diff --git a/configure b/configure index 9f3ecddefe1..07e22bed8d6 100755 --- a/configure +++ b/configure @@ -295,6 +295,7 @@ opt manage-submodules 1 "let the build manage the git submodules" opt mingw-cross 0 "cross-compile for win32 using mingw" opt clang 0 "prefer clang to gcc for building the runtime" opt local-rust 0 "use an installed rustc rather than downloading a snapshot" +opt pax-marks 0 "apply PaX markings to rustc binaries (required for GRSecurity/PaX-patched kernels)" valopt prefix "/usr/local" "set installation prefix" valopt local-rust-root "/usr/local" "set prefix for local rust binary" valopt llvm-root "" "set LLVM root" @@ -343,6 +344,8 @@ probe CFG_PDFLATEX pdflatex probe CFG_XETEX xetex probe CFG_LUATEX luatex probe CFG_NODE nodejs node +probe CFG_PAXCTL paxctl /sbin/paxctl +probe CFG_ZCAT zcat if [ ! -z "$CFG_PANDOC" ] then @@ -354,6 +357,52 @@ then fi fi +if [ "$CFG_OSTYPE" = "unknown-linux-gnu" ] +then + if [ ! -z "$CFG_ENABLE_PAX_MARKS" -a -z "$CFG_PAXCTL" ] + then + err "enabled PaX markings but no paxctl binary found" + fi + + if [ -z "$CFG_DISABLE_PAX_MARKS" ] + then + # GRSecurity/PaX detection. This can be very flaky. + GRSEC_DETECTED= + + # /dev/grsec only exists if CONFIG_GRKERNSEC_NO_RBAC is not set. + # /proc is normally only available to root and users in the CONFIG_GRKERNSEC_PROC_GID group, + # and /proc/sys/kernel/grsecurity is not available if ÇONFIG_GRKERNSEC_SYSCTL is not set. + if [ -e /dev/grsec -o -d /proc/sys/kernel/grsecurity ] + then + GRSEC_DETECTED=1 + # /proc/config.gz is normally only available to root, and only if CONFIG_IKCONFIG_PROC has been set. + elif [ -r /proc/config.gz -a ! -z "$CFG_ZCAT" ] + then + if "$CFG_ZCAT" /proc/config.gz | grep --quiet "CONFIG_GRKERNSEC=y" + then + GRSEC_DETECTED=1 + fi + # Flaky. + elif grep --quiet grsec /proc/version + then + GRSEC_DETECTED=1 + fi + + if [ ! -z "$GRSEC_DETECTED" ] + then + step_msg "GRSecurity: yes" + if [ ! -z "$CFG_PAXCTL" ] + then + CFG_ENABLE_PAX_MARKS=1 + else + warn "GRSecurity kernel detected but no paxctl binary found: not setting CFG_ENABLE_PAX_MARKS" + fi + else + step_msg "GRSecurity: no" + fi + fi +fi + if [ ! -z "$CFG_ENABLE_LOCAL_RUST" ] then if [ ! -f ${CFG_LOCAL_RUST_ROOT}/bin/rustc ] @@ -699,6 +748,12 @@ putvar CFG_C_COMPILER putvar CFG_LIBDIR putvar CFG_DISABLE_MANAGE_SUBMODULES +if [ ! -z "$CFG_ENABLE_PAX_MARKS" ] +then + putvar CFG_ENABLE_PAX_MARKS + putvar CFG_PAXCTL +fi + if [ ! -z $BAD_PANDOC ] then CFG_PANDOC= diff --git a/mk/stage0.mk b/mk/stage0.mk index e55b9f70c8f..fae6b3742f8 100644 --- a/mk/stage0.mk +++ b/mk/stage0.mk @@ -12,6 +12,10 @@ ifdef CFG_ENABLE_LOCAL_RUST $(Q)$(S)src/etc/local_stage0.sh $(CFG_HOST_TRIPLE) $(CFG_LOCAL_RUST_ROOT) else $(Q)$(S)src/etc/get-snapshot.py $(CFG_HOST_TRIPLE) $(SNAPSHOT_FILE) +ifdef CFG_ENABLE_PAX_MARKS + @$(call E, apply PaX markings: $@) + @"$(CFG_PAXCTL)" -cm "$@" +endif endif $(Q)touch $@ diff --git a/mk/target.mk b/mk/target.mk index 5ddc825d335..458d2a4ac63 100644 --- a/mk/target.mk +++ b/mk/target.mk @@ -29,6 +29,10 @@ $$(TBIN$(1)_T_$(2)_H_$(3))/rustc$$(X): \ $$(TLIBRUSTC_DEFAULT$(1)_T_$(2)_H_$(3)) @$$(call E, compile_and_link: $$@) $$(STAGE$(1)_T_$(2)_H_$(3)) -o $$@ $$< +ifdef CFG_ENABLE_PAX_MARKS + @$$(call E, apply PaX markings: $$@) + @"$(CFG_PAXCTL)" -cm "$$@" +endif $$(TLIB$(1)_T_$(2)_H_$(3))/$$(CFG_LIBRUSTC): \ $$(COMPILER_CRATE) $$(COMPILER_INPUTS) \