From 5e00841da0f8a9350827a73719ca04295dbb719f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 8 Jun 2017 15:23:20 +0100 Subject: [PATCH] Revert "Drop paxctl" This reverts commit ae666b0c234f9204b864292e044a0c8d182e58d2. Signed-off-by: Michael Tremer --- config/rootfiles/common/paxctl | 2 + lfs/clamav | 4 ++ lfs/grub | 4 ++ lfs/paxctl | 79 ++++++++++++++++++++++++++++++++++ lfs/qemu | 8 ++++ make.sh | 1 + 6 files changed, 98 insertions(+) create mode 100644 config/rootfiles/common/paxctl create mode 100644 lfs/paxctl diff --git a/config/rootfiles/common/paxctl b/config/rootfiles/common/paxctl new file mode 100644 index 0000000000..c9135a865d --- /dev/null +++ b/config/rootfiles/common/paxctl @@ -0,0 +1,2 @@ +sbin/paxctl +#usr/share/man/man1/paxctl.1 diff --git a/lfs/clamav b/lfs/clamav index 06ba0fcc4d..e91eb97c83 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -98,6 +98,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown clamav:clamav /var/run/clamav #install initscripts $(call INSTALL_INITSCRIPT,clamav) + # Disable PaX mprotect for clamd, clamscan and freshclam + paxctl -Cm /usr/sbin/clamd + paxctl -Cm /usr/bin/clamscan + paxctl -Cm /usr/bin/freshclam @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/grub b/lfs/grub index a054b8e50b..494fea9c53 100644 --- a/lfs/grub +++ b/lfs/grub @@ -100,6 +100,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -mkdir -pv /etc/default install -m 644 $(DIR_SRC)/config/grub2/default /etc/default/grub + # Disable hardening. + paxctl -Cmpes /usr/sbin/grub-bios-setup /usr/sbin/grub-probe + paxctl -Cmpexs /usr/bin/grub-script-check + # We don't need to install unifont just to generate a grub2 compatible # font archive for the graphical boot menu. The following command only # converts Latin-1, Latin Extended A+B, Arrows, Box and Block characters. diff --git a/lfs/paxctl b/lfs/paxctl new file mode 100644 index 0000000000..387f3842ed --- /dev/null +++ b/lfs/paxctl 
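Review bot: The comment above the three `paxctl -Cm` lines in lfs/clamav says what is switched off but not why, and these are the binaries that parse untrusted files (clamd, clamscan) and fetch updates over the network (freshclam). With MPROTECT off, W^X is no longer enforced for exactly the processes most exposed to memory-corruption bugs, so the exemption should be justified and kept as narrow as possible. I would record the reason in the recipe, e.g. `# MPROTECT off: <reason, presumably the bytecode JIT> needs writable+executable mappings`, and confirm that freshclam needs the flag on its own account rather than by analogy. The rule body starts above the hunk.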
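Review bot: `# Disable hardening.` in lfs/grub does not say which PaX features are turned off or why, and the two lines differ (`-Cmpes` versus `-Cmpexs`) with no explanation for the extra `x` on grub-script-check. Someone auditing the exemptions later cannot tell a deliberate choice from a copy-paste difference. A comment such as `# grub tools fail under PaX because <reason>; grub-script-check additionally needs RANDEXEC off because <reason>` would make the exemption reviewable. The recipe continues on both sides of the hunk.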
@@ -0,0 +1,79 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2016 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.9
+
+THISAPP = paxctl-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 9bea59b1987dc4e16c2d22d745374e64
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/qemu b/lfs/qemu index 4f827e8376..6d5f91926e 100644 --- a/lfs/qemu +++ b/lfs/qemu @@ -88,6 +88,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # install wrapper for old kvm parameter handling install -m 755 $(DIR_SRC)/config/qemu/qemu /usr/bin/qemu + # disable PaX MPROTECT and RANDMMAP + paxctl -cmr /usr/bin/qemu-system-arm + paxctl -cmr /usr/bin/qemu-system-i386 + paxctl -cmr /usr/bin/qemu-system-x86_64 + paxctl -cmr /usr/bin/qemu-arm + paxctl -cmr /usr/bin/qemu-i386 + paxctl -cmr /usr/bin/qemu-x86_64 + # install an udev script to set the permissions of /dev/kvm cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-kvm.rules diff --git a/make.sh b/make.sh index a0f2dffc28..641a5147cf 100755 --- a/make.sh +++ b/make.sh @@ -390,6 +390,7 @@ buildbase() { lfsmake2 udev lfsmake2 vim lfsmake2 xz + lfsmake2 paxctl } buildipfire() { -- 2.39.5
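Review bot: The only integrity pin on the downloaded tarball in lfs/paxctl is `$(DL_FILE)_MD5`, and MD5 is no longer considered adequate for verifying a download, which matters for a tool that rewrites protection flags on system binaries. Config is not part of this patch, so whether `$(CHECK)` and `$(LOAD)` can take a stronger digest is unknown from here; if they can, a SHA-256 or BLAKE2 value should be pinned as well. Separately, the recipe calls literal `make`; `cd $(DIR_APP) && $(MAKE) $(MAKETUNING)` and `cd $(DIR_APP) && $(MAKE) install` would keep `-n` and jobserver handling intact.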
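Review bot: The six lines added to lfs/qemu use lowercase `-c`, while the clamav and grub recipes in this same patch use `-C`; the two options obtain the PT_PAX_FLAGS header in different ways, so the difference should be either commented as intentional or made consistent. The comment also gives no reason for `r`: with RANDMMAP off, mmap randomisation is gone from processes that handle guest-controlled input, which weakens the mitigation for any memory-corruption bug reachable from a guest. I would state the reason per flag, e.g. `# MPROTECT off: <reason>; RANDMMAP off: <reason>`, and drop `r` if no concrete failure is known. The recipe continues on both sides of the hunk.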