Revert "Drop paxctl"
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 8 Jun 2017 14:23:20 +0000 (15:23 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 14 Jun 2017 14:52:33 +0000 (15:52 +0100)
This reverts commit ae666b0c234f9204b864292e044a0c8d182e58d2.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/common/paxctl [new file with mode: 0644]
lfs/clamav
lfs/grub
lfs/paxctl [new file with mode: 0644]
lfs/qemu
make.sh

diff --git a/config/rootfiles/common/paxctl b/config/rootfiles/common/paxctl
new file mode 100644 (file)
index 0000000..c9135a8
--- /dev/null
@@ -0,0 +1,2 @@
+sbin/paxctl
+#usr/share/man/man1/paxctl.1
index 06ba0fcc4df2160f0c2430e4c5eeb3b5b6e12494..e91eb97c83881a5135bdc1091226e79438fb279b 100644 (file)
@@ -98,6 +98,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        chown clamav:clamav /var/run/clamav
        #install initscripts
        $(call INSTALL_INITSCRIPT,clamav)
+       # Disable PaX mprotect for clamd, clamscan and freshclam
+       paxctl -Cm /usr/sbin/clamd
+       paxctl -Cm /usr/bin/clamscan
+       paxctl -Cm /usr/bin/freshclam
 
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
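Review bot: The added `paxctl -Cm` lines turn off PaX MPROTECT on clamd, clamscan and freshclam, and the comment says what is disabled but not why; clamd and clamscan are the processes that parse untrusted files, so this is the exemption a later auditor will most want justified. I would extend the comment to name the component that needs writable-and-executable memory (presumably the bytecode JIT, to be confirmed), e.g. `# MPROTECT off: <component> maps W+X memory; re-check when <component> changes`. It is also worth confirming that freshclam needs the exemption at all, since every marked binary loses that protection. The grub and qemu hunks in this commit lack a rationale in the same way. The recipe for `$(TARGET)` starts and ends outside this hunk.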
index a054b8e50b73df89a574aecd0052d0bd47286772..494fea9c533cd61360072a1a5a6b69c7290ff8b2 100644 (file)
--- a/lfs/grub
+++ b/lfs/grub
@@ -100,6 +100,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        -mkdir -pv /etc/default
        install -m 644 $(DIR_SRC)/config/grub2/default /etc/default/grub
 
+       # Disable hardening.
+       paxctl -Cmpes /usr/sbin/grub-bios-setup /usr/sbin/grub-probe
+       paxctl -Cmpexs /usr/bin/grub-script-check
+
        # We don't need to install unifont just to generate a grub2 compatible
        # font archive for the graphical boot menu. The following command only
        # converts Latin-1, Latin Extended A+B, Arrows, Box and Block characters.
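Review bot: `# Disable hardening.` hides that the two added lines use different flag sets: `-Cmpes` switches off MPROTECT, PAGEEXEC, EMUTRAMP and SEGMEXEC, and `-Cmpexs` on grub-script-check additionally switches off RANDEXEC, with nothing explaining the extra `x`. A comment that names the flags would make the difference visible, e.g. `# PaX: MPROTECT, PAGEEXEC, SEGMEXEC, EMUTRAMP off (plus RANDEXEC for grub-script-check)`. If the extra flag is not intentional, one flag set for all three binaries would be simpler to audit. The recipe continues outside the hunk.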
diff --git a/lfs/paxctl b/lfs/paxctl
new file mode 100644 (file)
index 0000000..387f384
--- /dev/null
@@ -0,0 +1,79 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2016  IPFire Team  <info@ipfire.org>                          #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 0.9
+
+THISAPP    = paxctl-$(VER)
+DL_FILE    = $(THISAPP).tar.gz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 9bea59b1987dc4e16c2d22d745374e64
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist: 
+       @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+       @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+       @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+       @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+       @$(PREBUILD)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && make $(MAKETUNING)
+       cd $(DIR_APP) && make install
+       @rm -rf $(DIR_APP)
+       @$(POSTBUILD)
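Review bot: `$(DL_FILE)_MD5` is the only integrity value this file records for paxctl-0.9.tar.gz, and MD5 is collision-broken and no longer recommended for verifying downloads, which matters for a tarball that the `$(TARGET)` recipe builds and installs with `make install`. How `$(CHECK)`, `$(LOAD)` and `$(MD5)` consume the value is defined in the included `Config`, which is not on this page, so whether a stronger digest can be recorded here is something to confirm there. If it can, add it next to the MD5 line; if not, a comment such as `# MD5 is the only digest the build framework checks; verify the tarball out of band when updating VER` would at least make the limitation explicit.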
index 4f827e837657b2c9d717be1eddc68d8dd3178959..6d5f91926eb90c56f3255c59b6cf3161962cd349 100644 (file)
--- a/lfs/qemu
+++ b/lfs/qemu
@@ -88,6 +88,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # install wrapper for old kvm parameter handling
        install -m 755 $(DIR_SRC)/config/qemu/qemu /usr/bin/qemu
 
+       # disable PaX MPROTECT and RANDMMAP
+       paxctl -cmr /usr/bin/qemu-system-arm
+       paxctl -cmr /usr/bin/qemu-system-i386
+       paxctl -cmr /usr/bin/qemu-system-x86_64
+       paxctl -cmr /usr/bin/qemu-arm
+       paxctl -cmr /usr/bin/qemu-i386
+       paxctl -cmr /usr/bin/qemu-x86_64
+
        # install an udev script to set the permissions of /dev/kvm
        cp -avf $(DIR_SRC)/config/qemu/65-kvm.rules /lib/udev/rules.d/65-kvm.rules
 
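Review bot: These six lines call `paxctl -cmr`, while the clamav and grub hunks in this commit use `-C`; as far as I know `-c` creates a PT_PAX_FLAGS program header and `-C` converts PT_GNU_STACK into one, so the two forms behave differently on a binary that has no such header yet. Pick one form deliberately and say so in the comment, which should also give the reason RANDMMAP is turned off as well as MPROTECT, e.g. `# PaX: MPROTECT and RANDMMAP off for <reason>; -c creates PT_PAX_FLAGS if missing`. The six binary names are hard-coded; whether all of them are built depends on the configure options, which are outside this hunk, and a missing file would presumably fail the recipe at that line.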
diff --git a/make.sh b/make.sh
index a0f2dffc28ead574ca2ae5be08dcb11c6782e8c8..641a5147cffd81523f80e7d15c888f519f7b8841 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -390,6 +390,7 @@ buildbase() {
     lfsmake2 udev
     lfsmake2 vim
     lfsmake2 xz
+    lfsmake2 paxctl
 }
 
 buildipfire() {