[v3,1/1] paxtest: new package

Submitted by Matt Weber on July 7, 2017, 11:44 a.m.

Details

Message ID 1499427897-36149-1-git-send-email-matthew.weber@rockwellcollins.com
State Accepted

Commit Message

Matt Weber July 7, 2017, 11:44 a.m.
PaX regression test suite

Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes v2 -> v3
[Arnout V
 - Add Config.in comment when glibc toolchain not used
 - Removed PAXTEST_SOURCE assignment as it was default
 - Updated ARMv# patch to be anything less than v7 instead of
   a range from 4-7
 - Tested that TARGET_CONFIGURE_OPTS could be used and added it in
 - Updated LD= to use TARGET_CC and enclosed in quotes

Changes v1 -> v2
[Matt W
 - Ran check-package script against all pkg files
 - Added new patch to fix alignment build failure on ARM/NIOS2

[Thomas P
 - Added DEVELOPERS
 - Commented about GLIBC depends and ran test-pkg to verify
   why.
 - Added URL in Config.in
 - Updated pkg to 0.9.15 and refactored move log location patch
 - Cleaned up MAKE OPTS use and added MAKE ENV
---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 .../0001-genpaxtest-move-log-location.patch        | 30 +++++++++++++
 ...paxtest-page-alignment-ARM-and-NIOS2-arch.patch | 49 ++++++++++++++++++++++
 package/paxtest/Config.in                          | 11 +++++
 package/paxtest/paxtest.hash                       |  2 +
 package/paxtest/paxtest.mk                         | 25 +++++++++++
 7 files changed, 119 insertions(+)
 create mode 100644 package/paxtest/0001-genpaxtest-move-log-location.patch
 create mode 100644 package/paxtest/0002-paxtest-page-alignment-ARM-and-NIOS2-arch.patch
 create mode 100644 package/paxtest/Config.in
 create mode 100644 package/paxtest/paxtest.hash
 create mode 100644 package/paxtest/paxtest.mk

Comments

Thomas Petazzoni July 22, 2017, 1:35 p.m.
Hello,

On Fri,  7 Jul 2017 06:44:57 -0500, Matt Weber wrote:
> PaX regression test suite
> 
> Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> Changes v2 -> v3
> [Arnout V
>  - Add Config.in comment when glibc toolchain not used
>  - Removed PAXTEST_SOURCE assignment as it was default
>  - Updated ARMv# patch to be anything less than v7 instead of
>    a range from 4-7
>  - Tested that TARGET_CONFIGURE_OPTS could be used and added it in
>  - Updated LD= to use TARGET_CC and enclosed in quotes

Applied to master, thanks. However, I have to say I very much dislike
the fact that a bunch of executable programs are installed right
into /usr/lib and not /usr/lib/paxtest or something like that. But
apparently RUNDIR is used to install both an actual shared library
(which must be in /usr/lib) and those executable programs.

Perhaps we could set RUNDIR=/usr/lib/paxtest, and as a post install
hook, move the single shared library being installed back
into /usr/lib ?

Could you test doing this ?

Since I've applied the patch, it should obviously be done by follow-up
patches, based on the latest master.

Thanks!

Thomas

Matt Weber July 22, 2017, 9:42 p.m.
Thomas,

On Sat, Jul 22, 2017 at 8:35 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Fri,  7 Jul 2017 06:44:57 -0500, Matt Weber wrote:
>> PaX regression test suite
>>
>> Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
>> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
>> ---
>> Changes v2 -> v3
>> [Arnout V
>>  - Add Config.in comment when glibc toolchain not used
>>  - Removed PAXTEST_SOURCE assignment as it was default
>>  - Updated ARMv# patch to be anything less than v7 instead of
>>    a range from 4-7
>>  - Tested that TARGET_CONFIGURE_OPTS could be used and added it in
>>  - Updated LD= to use TARGET_CC and enclosed in quotes
>
> Applied to master, thanks. However, I have to say I very much dislike
> the fact that a bunch of executable programs are installed right
> into /usr/lib and not /usr/lib/paxtest or something like that. But
> apparently RUNDIR is used to install both an actual shared library
> (which must be in /usr/lib) and those executable programs.
>
> Perhaps we could set RUNDIR=/usr/lib/paxtest, and as a post install
> hook, move the single shared library being installed back
> into /usr/lib ?
>
> Could you test doing this ?
>

Sure, will take a look.
Matt

Matt Weber July 23, 2017, 2:03 a.m.
Thomas,

On Sat, Jul 22, 2017 at 4:42 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Thomas,
>
> On Sat, Jul 22, 2017 at 8:35 AM, Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com> wrote:
>> Hello,
>>
>> On Fri,  7 Jul 2017 06:44:57 -0500, Matt Weber wrote:
>>> PaX regression test suite
>>>
>>> Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
>>> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
>>> ---
>>> Changes v2 -> v3
>>> [Arnout V
>>>  - Add Config.in comment when glibc toolchain not used
>>>  - Removed PAXTEST_SOURCE assignment as it was default
>>>  - Updated ARMv# patch to be anything less than v7 instead of
>>>    a range from 4-7
>>>  - Tested that TARGET_CONFIGURE_OPTS could be used and added it in
>>>  - Updated LD= to use TARGET_CC and enclosed in quotes
>>
>> Applied to master, thanks. However, I have to say I very much dislike
>> the fact that a bunch of executable programs are installed right
>> into /usr/lib and not /usr/lib/paxtest or something like that. But
>> apparently RUNDIR is used to install both an actual shared library
>> (which must be in /usr/lib) and those executable programs.
>>
>> Perhaps we could set RUNDIR=/usr/lib/paxtest, and as a post install
>> hook, move the single shared library being installed back
>> into /usr/lib ?
>>
>> Could you test doing this ?
>>
>

Looks like the /usr/bin/paxtest script (which uses the items installed
into RUNDIR) includes handling for LD_LIBRARY_PATH.  So we can just
update the RUNDIR location and everything falls into place for test
apps and shared libs.

https://patchwork.ozlabs.org/patch/792516/

Matt

Patch

diff --git a/DEVELOPERS b/DEVELOPERS
index 4faa1a8..1edeb67 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1143,6 +1143,7 @@  F:	package/libsepol/
 F:	package/libqmi/
 F:	package/nginx-upload/
 F:	package/omniorb/
+F:	package/paxtest/
 F:	package/policycoreutils/
 F:	package/python-ipy/
 F:	package/python-posix-ipc/
diff --git a/package/Config.in b/package/Config.in
index 46c78a0..c97da17 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1788,6 +1788,7 @@  endmenu
 
 menu "Security"
 	source "package/checkpolicy/Config.in"
+	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
 	source "package/sepolgen/Config.in"
diff --git a/package/paxtest/0001-genpaxtest-move-log-location.patch b/package/paxtest/0001-genpaxtest-move-log-location.patch
new file mode 100644
index 0000000..6447d53
--- /dev/null
+++ b/package/paxtest/0001-genpaxtest-move-log-location.patch
@@ -0,0 +1,30 @@ 
+From 623d99e4f557ef9cd771006e4f916c12d22a07a8 Mon Sep 17 00:00:00 2001
+From: David Graziano <david.graziano@rockwellcollins.com>
+Date: Mon, 12 Jun 2017 10:41:45 -0500
+Subject: [PATCH] genpaxtest: move log location
+
+Move log location to /var/log instead of local directory.
+(For read-only filesystems)
+
+Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
+---
+ genpaxtest | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/genpaxtest b/genpaxtest
+index 5a22e15..d62b15e 100644
+--- a/genpaxtest
++++ b/genpaxtest
+@@ -35,7 +35,7 @@
+        exit 1
+ fi
+
+-LOG=\$HOME/paxtest.log
++LOG=/var/log/paxtest.log
+ [ -n "\$1" ] && LOG=\$1
+ touch "\$LOG"
+ if [ ! -e "\$LOG" ]; then
+ 
+-- 
+1.9.1
+
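Review bot: The embedded patch's diffstat (`genpaxtest | 14 +++++++-------`, 7 insertions and 7 deletions) does not match its only hunk, which changes a single line (`LOG=\$HOME/paxtest.log` to `LOG=/var/log/paxtest.log`); regenerate the patch so that header and body agree, or restore the missing hunks. The new default also assumes /var/log is writable by whoever runs the script: the commit message gives read-only filesystems as the reason, so state in the description that /var/log must be writable on the target and that other setups can still pass the log path as `$1`.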
diff --git a/package/paxtest/0002-paxtest-page-alignment-ARM-and-NIOS2-arch.patch b/package/paxtest/0002-paxtest-page-alignment-ARM-and-NIOS2-arch.patch
new file mode 100644
index 0000000..54e5e69
--- /dev/null
+++ b/package/paxtest/0002-paxtest-page-alignment-ARM-and-NIOS2-arch.patch
@@ -0,0 +1,49 @@ 
+From 70406ad5668a15fedce2ae1ed3bc4fad04d9f040 Mon Sep 17 00:00:00 2001
+From: Matt Weber <matthew.weber@rockwellcollins.com>
+Date: Wed, 5 Jul 2017 20:47:42 -0500
+Subject: [PATCH] paxtest: page alignment ARM and NIOS2 arch
+
+- Extended ARM range from ARMv6-v7 to also include anything below v7
+- Added NIOS2 arch to conditionally have smaller alignment
+
+Submitted Upstream to pageexec@freemail.hu.  Also posted a
+bug to both (Hardened) Suse and Gentoo's bugtrackers.
+https://bugzilla.opensuse.org/show_bug.cgi?id=1047422
+https://bugs.gentoo.org/show_bug.cgi?id=623946
+
+Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
+---
+ paxtest.h | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/paxtest.h b/paxtest.h
+index 8623bfb..a230c1a 100644
+--- a/paxtest.h
++++ b/paxtest.h
+@@ -5,13 +5,21 @@
+ #include <unistd.h>
+ 
+ /*
+- * ARMv6 and ARMv7 do not like 64k alignment, 32k is ok
++ * Earlier ARMv# through ARMv7 do not like 64k alignment, 32k is ok
+  */
+-#if defined(__arm__) && __ARM_ARCH >= 6 && __ARM_ARCH <= 7
++#if defined(__arm__) && __ARM_ARCH <= 7
+ #define PAGE_SIZE_MAX  (32768)
+ #else
+ #define PAGE_SIZE_MAX	0x10000	/* 64k should cover most arches */
+ #endif
++
++/*
++ * NIOS2's assemblier doesn't like 64k alignment
++ */
++#if defined(__nios2_arch__)
++#define PAGE_SIZE_MAX  (32768)
++#endif
++
+ #ifndef __aligned
+ #define __aligned(x)	__attribute__((aligned(x)))
+ #endif
+-- 
+1.9.1
+
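Review bot: The new `#if defined(__nios2_arch__)` block defines PAGE_SIZE_MAX a second time: on NIOS2 the preceding `#else` branch has already set it to 0x10000, so the macro is redefined with a different value, which the compiler will diagnose. Fold the architecture test into the first condition, for example `#if (defined(__arm__) && __ARM_ARCH <= 7) || defined(__nios2_arch__)`, or put `#undef PAGE_SIZE_MAX` before the second define. The added comment also misspells "assembler" as "assemblier".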
diff --git a/package/paxtest/Config.in b/package/paxtest/Config.in
new file mode 100644
index 0000000..1e09820
--- /dev/null
+++ b/package/paxtest/Config.in
@@ -0,0 +1,11 @@ 
+config BR2_PACKAGE_PAXTEST
+	bool "paxtest"
+	# No UCLIBC or MUSL because __NO_A_OUT_SUPPORT
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	help
+	  PaX regression test suite
+
+	  http://pax.grsecurity.net/docs
+
+comment "paxtest needs a glibc toolchain"
+	depends on !BR2_TOOLCHAIN_USES_GLIBC
diff --git a/package/paxtest/paxtest.hash b/package/paxtest/paxtest.hash
new file mode 100644
index 0000000..c10566c
--- /dev/null
+++ b/package/paxtest/paxtest.hash
@@ -0,0 +1,2 @@ 
+# Locally computed:
+sha256	d553848431fd8c2ab6c8361b62e5cedfed1cc1d60088241f4a33d2af15dd667f	paxtest-0.9.15.tar.gz
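Review bot: The only integrity check for paxtest-0.9.15.tar.gz is a sha256 marked `# Locally computed:`, so it pins the tarball the submitter downloaded rather than a value published by upstream. If upstream publishes a checksum or signature for this release, verify the tarball against it and say so in the comment.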
diff --git a/package/paxtest/paxtest.mk b/package/paxtest/paxtest.mk
new file mode 100644
index 0000000..5eaee86
--- /dev/null
+++ b/package/paxtest/paxtest.mk
@@ -0,0 +1,25 @@ 
+################################################################################
+#
+# paxtest
+#
+################################################################################
+
+PAXTEST_VERSION = 0.9.15
+PAXTEST_SITE = https://www.grsecurity.net/~spender
+PAXTEST_LICENSE = GPL-2.0+
+PAXTEST_LICENSE_FILES = README
+
+define PAXTEST_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
+		CC="$(TARGET_CC)" LD="$(TARGET_CC)" linux
+endef
+
+define PAXTEST_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) \
+		CC="$(TARGET_CC)" LD="$(TARGET_CC)" \
+		DESTDIR=$(TARGET_DIR) \
+		BINDIR="usr/bin" \
+		RUNDIR="usr/lib" -f Makefile.psm install
+endef
+
+$(eval $(generic-package))
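Review bot: `RUNDIR="usr/lib"` in PAXTEST_INSTALL_TARGET_CMDS places everything Makefile.psm installs under RUNDIR directly in the target's usr/lib; a package-private directory such as usr/lib/paxtest would keep the test programs out of the shared library directory. BINDIR and RUNDIR are also given without a leading slash while DESTDIR is an absolute path, so confirm that Makefile.psm joins them with a separator and that the relative form is what the installed paxtest script expects at run time.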