
[src/netbsd-10]: src/usr.sbin/paxctl Pull up following revision(s) (requested...



details:   https://anonhg.NetBSD.org/src/rev/24fbaa2db0d4
branches:  netbsd-10
changeset: 376659:24fbaa2db0d4
user:      martin <martin%NetBSD.org@localhost>
date:      Tue Jun 27 18:20:18 2023 +0000

description:
Pull up following revision(s) (requested by rin in ticket #215):

        usr.sbin/paxctl/paxctl.8: revision 1.17
        usr.sbin/paxctl/paxctl.8: revision 1.18
        usr.bin/crunch/crunchgen/crunchgen.c: revision 1.95
        usr.sbin/paxctl/paxctl.c: revision 1.13

paxctl(8): Introduce -0 option to clear all PaX flag bits in ELF note.
Part of PR toolchain/52675

crunchgen(1): Clear PaX flags instead of removing its ELF note section.
The latter results in zero-filled hole in ELF note segment for EARM,
where PaX section is not located at the bottom of that segment (see
src/lib/csu/sysident.S). Fortunately, this hole does not cause real
harms for our in-kernel ELF note parser, except for noisy warnings on
DIAGNOSTIC kernels.

Bump CRUNCH_VERSION.

PR toolchain/52675

Use Fl for options.

diffstat:

 usr.bin/crunch/crunchgen/crunchgen.c |  11 +++++----
 usr.sbin/paxctl/paxctl.8             |  11 ++++++---
 usr.sbin/paxctl/paxctl.c             |  42 ++++++++++++++++++++++++-----------
 3 files changed, 42 insertions(+), 22 deletions(-)

diffs (188 lines):

diff -r 0f92d3a082e9 -r 24fbaa2db0d4 usr.bin/crunch/crunchgen/crunchgen.c
--- a/usr.bin/crunch/crunchgen/crunchgen.c      Tue Jun 27 18:09:43 2023 +0000
+++ b/usr.bin/crunch/crunchgen/crunchgen.c      Tue Jun 27 18:20:18 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: crunchgen.c,v 1.94 2019/12/29 18:26:16 christos Exp $  */
+/*     $NetBSD: crunchgen.c,v 1.94.8.1 2023/06/27 18:20:18 martin Exp $        */
 /*
  * Copyright (c) 1994 University of Maryland
  * All Rights Reserved.
@@ -38,7 +38,7 @@
 
 #include <sys/cdefs.h>
 #if !defined(lint)
-__RCSID("$NetBSD: crunchgen.c,v 1.94 2019/12/29 18:26:16 christos Exp $");
+__RCSID("$NetBSD: crunchgen.c,v 1.94.8.1 2023/06/27 18:20:18 martin Exp $");
 #endif
 
 #include <stdlib.h>
@@ -55,7 +55,7 @@
 #include <sys/param.h>
 #include <sys/utsname.h>
 
-#define CRUNCH_VERSION "20191223"
+#define CRUNCH_VERSION "20230623"
 
 #define MAXLINELEN     16384
 #define MAXFIELDS       2048
@@ -991,7 +991,7 @@ top_makefile_rules(FILE *outmk)
 
     fprintf(outmk, "PROG=%s\n\n", execfname);
 
-    fprintf(outmk, "OBJCOPY_REMOVE_FLAGS=-R .eh_frame_hdr -R .note -R .note.netbsd.pax -R .ident -R .comment -R .copyright\n\n");
+    fprintf(outmk, "OBJCOPY_REMOVE_FLAGS=-R .eh_frame_hdr -R .note -R .ident -R .comment -R .copyright\n\n");
 
     fprintf(outmk, "OBJCOPY_REMOVE_FLAGS+=-R .eh_frame\n");
     fprintf(outmk, ".if ${MACHINE} != \"sparc64\"\n");
@@ -1003,9 +1003,10 @@ top_makefile_rules(FILE *outmk)
     fprintf(outmk, "${PROG}.strip:\n");
     fprintf(outmk, "\t${MAKE} -f ${PROG}.mk ${PROG}\n");
     fprintf(outmk, "\t@[ -f ${PROG}.unstripped -a ! ${PROG} -nt ${PROG}.unstripped ] || { \\\n");
-    fprintf(outmk, "\t\t${_MKSHMSG:Uecho} \"  strip \" ${PROG}; \\\n");
+    fprintf(outmk, "\t\t${_MKSHMSG:Uecho} \"  strip and clear PaX flags \" ${PROG}; \\\n");
     fprintf(outmk, "\t\tcp ${PROG} ${PROG}.unstripped && \\\n");
     fprintf(outmk, "\t\t${OBJCOPY} -S ${OBJCOPY_REMOVE_FLAGS} ${PROG} && \\\n");
+    fprintf(outmk, "\t\t${PAXCTL} -0 ${PROG} && \\\n");
     fprintf(outmk, "\t\ttouch ${PROG}.unstripped; \\\n");
     fprintf(outmk, "\t}\n");
     fprintf(outmk, "objs: $(SUBMAKE_TARGETS)\n");
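Review bot: The added `${PAXCTL} -0 ${PROG}` step depends on `PAXCTL` being defined wherever the generated makefile runs, and nothing in this hunk shows where that definition comes from. If it is unset, the command presumably expands to a bare `-0 ${PROG}` and the `&&` chain stops after objcopy has already rewritten `${PROG}` in place, so the final `touch` never runs. Either default it the way `_MKSHMSG` is defaulted two lines earlier, e.g. `${PAXCTL:Upaxctl}`, or add a comment above the fprintf such as `/* PAXCTL is expected from the including build environment */`. top_makefile_rules() starts and ends outside this hunk.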
diff -r 0f92d3a082e9 -r 24fbaa2db0d4 usr.sbin/paxctl/paxctl.8
--- a/usr.sbin/paxctl/paxctl.8  Tue Jun 27 18:09:43 2023 +0000
+++ b/usr.sbin/paxctl/paxctl.8  Tue Jun 27 18:20:18 2023 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: paxctl.8,v 1.16 2016/11/08 08:21:52 wiz Exp $
+.\"    $NetBSD: paxctl.8,v 1.16.24.1 2023/06/27 18:20:18 martin Exp $
 .\"
 .\" Copyright 2006 Elad Efrat <elad%NetBSD.org@localhost>
 .\" Copyright 2008 Christos Zoulas <christos%NetBSD.org@localhost>
@@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 7, 2016
+.Dd June 23, 2023
 .Dt PAXCTL 8
 .Os
 .Sh NAME
@@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Ar flags
+.Op Fl 0 | Cm flags
 .Ar program ...
 .Sh DESCRIPTION
 The
@@ -44,7 +44,10 @@ can be found in the
 .Xr security 7
 manpage.
 .Pp
-Each flag can be prefixed either with a
+If
+.Fl 0
+option is specified, all PaX flags (including reserved bits) are cleared.
+Otherwise, each flag can be prefixed either with a
 .Dq +
 or a
 .Dq -
diff -r 0f92d3a082e9 -r 24fbaa2db0d4 usr.sbin/paxctl/paxctl.c
--- a/usr.sbin/paxctl/paxctl.c  Tue Jun 27 18:09:43 2023 +0000
+++ b/usr.sbin/paxctl/paxctl.c  Tue Jun 27 18:20:18 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $ */
+/* $NetBSD: paxctl.c,v 1.12.56.1 2023/06/27 18:20:18 martin Exp $ */
 
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -34,7 +34,7 @@
 #include <sys/cdefs.h>
 #ifndef lint
 #ifdef __RCSID
-__RCSID("$NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $");
+__RCSID("$NetBSD: paxctl.c,v 1.12.56.1 2023/06/27 18:20:18 martin Exp $");
 #endif
 #endif /* not lint */
 
@@ -98,7 +98,8 @@ static const struct paxflag {
 static void
 usage(void)
 {
-       (void)fprintf(stderr, "Usage: %s [ <-|+><A|a|G|g|M|m> ] <file> ...\n",
+       (void)fprintf(stderr,
+           "Usage: %s [ -0 | <-|+><A|a|G|g|M|m> ] <file> ...\n",
 #if HAVE_NBTOOL_CONFIG_H
            "paxctl"
 #else
@@ -165,7 +166,7 @@ pax_printflags(const char *name, int man
 
 static int
 process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
-    int list, int many)
+    int clear, int list, int many)
 {
        union {
            Elf32_Ehdr h32;
@@ -279,8 +280,12 @@ process_one(const char *name, uint32_t a
                        break;
                }
 
-               pax_tag.flags |= SWAP(add_flags);
-               pax_tag.flags &= SWAP(~del_flags);
+               if (clear) {
+                       pax_tag.flags = 0;
+               } else {
+                       pax_tag.flags |= SWAP(add_flags);
+                       pax_tag.flags &= SWAP(~del_flags);
+               }
 
                if (!pax_flags_sane(SWAP(pax_tag.flags))) {
                        warnx("New flags 0x%x don't make sense",
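Review bot: The new `if (clear)` branch sets `pax_tag.flags = 0` without a comment saying that it deliberately wipes the reserved bits as well and skips the `add_flags`/`del_flags` masks, which the manual page change in this commit states but the code does not. A one-line comment above the assignment would record that, e.g. `/* -0: clear every bit, reserved ones included; add/del masks are not applied */`. With all bits cleared the note carries no explicit per-binary enable or disable request, so the binary presumably follows whatever the system-wide PaX defaults are; that is worth stating for anyone using `-0` on a hardened program. process_one() starts and ends outside this hunk.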
@@ -315,7 +320,7 @@ int
 main(int argc, char **argv)
 {
        char *opt;
-       int i, list = 0, bad = 0, many, minus;
+       int i, clear = 0, list = 0, bad = 0, many, minus;
        uint32_t add_flags = 0, del_flags = 0;
 
        setprogname(argv[0]);
@@ -326,6 +331,11 @@ main(int argc, char **argv)
        for (i = 1; i < argc; i++) {
                opt = argv[i];
 
+               if (strcmp(opt, "-0") == 0) {
+                       clear = 1;
+                       continue;
+               }
+
                if (*opt == '-' || *opt == '+') {
                        uint32_t t;
                        minus = 0;
@@ -361,15 +371,21 @@ main(int argc, char **argv)
        if (i == argc)
                usage();
 
-       if (add_flags || del_flags) {
-               if (list)
-                       usage();
-       } else
+       switch ((add_flags != 0 || del_flags != 0) + clear) {
+       case 0:
                list = 1;
+               break;
+       case 1:
+               break;
+       default:
+               usage();
+       }
 
        many = i != argc - 1;
-       for (; i < argc; i++)
-               bad |= process_one(argv[i], add_flags, del_flags, list, many);
+       for (; i < argc; i++) {
+               bad |= process_one(argv[i], add_flags, del_flags,
+                   clear, list, many);
+       }
 
        return bad ? EXIT_FAILURE : 0;
 }
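Review bot: In the new `switch ((add_flags != 0 || del_flags != 0) + clear)`, `case 1:` no longer has the `if (list) usage();` guard that the removed `if` carried, so if anything earlier in main() can set `list` (the option loop is only partly visible in this diff) a list request combined with a modification would now be accepted instead of rejected. If `list` can only be set here, a comment on the switch would make the mode counting explicit, e.g. `/* 0 modes: list; 1: modify or clear; 2: conflicting */`. The `default:` arm also relies on usage() not returning, which a `/* NOTREACHED */` after the call would document. main() begins outside this hunk.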


