tech-pkg archive


Re: Improving security for pkgsrc




			Hi tech-pkg@,

[focusing on ASLR while test-building packages with SSP]

On 07/18/15 18:38, Pierre Pronchery wrote:
> while looking for ways to provide binary packages for EdgeBSD users
> in line with the current state of the art, I found that there are
> some low-hanging fruits up for grabs: [...]
> 
> 2. Building position-independent code: [...] This helps with ASLR
> [...]

PaX ASLR is better supported when binaries are built as
Position-Independent Executables (allowing the randomization of more
sections). However, even without doing so I found that simply enabling
PaX by default breaks the following packages:
- devel/gmake (random crashes)
- devel/xulrunner (native flavours < 24)
- mail/thunderbird (native flavours)
- misc/libreoffice (native flavours)
- www/firefox (native flavours >= 24)
(test environment: NetBSD-6 amd64 and NetBSD-7 amd64)

I finally managed to apply settings for PaX via paxctl(8) directly
when packaging through pkgsrc. Besides automating the operation, the
checksums also remain consistent once the package is installed, since the
current implementation of paxctl modifies the binary. This helps
auditing, and avoids surprises when removing/updating the packages
impacted.

To reproduce:

1. Enable PaX globally (NetBSD/x86)

  # sysctl -w security.pax.aslr.global=1
  # sysctl -w security.pax.mprotect.global=1

2. Start firefox

  $ firefox
  Segmentation fault

3. Apply flags

  # paxctl +am /usr/pkg/lib/firefox/firefox
  # paxctl +am /usr/pkg/lib/firefox/firefox-bin

4. Start firefox again

  $ firefox
  [works]

Of course a better way is to fix the actual issue affecting the
respective binaries, but at least with this they would be marked as
being impacted.

As before, I will welcome your feedback while trying to get this
integrated.

One more note about the second patch: I would register each binary
failing after an additional test, as I haven't tested each and every
one of these recently. I will confirm with the respective package
maintainers as well before committing of course.

Cheers,
-- 
khorben
commit c46c312ab6efbc89c45bf7496597fef9d4004c3d
Author: Pierre Pronchery <khorben%defora.org@localhost>
Date:   Thu Jul 30 01:08:04 2015 +0200

    Import handler for NOT_PAX_{ASLR,MPROTECT}_SAFE

diff --git a/mk/bsd.pkg.mk b/mk/bsd.pkg.mk
index 00a0a6c..ee41e90 100644
--- a/mk/bsd.pkg.mk
+++ b/mk/bsd.pkg.mk
@@ -680,6 +680,10 @@ _SHORT_UNAME_R=	${:!${UNAME} -r!:C@\.([0-9]*)[_.-].*@.\1@} # n.n[_.]anything =>
 
 .include "install/bin-install.mk"
 
+# Handle PaX flags
+#
+.include "pax.mk"
+
 .PHONY: show-pkgtools-version
 .if !target(show-pkgtools-version)
 show-pkgtools-version:
diff --git a/mk/pax.mk b/mk/pax.mk
new file mode 100644
index 0000000..7596ba4
--- /dev/null
+++ b/mk/pax.mk
@@ -0,0 +1,52 @@
+# $NetBSD$
+#
+# Infrastructure support for binaries known to fail with PaX enabled.
+#
+# User-settable variables:
+# PAXCTL
+#	The path to the paxctl(8) binary
+#
+# Package-settable variables:
+#
+# NOT_PAX_ASLR_SAFE
+#	The list of binaries which do not support PaX ASLR.
+#
+# NOT_PAX_MPROTECT_SAFE
+#	The list of binaries which do not support PaX MPROTECT.
+
+.if !defined(PAX_MK)
+
+. if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \
+	empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)
+PAXCTL?=	/usr/sbin/paxctl
+. endif
+
+. if !empty(PAXCTL)
+.  if !empty(NOT_PAX_ASLR_SAFE)
+_INSTALL_ALL_TARGETS+=		post-install-pax-aslr-binaries
+
+.PHONY: post-install-pax-aslr-binaries
+post-install: post-install-pax-aslr-binaries
+post-install-pax-aslr-binaries:
+	@${STEP_MSG} "Setting PaX ASLR flags"
+	${RUN}								\
+	for binary in ${NOT_PAX_ASLR_SAFE}; do				\
+		${PAXCTL} +a ${DESTDIR}${PREFIX}/$$binary;		\
+	done
+.  endif
+
+.  if !empty(NOT_PAX_MPROTECT_SAFE)
+_INSTALL_ALL_TARGETS+=		post-install-pax-mprotect-binaries
+
+.PHONY: post-install-pax-mprotect-binaries
+post-install: post-install-pax-mprotect-binaries
+post-install-pax-mprotect-binaries:
+	@${STEP_MSG} "Setting PaX MPROTECT flags"
+	${RUN}								\
+	for binary in ${NOT_PAX_MPROTECT_SAFE}; do			\
+		${PAXCTL} +m ${DESTDIR}${PREFIX}/$$binary;		\
+	done
+.  endif
+. endif
+
+.endif
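Review bot: The platform test at the top of pax.mk is always true: it ORs two `empty()` checks whose patterns end in `-386` and `-x86_64`, and no single MACHINE_PLATFORM value can match both, so at least one side is always empty and PAXCTL defaults to /usr/sbin/paxctl on every platform. The post-install targets will then call paxctl on non-NetBSD hosts for any package that sets NOT_PAX_ASLR_SAFE or NOT_PAX_MPROTECT_SAFE. Using `!empty(...) || !empty(...)` would express "NetBSD on either architecture"; the first pattern probably also wants `-i386` to mirror the full architecture name used in the second. Separately, the `.if !defined(PAX_MK)` guard never takes effect because PAX_MK is not assigned anywhere in the file; adding `PAX_MK= defined` right after the guard fixes that.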
commit 1eabcd9744d8adb5c786f2ee7f4408554ddc4667
Author: Pierre Pronchery <khorben%defora.org@localhost>
Date:   Thu Jul 30 01:19:21 2015 +0200

    Register some binaries as not safe for PaX

diff --git a/devel/gmake/Makefile b/devel/gmake/Makefile
index 06ecbed..5913f90 100644
--- a/devel/gmake/Makefile
+++ b/devel/gmake/Makefile
@@ -18,6 +18,9 @@ GNU_CONFIGURE=		yes
 TEXINFO_REQD+=		4.0
 INFO_FILES=		yes
 
+NOT_PAX_ASLR_SAFE+=	bin/gmake
+NOT_PAX_MPROTECT_SAFE+=	bin/gmake
+
 # NOTE:  the 'test' target requires perl, but since gmake does
 # not otherwise require it, perl is not listed as an explicit
 # dependency
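Review bot: bin/gmake is opted out of both ASLR and MPROTECT here, but nothing records which of the two the random crashes depend on. Testing with `security.pax.aslr.global` and `security.pax.mprotect.global` enabled one at a time, and keeping only the flag that is needed, would leave the other mitigation active; a one-line comment with the symptom and the tested NetBSD release would also help whoever revisits this entry.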
diff --git a/devel/xulrunner10/Makefile b/devel/xulrunner10/Makefile
index faf79c2..2467d4c 100644
--- a/devel/xulrunner10/Makefile
+++ b/devel/xulrunner10/Makefile
@@ -31,6 +31,9 @@ MAKE_ENV+=		FREEBL_NO_DEPEND=0
 # workround for link of xulrunner-bin etc.
 LDFLAGS+=		-Wl,-rpath,${PREFIX}/lib/xulrunner10
 
+NOT_PAX_ASLR_SAFE+=	lib/xulrunner10/xulrunner	lib/xulrunner10/xulrunner-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/xulrunner10/xulrunner	lib/xulrunner10/xulrunner-bin
+
 .include "mozilla-common.mk"
 .include "options.mk"
 
diff --git a/devel/xulrunner17/Makefile b/devel/xulrunner17/Makefile
index 9bb7aef..965373b 100644
--- a/devel/xulrunner17/Makefile
+++ b/devel/xulrunner17/Makefile
@@ -33,6 +33,9 @@ INSTALLATION_DIRS=	lib/pkgconfig
 # workround for link of xulrunner-bin etc.
 LDFLAGS+=		-Wl,-rpath,${PREFIX}/lib/xulrunner17 ${COMPILER_RPATH_FLAG}${PREFIX}/lib
 
+NOT_PAX_ASLR_SAFE+=	bin/xulrunner17
+NOT_PAX_MPROTECT_SAFE+=	bin/xulrunner17
+
 .include "mozilla-common.mk"
 .include "options.mk"
 
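Review bot: `bin/xulrunner17` is the only path flagged here, whereas the xulrunner10 and xulrunner192 hunks flag both `lib/xulrunnerNN/xulrunner` and `lib/xulrunnerNN/xulrunner-bin`; the same single-path form recurs for xulrunner24 and xulrunner31. If `bin/xulrunner17` is a symlink or a launcher for a binary under lib/, the executable that is actually run may not carry the flags, so it is worth confirming what gets installed at that path and listing the ELF files themselves.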
diff --git a/devel/xulrunner192/Makefile b/devel/xulrunner192/Makefile
index 4da7680..7b1b54f 100644
--- a/devel/xulrunner192/Makefile
+++ b/devel/xulrunner192/Makefile
@@ -29,6 +29,9 @@ ALL_ENV+=		MOZILLA_PKG_NAME=xulrunner192
 
 MAKE_ENV+=		FREEBL_NO_DEPEND=0
 
+NOT_PAX_ASLR_SAFE+=	lib/xulrunner192/xulrunner	lib/xulrunner192/xulrunner-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/xulrunner192/xulrunner	lib/xulrunner192/xulrunner-bin
+
 SUBST_CLASSES+=			fix-paths2
 SUBST_STAGE.fix-paths2=		pre-configure
 SUBST_MESSAGE.fix-paths2=	Fixing absolute paths.
diff --git a/devel/xulrunner24/Makefile b/devel/xulrunner24/Makefile
index 71ad79f..8253056 100644
--- a/devel/xulrunner24/Makefile
+++ b/devel/xulrunner24/Makefile
@@ -50,6 +50,9 @@ CHECK_INTERPRETER_SKIP+=lib/xulrunner24-sdk/sdk/bin/typelib.py
 CHECK_INTERPRETER_SKIP+=lib/xulrunner24-sdk/sdk/bin/xpidl.py
 CHECK_INTERPRETER_SKIP+=lib/xulrunner24-sdk/sdk/bin/xpt.py
 
+NOT_PAX_ASLR_SAFE+=	bin/xulrunner24
+NOT_PAX_MPROTECT_SAFE+=	bin/xulrunner24
+
 .include "../../www/firefox24/mozilla-common.mk"
 .include "../../www/firefox24/options.mk"
 
diff --git a/devel/xulrunner31/Makefile b/devel/xulrunner31/Makefile
index 18315e9..5d08d6f 100644
--- a/devel/xulrunner31/Makefile
+++ b/devel/xulrunner31/Makefile
@@ -51,6 +51,9 @@ CHECK_INTERPRETER_SKIP+=lib/xulrunner31/sdk/bin/typelib.py
 CHECK_INTERPRETER_SKIP+=lib/xulrunner31/sdk/bin/xpidl.py
 CHECK_INTERPRETER_SKIP+=lib/xulrunner31/sdk/bin/xpt.py
 
+NOT_PAX_ASLR_SAFE+=	bin/xulrunner31
+NOT_PAX_MPROTECT_SAFE+=	bin/xulrunner31
+
 .include "../../www/firefox31/mozilla-common.mk"
 .include "../../www/firefox31/options.mk"
 
diff --git a/mail/thunderbird/Makefile b/mail/thunderbird/Makefile
index 93917ed..22feb0f 100644
--- a/mail/thunderbird/Makefile
+++ b/mail/thunderbird/Makefile
@@ -53,6 +53,9 @@ CHECK_INTERPRETER_SKIP+=lib/thunderbird-sdk/sdk/bin/typelib.py
 CHECK_INTERPRETER_SKIP+=lib/thunderbird-sdk/sdk/bin/xpidl.py
 CHECK_INTERPRETER_SKIP+=lib/thunderbird-sdk/sdk/bin/xpt.py
 
+NOT_PAX_ASLR_SAFE+=	lib/thunderbird/thunderbird	lib/thunderbird/thunderbird-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/thunderbird/thunderbird	lib/thunderbird/thunderbird-bin
+
 #post-extract:
 #	cd ${WRKSRC} && ${RM} -r calendar
 #	${CP} -r ${EXTRACT_DIR.lightning-${LIGHTNINGVER}.source.tar.bz2}/comm-beta/calendar ${WRKSRC}
diff --git a/mail/thunderbird24/Makefile b/mail/thunderbird24/Makefile
index 76fc3cb..bb6edd0 100644
--- a/mail/thunderbird24/Makefile
+++ b/mail/thunderbird24/Makefile
@@ -57,6 +57,9 @@ CHECK_INTERPRETER_SKIP+=lib/thunderbird24-sdk/sdk/bin/typelib.py
 CHECK_INTERPRETER_SKIP+=lib/thunderbird24-sdk/sdk/bin/xpidl.py
 CHECK_INTERPRETER_SKIP+=lib/thunderbird24-sdk/sdk/bin/xpt.py
 
+NOT_PAX_ASLR_SAFE+=	lib/thunderbird24/thunderbird	lib/thunderbird24/thunderbird-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/thunderbird24/thunderbird	lib/thunderbird24/thunderbird-bin
+
 #post-extract:
 #	cd ${WRKSRC} && ${RM} -r calendar
 #	${CP} -r ${EXTRACT_DIR.lightning-${LIGHTNINGVER}.source.tar.bz2}/comm-beta/calendar ${WRKSRC}
diff --git a/misc/libreoffice4/Makefile b/misc/libreoffice4/Makefile
index 00f4628..e0f1642 100644
--- a/misc/libreoffice4/Makefile
+++ b/misc/libreoffice4/Makefile
@@ -236,6 +236,9 @@ do-install:
 		${MKDIR} ${d}
 .endfor
 
+NOT_PAX_ASLR_SAFE+=	${PKGNAME}/program/soffice.bin
+NOT_PAX_MPROTECT_SAFE+=	${PKGNAME}/program/soffice.bin
+
 #post-install:
 #.for f in ${LO_PROGRAMS}
 #	cd ${DESTDIR}${PREFIX}/bin && ${LN} -s ../${PKGNAME_NOREV}/program/${f}
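Review bot: The flagged path is built from `${PKGNAME}`, while the commented-out post-install just below it refers to `../${PKGNAME_NOREV}/program/${f}`. If the installation directory is named after PKGNAME_NOREV, `${PREFIX}/${PKGNAME}/program/soffice.bin` stops existing as soon as the package has a revision suffix and the paxctl call in post-install fails; please check which variable do-install uses and match it.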
diff --git a/www/firefox/Makefile b/www/firefox/Makefile
index 27358f2..45e9dfb 100644
--- a/www/firefox/Makefile
+++ b/www/firefox/Makefile
@@ -61,6 +61,9 @@ MOZILLA_NAME=	Firefox
 MOZILLA_NAME=	Browser
 .endif
 
+NOT_PAX_ASLR_SAFE+=	lib/firefox/firefox	lib/firefox/firefox-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/firefox/firefox	lib/firefox/firefox-bin
+
 SUBST_CLASSES+=		sys-dic
 SUBST_STAGE.sys-dic=	pre-configure
 SUBST_MESSAGE.sys-dic=	Reference to system hunspell dictionaries.
diff --git a/www/firefox24/Makefile b/www/firefox24/Makefile
index 764ca2f..137962f 100644
--- a/www/firefox24/Makefile
+++ b/www/firefox24/Makefile
@@ -63,6 +63,9 @@ MOZILLA_NAME=	Firefox
 MOZILLA_NAME=	Browser
 .endif
 
+NOT_PAX_ASLR_SAFE+=	lib/firefox24/firefox	lib/firefox24/firefox-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/firefox24/firefox	lib/firefox24/firefox-bin
+
 SUBST_CLASSES+=		sys-dic
 SUBST_STAGE.sys-dic=	pre-configure
 SUBST_MESSAGE.sys-dic=	Reference to system hunspell dictionaries.
diff --git a/www/firefox31/Makefile b/www/firefox31/Makefile
index 123b656..82a9397 100644
--- a/www/firefox31/Makefile
+++ b/www/firefox31/Makefile
@@ -62,6 +62,9 @@ MOZILLA_NAME=	Firefox
 MOZILLA_NAME=	Browser
 .endif
 
+NOT_PAX_ASLR_SAFE+=	lib/firefox31/firefox	lib/firefox31/firefox-bin
+NOT_PAX_MPROTECT_SAFE+=	lib/firefox31/firefox	lib/firefox31/firefox-bin
+
 SUBST_CLASSES+=		sys-dic
 SUBST_STAGE.sys-dic=	pre-configure
 SUBST_MESSAGE.sys-dic=	Reference to system hunspell dictionaries.

