tech-pkg archive


Some pkgsrc/mk/ suggestions (was: Re: PaX mprotect now on for amd64)

Hello Pierre and tech-pkg@!
(moving the discussion to tech-pkg@ where it is more appropriate)

Pierre Pronchery writes:
> I wrote this mini-framework for paxctl(8) in pkgsrc:
> and addressed some concerns there:
> Let me know if I should import it, or about any concerns.
First of all thank you for quickly addressing that and sorry for
the very late review. I will try to share just some ideas about

Unfortunately right now I couldn't come up with a better nomenclature
regarding it. Apart from what David suggested... What about a more similar
mechanism also used by src/share/mk (i.e. PAXCTL_FLAGS)? I think
something like that can be used (similar to what we do with several
*_PERMS variables):

 PAXCTL_FLAGS+=	+m bin/frozz

What do you think? (maybe a better name should be decided?)
(maybe we can also abstract the flag usage so that paxctl will also be
OS-agnostic (i.e. it seems that Linux also has it but the syntax is
different), but we will need more nomenclature and I would like to
receive some feedback regarding that)

In pkgsrc/tools/ we can simplify the recognition of
paxctl via just an `.if exists()'. In this way, if other ports use
PaX features they will already have the correct `.note.netbsd.pax'
ELF section.

Another suggestion is to use BUILD_DEFS so that binary package users can
query the paxctl-fied programs in pkgsrc/mk/

For these two suggestions I'll attach possible patches in this email.

Other cosmetic and (not very important) suggestions (mostly for
consistency with other pkgsrc make fragments):

 - I think it's better to not expose TOOLS_PLATFORM.paxctl as a
   user-settable variable and so delete the comment about that in
 - _INSTALL_ALL_TARGETS is only used by pkgsrc/mk/install/ but
   not by other make files in pkgsrc/mk that depend on post-install.
   I think we can delete them in

Please let me know what you think and/or if I'm missing something!
Thank you for the attention!
paxctl-fied binaries can be inspected via `pkg_info -Q'

Index: mk/
RCS file: /cvsroot/pkgsrc/mk/,v
retrieving revision 1.3
diff -u -p -r1.3
--- mk/	27 May 2016 08:33:00 -0000	1.3
+++ mk/	5 Jul 2016 15:37:39 -0000
@@ -24,6 +24,8 @@ PAXCTL=	${TOOLS_PLATFORM.paxctl}
 .  if !empty(NOT_PAX_ASLR_SAFE)
 _INSTALL_ALL_TARGETS+=		post-install-pax-aslr-binaries
 .PHONY: post-install-pax-aslr-binaries
 post-install: post-install-pax-aslr-binaries
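Review bot: the header `@@ -24,6 +24,8 @@` promises two added lines, but only the four context lines of the ASLR block are visible here, so the BUILD_DEFS addition the mail describes cannot be reviewed from this hunk; please resend the patch as an attachment so the `+` lines survive the archive. If the intent is to add the NOT_PAX_ASLR_SAFE variable to BUILD_DEFS inside the `.if !empty(NOT_PAX_ASLR_SAFE)` block, that records it only for packages that actually set it, which is what a `pkg_info -Q` user would expect.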
@@ -37,6 +39,8 @@ post-install-pax-aslr-binaries:
 .  if !empty(NOT_PAX_MPROTECT_SAFE)
 _INSTALL_ALL_TARGETS+=		post-install-pax-mprotect-binaries
 .PHONY: post-install-pax-mprotect-binaries
 post-install: post-install-pax-mprotect-binaries
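Review bot: as with the ASLR hunk, the `+39,8` header announces two added lines that are not shown, so the mprotect BUILD_DEFS change is not reviewable here either. Since the two blocks differ only in the variable and target names, consider recording both variables in BUILD_DEFS once, outside the two conditionals, instead of duplicating the addition in each block (assuming an unset variable in BUILD_DEFS is acceptable in this fragment).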
Make TOOLS_PLATFORM.paxctl recognition more agnostic

Index: mk/tools/
RCS file: /cvsroot/pkgsrc/mk/tools/,v
retrieving revision 1.58
diff -u -p -r1.58
--- mk/tools/	26 May 2016 16:03:04 -0000	1.58
+++ mk/tools/	5 Jul 2016 15:38:15 -0000
@@ -83,8 +83,7 @@ TOOLS_PLATFORM.nroff?=		/usr/bin/nroff
 TOOLS_PLATFORM.openssl?=	/usr/bin/openssl
 TOOLS_PLATFORM.patch?=		/usr/bin/patch
 TOOLS_PLATFORM.pax?=		/bin/pax
-.if empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-386) || \
-	empty(MACHINE_PLATFORM:MNetBSD-[^0-3].*-x86_64)
+.if exists(/usr/sbin/paxctl)
 TOOLS_PLATFORM.paxctl?=		/usr/sbin/paxctl
 TOOLS_PLATFORM.printf?=		/usr/bin/printf
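Review bot: the line counts do not match what is shown: the old side lists 7 lines against the header's 8 and the new side 6 against 7, so one line (perhaps the `.endif` that closes this conditional, between the paxctl and printf lines) is missing from this rendering; please confirm it is present in the real patch. Separately, `.if exists(/usr/sbin/paxctl)` tests the host running make, not the platform the package is built for, so a cross-build or a chrooted build with a different base system may enable or disable the tool incorrectly; the old check at least keyed on MACHINE_PLATFORM, although its `empty(...) || empty(...)` form is true whenever either pattern fails to match, i.e. on every platform, so it never actually restricted anything and a `!empty(...) || !empty(...)` form was probably intended.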

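A sketch, added here and not part of Pierre's framework or the attached patches, of how the proposed PAXCTL_FLAGS variable (pairs of paxctl flag and path relative to PREFIX, as in the `+m bin/frozz' example above) could be consumed by a pkgsrc mk fragment. PAXCTL, BUILD_DEFS and _INSTALL_ALL_TARGETS are taken from the patches in this mail; the target name post-install-paxctl and the use of ${RUN} and ${ECHO} as pkgsrc recipe helpers are assumptions.

```make
# Hypothetical sketch: consume "PAXCTL_FLAGS+= <flag> <path>" pairs,
# e.g. "PAXCTL_FLAGS+= +m bin/frozz", in a pkgsrc mk fragment.
# PAXCTL is set from TOOLS_PLATFORM.paxctl elsewhere (see the patches).
.if !empty(PAXCTL_FLAGS) && !empty(PAXCTL)
# Record the variable in the binary package so that
# `pkg_info -Q PAXCTL_FLAGS' shows which binaries were paxctl-fied.
BUILD_DEFS+=		PAXCTL_FLAGS

_INSTALL_ALL_TARGETS+=	post-install-paxctl
.PHONY: post-install-paxctl
post-install: post-install-paxctl

# Walk the flag/path pairs in the shell: "$1" is the paxctl flag,
# "$2" the path relative to PREFIX.  An odd number of words means a
# malformed PAXCTL_FLAGS, so fail loudly instead of guessing.
post-install-paxctl:
	${RUN} set -- ${PAXCTL_FLAGS}; \
	while [ $$# -ge 2 ]; do \
		${PAXCTL} "$$1" ${DESTDIR}${PREFIX}/"$$2"; \
		shift 2; \
	done; \
	if [ $$# -ne 0 ]; then \
		${ECHO} "PAXCTL_FLAGS: odd number of words" 1>&2; \
		exit 1; \
	fi
.endif
```

With the `+m bin/frozz' setting from the mail this runs `/usr/sbin/paxctl +m ${DESTDIR}${PREFIX}/bin/frozz' at post-install time.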