Diffstat (limited to 'kernels/paxutils')
-rw-r--r--kernels/paxutils/PKGBUILD24
-rwxr-xr-xkernels/paxutils/paxutils174
2 files changed, 198 insertions, 0 deletions
diff --git a/kernels/paxutils/PKGBUILD b/kernels/paxutils/PKGBUILD
new file mode 100644
index 000000000..4d57bec10
--- /dev/null
+++ b/kernels/paxutils/PKGBUILD
@@ -0,0 +1,24 @@
+# Maintainer: André Silva <emulatorman@lavabit.com>
+# Maintainer: Márcio Silva <coadde@lavabit.com>
+
+pkgname=paxutils
+pkgdesc='PaX utilities to configure flags for several binaries to work with PaX kernels'
+pkgver=0.1.0
+pkgrel=1
+arch=(any)
+url='https://projects.parabolagnulinux.org/abslibre.git/tree/kernels/pax-tuning/'
+license=(GPL2)
+depends=(bash paxctl)
+replaces=('linux-pax-flags' 'linux-libre-pax-flags')
+conflicts=('linux-pax-flags' 'linux-libre-pax-flags')
+provides=('linux-pax-flags' 'linux-libre-pax-flags')
+source=($pkgname)
+sha256sums=(bf1fda4919e7ed8052711c91933d9da5d86945ba44133c94e1952dedb4d1759b)
+
+build() {
+ return 0
+}
+
+package() {
+ install -D -m755 $srcdir/$pkgname $pkgdir/usr/bin/$pkgname
+}
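Review bot: In `package()`, `$srcdir`, `$pkgname` and `$pkgdir` are expanded unquoted, so a build path containing whitespace or glob characters splits into extra `install` arguments; write it as `install -D -m755 "$srcdir/$pkgname" "$pkgdir/usr/bin/$pkgname"`. The `build()` function that only does `return 0` can likely be dropped, since nothing is compiled. The `url` points at `kernels/pax-tuning/` while this package is added under `kernels/paxutils`, which looks like a leftover and is worth confirming. A comment above `depends` along the lines of `# installs a root-run script that rewrites PaX headers on system binaries via paxctl` would tell a later reviewer what the package actually changes on the system.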
diff --git a/kernels/paxutils/paxutils b/kernels/paxutils/paxutils
new file mode 100755
index 000000000..22f5a8171
--- /dev/null
+++ b/kernels/paxutils/paxutils
@@ -0,0 +1,174 @@
+#!/bin/bash
+
+[ "$UID" = "0" ] || {
+ sudo $0
+ exit $!
+}
+
+function homedir() {
+ egrep ^$1 /etc/passwd | cut -d: -f 6
+}
+
+declare -A perms
+
+perms=(
+ # RANDMMAP off
+ ['cPSMXEr']='
+ /usr/bin/grub-script-check
+ '
+ # MPROTECT and RANDMMAP off
+ ['cPSmXEr']='
+ /usr/bin/elinks
+ /usr/bin/pyrogenesis
+ /usr/lib/iceweasel/iceweasel
+ /usr/lib/iceweasel/plugin-container
+ /usr/lib/icecat/icecat
+ /usr/lib/icecat/plugin-container
+ /usr/lib/polkit-1/polkitd
+ /usr/lib/icedove/icedove
+ '
+ # SEGMEXEC and MPROTECT off
+ # (RANDEXEC is not activatable for qemu. The binaries seem to be compiled
+ # with PIE enabled, though.)
+ ['cPsmxER']='
+ /usr/bin/qemu-alpha
+ /usr/bin/qemu-arm
+ /usr/bin/qemu-armeb
+ /usr/bin/qemu-cris
+ /usr/bin/qemu-i386
+ /usr/bin/qemu-m68k
+ /usr/bin/qemu-microblaze
+ /usr/bin/qemu-microblazeel
+ /usr/bin/qemu-mips
+ /usr/bin/qemu-mipsel
+ /usr/bin/qemu-ppc
+ /usr/bin/qemu-ppc64
+ /usr/bin/qemu-ppc64abi32
+ /usr/bin/qemu-s390x
+ /usr/bin/qemu-sh4
+ /usr/bin/qemu-sh4eb
+ /usr/bin/qemu-sparc
+ /usr/bin/qemu-sparc32plus
+ /usr/bin/qemu-sparc64
+ /usr/bin/qemu-unicore32
+ /usr/bin/qemu-x86_64
+ '
+ # MPROTECT off
+ ['cPSmXER']="
+ /usr/bin/blender
+ /usr/bin/clamscan
+ /usr/bin/freshclam
+ /usr/bin/glxdemo
+ /usr/bin/glxgears
+ /usr/bin/glxinfo
+ /usr/bin/kdeinit4
+ /usr/bin/kdenlive
+ /usr/bin/kmail
+ /usr/bin/kwin
+ /usr/bin/liferea
+ /usr/bin/mono
+ /usr/bin/mplayer
+ /usr/bin/okular
+ /usr/bin/qemu-system-alpha
+ /usr/bin/qemu-system-arm
+ /usr/bin/qemu-system-cris
+ /usr/bin/qemu-system-i386
+ /usr/bin/qemu-system-lm32
+ /usr/bin/qemu-system-m68k
+ /usr/bin/qemu-system-microblaze
+ /usr/bin/qemu-system-microblazeel
+ /usr/bin/qemu-system-mips
+ /usr/bin/qemu-system-mips64
+ /usr/bin/qemu-system-mips64el
+ /usr/bin/qemu-system-mipsel
+ /usr/bin/qemu-system-ppc
+ /usr/bin/qemu-system-ppc64
+ /usr/bin/qemu-system-ppcemb
+ /usr/bin/qemu-system-s390x
+ /usr/bin/qemu-system-sh4
+ /usr/bin/qemu-system-sh4eb
+ /usr/bin/qemu-system-sparc
+ /usr/bin/qemu-system-sparc64
+ /usr/bin/qemu-system-x86_64
+ /usr/bin/qemu-system-xtensa
+ /usr/bin/qemu-system-xtensaeb
+ /usr/bin/ruby
+ /usr/bin/systemsettings
+ /usr/bin/tcc
+ /usr/bin/valgrind
+ /usr/lib/erlang/erts-*/bin/beam
+ /usr/lib/erlang/erts-*/bin/beam.smp
+ /usr/lib/ghc-*/ghc
+ /usr/lib/valgrind/cachegrind-amd64-linux
+ /usr/lib/valgrind/cachegrind-x86-linux
+ /usr/lib/valgrind/callgrind-amd64-linux
+ /usr/lib/valgrind/callgrind-x86-linux
+ /usr/lib/valgrind/drd-amd64-linux
+ /usr/lib/valgrind/drd-x86-linux
+ /usr/lib/valgrind/exp-bbv-amd64-linux
+ /usr/lib/valgrind/exp-bbv-x86-linux
+ /usr/lib/valgrind/exp-dhat-amd64-linux
+ /usr/lib/valgrind/exp-dhat-x86-linux
+ /usr/lib/valgrind/exp-sgcheck-amd64-linux
+ /usr/lib/valgrind/exp-sgcheck-x86-linux
+ /usr/lib/valgrind/helgrind-amd64-linux
+ /usr/lib/valgrind/helgrind-x86-linux
+ /usr/lib/valgrind/lackey-amd64-linux
+ /usr/lib/valgrind/lackey-x86-linux
+ /usr/lib/valgrind/massif-amd64-linux
+ /usr/lib/valgrind/massif-x86-linux
+ /usr/lib/valgrind/memcheck-amd64-linux
+ /usr/lib/valgrind/memcheck-x86-linux
+ /usr/lib/valgrind/none-amd64-linux
+ /usr/lib/valgrind/none-x86-linux
+ /usr/lib/xbmc/xbmc.bin
+ /usr/sbin/clamd
+ /usr/sbin/grub-probe
+ /usr/sbin/vbetool
+ "
+ # PAGEEXEC, MPROTECT, EMUTRAMP and RANDMMAP off
+ ['cpSmXer']='
+ /usr/bin/sbcl
+ '
+ # All off
+ ['cpsmxer']='
+ /usr/bin/wine
+ /usr/bin/wine-preloader
+ /usr/lib/jvm/java-6-openjdk/bin/java
+ /usr/lib/jvm/java-6-openjdk/bin/javac
+ /usr/lib/jvm/java-6-openjdk/jre/bin/java
+ /usr/lib/jvm/java-7-openjdk/bin/javac
+ /usr/lib/jvm/java-7-openjdk/jre/bin/java
+ '
+)
+
+echo Some programs do not work properly without deactivating some of the PaX
+echo features. Please close all instances of them if you want to change the
+echo configuration for the following binaries:
+
+for perm in ${!perms[@]}; do
+ for path in ${perms[$perm]}; do
+ [ -f $path ] && echo " * $path"
+ done
+done
+
+echo
+echo Continue writing PaX headers? \[Y/n\]
+
+read a
+
+case $a in
+ "Y"|"y"|"")
+ for perm in ${!perms[@]}; do
+ for path in ${perms[$perm]}; do
+ [ -f $path ] && {
+ echo $perm $path
+ paxctl -$perm $path
+ }
+ done
+ done
+ ;;
+ *)
+ exit 0
+ ;;
+esac
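Review bot: The root re-exec at the top runs `sudo $0` followed by `exit $!`; `$!` is the PID of the last background job rather than an exit status (`$?` was presumably meant), `$0` is unquoted, and any arguments are dropped, so `exec sudo -- "$0" "$@"` is the safer form. In the apply loop the result of `paxctl -$perm $path` is never checked, so a failed header write looks the same as a successful one; because this loop relaxes memory protections on system binaries as root, quote the operands and report failures, e.g. `paxctl "-$perm" "$path" || echo "paxctl failed for $path" >&2`. `homedir()` is never called in this file and interpolates `$1` unquoted into an `egrep` pattern that matches any login name starting with that prefix, so it is best removed. `read a` should be `read -r a` so a backslash in the answer is not interpreted.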