15801420 SUNBT7180909 tag the Userland consolidation binaries for ASLR
authorApril Chin <april.chin@oracle.com>
Fri, 01 Feb 2013 18:32:13 -0800
changeset 1138 6e1f85fa0151
parent 1137 5f35de46aa92
child 1139 2fe2a52488cb
15801420 SUNBT7180909 tag the Userland consolidation binaries for ASLR
components/a2ps/Makefile
components/autogen/Makefile
components/bind/Makefile
components/bison/Makefile
components/bzip2/Makefile
components/clisp/Makefile
components/coreutils/Makefile
components/cvs/Makefile
components/emacs/Makefile
components/gcc45/Makefile
components/lighttpd/Makefile
components/tcl/expect/Makefile
make-rules/ips.mk
make-rules/shared-macros.mk
tools/python/pkglint/userland.py
--- a/components/a2ps/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/a2ps/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -61,6 +61,9 @@
 	     ln -s $$sheet ; \
 	 done)
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 # common targets
 build:		$(BUILD_32)
 
--- a/components/autogen/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/autogen/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
@@ -46,6 +46,9 @@
 # strip the environment or install target fails
 ENV +=	-i
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 # common targets
 build:		$(BUILD_32)
 
--- a/components/bind/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/bind/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
@@ -70,6 +70,9 @@
 # Configure will add "-mt" to CC which is already set in CFLAGS, so override.
 CONFIGURE_OPTIONS +=	CC="$(CC)"
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 .PHONY: build
 build:		$(BUILD_32)
 
--- a/components/bison/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/bison/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -45,6 +45,9 @@
 CONFIGURE_OPTIONS  +=		--infodir=$(CONFIGURE_INFODIR)
 CONFIGURE_OPTIONS  +=		CFLAGS="$(CFLAGS)"
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 $(INSTALL_32):	$(INSTALL_64)
 
 # common targets
--- a/components/bzip2/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/bzip2/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -40,6 +40,9 @@
 include ../../make-rules/ips.mk
 include ../../make-rules/lint-libraries.mk
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 LINT_FLAGS +=	-I.
 
 # we need to enable large file support and build PIC for our shared libraries
--- a/components/clisp/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/clisp/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -65,6 +65,8 @@
 CONFIGURE_OPTIONS += --with-libsigsegv-prefix=$(CONFIGURE_PREFIX)
 CONFIGURE_OPTIONS += --with-libreadline-prefix=$(CONFIGURE_PREFIX)
 
+# For now keep ASLR disabled for clisp (the default); build may core dump with ASLR
+
 # Prevent clisp.ps and clisp.pdf having different versions for SPARC
 # and x86 in the clisp package, because of embedded dates.
 TIME_CONSTANT = 1348000000
--- a/components/coreutils/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/coreutils/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
@@ -42,6 +42,9 @@
 CONFIGURE_OPTIONS	+=	CPPFLAGS=-I/usr/include/gmp
 CONFIGURE_OPTIONS	+=	CFLAGS="$(CFLAGS)"
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 # common targets
 build:		$(BUILD_32)
 
--- a/components/cvs/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/cvs/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -41,6 +41,9 @@
 CONFIGURE_OPTIONS  +=	--with-external-zlib
 CONFIGURE_OPTIONS  +=	CFLAGS="$(CFLAGS)"
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 # "check" is not working yet.  It's asking for a password.
 COMPONENT_TEST_ENV += PATH=$(GNUBIN):$(PATH)
 COMPONENT_TEST_TARGETS = localcheck
--- a/components/emacs/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/emacs/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
@@ -80,6 +80,9 @@
 CONFIGURE_OPTIONS +=	--with-gif=no
 CONFIGURE_OPTIONS +=	ac_cv_sys_long_file_names=yes
 
+# ASLR should remain disabled for emacs (the default); 
+# build consistently core dumps with ASLR
+
 # variant specific configure options
 $(BUILD_DIR)/%-nox/.configured: CONFIGURE_OPTIONS +=	--without-x
 $(BUILD_DIR)/%-x/.configured:    CONFIGURE_OPTIONS +=	--with-x-toolkit=lucid
--- a/components/gcc45/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/gcc45/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
@@ -70,6 +70,8 @@
 
 CONFIGURE_OPTIONS +=	CFLAGS="$(CFLAGS)"
 
+# Keep ASLR disabled (the default) for gcc 4.5; build often core dumps with ASLR
+
 COMPONENT_BUILD_ENV += SHELL=$(CONFIG_SHELL)
 
 COMPONENT_BUILD_TARGETS=bootstrap
--- a/components/lighttpd/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/lighttpd/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -60,6 +60,9 @@
 CONFIGURE_OPTIONS +=	--with-mysql=/usr/mysql/bin/mysql_config
 CONFIGURE_OPTIONS +=	CFLAGS="$(CFLAGS)"
 
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
 # common targets
 build:		$(BUILD_32)
 
--- a/components/tcl/expect/Makefile	Thu Jan 31 15:47:26 2013 -0800
+++ b/components/tcl/expect/Makefile	Fri Feb 01 18:32:13 2013 -0800
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../../make-rules/shared-macros.mk
@@ -46,8 +46,7 @@
 COMPONENT_PRE_CONFIGURE_ACTION = \
 	($(CLONEY) $(SOURCE_DIR) $(@D))
 
-COMPONENT_PRE_BUILD_ACTION = \
-	(cd $(@D); $(GMAKE) all ${SCRIPTS};)
+COMPONENT_BUILD_TARGETS = all ${SCRIPTS}
 
 CONFIGURE_OPTIONS 	+= CFLAGS="$(CFLAGS)"
 CONFIGURE_OPTIONS 	+= --enable-shared
--- a/make-rules/ips.mk	Thu Jan 31 15:47:26 2013 -0800
+++ b/make-rules/ips.mk	Fri Feb 01 18:32:13 2013 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 #
@@ -245,6 +245,14 @@
 			-f $(WS_TOOLS)/pkglintrc $(RESOLVED)
 	$(TOUCH) [email protected]
 
+lintme: FRC
+	@echo "VALIDATING MANIFEST CONTENT: $(RESOLVED)"
+	$(ENV) PYTHONPATH=$(WS_TOOLS)/python PROTO_PATH="$(PKG_PROTO_DIRS)"\
+		$(PKGLINT) $(CANONICAL_REPO:%=-c $(WS_LINT_CACHE)) \
+			-f $(WS_TOOLS)/pkglintrc $(RESOLVED)
+
+FRC:
+
 
 # published
 PKGSEND_PUBLISH_OPTIONS = -s $(PKG_REPO) publish --fmri-in-manifest
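Review bot: The `lintme` recipe repeats the pkglint command line from the rule just above it, minus the stamp file, so the two copies can drift apart; for a lint step that now carries the ASLR tagging check, a stale copy means a weaker check that nobody notices. Defining the command once in a variable and expanding it in both recipes would avoid that. Since this file already relies on GNU make features, `.PHONY: lintme` would state the always-run intent more directly than the empty `FRC:` target. The preceding rule begins outside this hunk.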
--- a/make-rules/shared-macros.mk	Thu Jan 31 15:47:26 2013 -0800
+++ b/make-rules/shared-macros.mk	Fri Feb 01 18:32:13 2013 -0800
@@ -601,6 +601,16 @@
 # use direct binding
 LD_B_DIRECT =		-Bdirect
 
+# use generic macro names for enabling/disabling ASLR
+ASLR_ENABLE = 		-z aslr=enable
+ASLR_DISABLE = 		-z aslr=disable
+ASLR_MODE = 		$(ASLR_DISABLE)
+
+# by default, turn off Address Space Layout Randomization for ELF executables;
+# to explicitly enable ASLR, set ASLR_MODE = $(ASLR_ENABLE)
+# in that component's Makefile
+LD_Z_ASLR =		$(ASLR_MODE)
+
 #
 # More Solaris linker flags that we want to be sure that everyone gets.  This
 # is automatically added to the calling environment during the 'build' and
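Review bot: `ASLR_MODE = $(ASLR_DISABLE)` makes the hardening opt-in, and the default is an explicit `-z aslr=disable` tag rather than no tag at all. If I read the Solaris tagging model correctly (worth confirming), that keeps every executable from a non-opted-in component unrandomized even when the system-wide policy would otherwise enable ASLR. The accompanying pkglint check only issues a warning for such binaries, so new components will quietly stay at the weak default. Consider having the comment require a stated reason next to any component that stays disabled, e.g. `# components that cannot run with ASLR must say why in their Makefile`, and recording the intent to flip the default once the core-dumping builds are fixed.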
@@ -633,12 +643,17 @@
 LD_OPTIONS +=	$(LD_MAP_NOEXSTK.$(MACH)) $(LD_MAP_NOEXDATA.$(MACH)) \
 		$(LD_MAP_PAGEALIGN) $(LD_B_DIRECT) $(LD_Z_IGNORE)
 
+# only used on executables
+LD_EXEC_OPTIONS = $(LD_Z_ASLR)
+
 # Environment variables and arguments passed into the build and install
 # environment(s).  These are the initial settings.
 COMPONENT_BUILD_ENV= \
-    LD_OPTIONS="$(LD_OPTIONS)"
+    LD_OPTIONS="$(LD_OPTIONS)" \
+    LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"
 COMPONENT_INSTALL_ENV= \
-    LD_OPTIONS="$(LD_OPTIONS)"
+    LD_OPTIONS="$(LD_OPTIONS)" \
+    LD_EXEC_OPTIONS="$(LD_EXEC_OPTIONS)"
 
 # Add any bit-specific settings
 COMPONENT_BUILD_ENV += $(COMPONENT_BUILD_ENV.$(BITS))
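Review bot: The new `LD_EXEC_OPTIONS` plumbing depends on every variable in the chain being recursively expanded, which nothing here documents. Components set `ASLR_MODE = $(ASLR_ENABLE)` after including this file, and that value is picked up only when `COMPONENT_BUILD_ENV` and `COMPONENT_INSTALL_ENV` are finally expanded. A comment such as `# must stay '=': ASLR_MODE is overridden in component Makefiles after this include` would stop a later cleanup to `:=` from silently reverting every component to the disabled default. A component that reassigns `COMPONENT_BUILD_ENV` with `=` rather than `+=` would presumably drop the variable as well; none is visible in this changeset, so that is something to grep for rather than a confirmed problem.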
--- a/tools/python/pkglint/userland.py	Thu Jan 31 15:47:26 2013 -0800
+++ b/tools/python/pkglint/userland.py	Fri Feb 01 18:32:13 2013 -0800
@@ -21,7 +21,7 @@
 #
 
 #
-# Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 # Some userland consolidation specific lint checks
@@ -31,6 +31,7 @@
 import pkg.elf as elf
 import re
 import os.path
+import subprocess
 
 class UserlandActionChecker(base.ActionChecker):
         """An opensolaris.org-specific class to check actions."""
@@ -200,6 +201,39 @@
 
 		return result
 
+	def __elf_aslr_check(self, path, engine):
+		result = None
+
+		ei = elf.get_info(path)
+		type = ei.get("type");
+		if type != "exe":
+			return result
+
+		# get the ASLR tag string for this binary
+		aslr_tag_process = subprocess.Popen(
+			"/usr/bin/elfedit -r -e 'dyn:sunw_aslr' "
+			+ path, shell=True,
+			stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+		# aslr_tag_string will get stdout; err will get stderr
+		aslr_tag_string, err = aslr_tag_process.communicate()
+
+		# No ASLR tag was found; everthing must be tagged
+		if aslr_tag_process.returncode != 0:
+			engine.error(
+				_("'%s' is not tagged for aslr") % (path),
+				msgid="%s%s.5" % (self.name, "001"))
+			return result
+
+		# look for "ENABLE" anywhere in the string;
+		# warn about binaries which are not ASLR enabled
+		if re.search("ENABLE", aslr_tag_string) is not None:
+			return result
+		engine.warning(
+			_("'%s' does not have aslr enabled") % (path),
+			msgid="%s%s.6" % (self.name, "001"))
+		return result
+
 	def __elf_runpath_check(self, path, engine):
 		result = None
 		list = []
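Review bot: The `subprocess.Popen` call in `__elf_aslr_check` builds a shell command by concatenating `path` and runs it with `shell=True`, so a file name in the proto area that contains spaces or shell metacharacters is interpreted by the shell instead of being handed to elfedit as one argument. Pass an argument vector and drop the shell: `subprocess.Popen(["/usr/bin/elfedit", "-r", "-e", "dyn:sunw_aslr", path], stdout=subprocess.PIPE, stderr=subprocess.PIPE)`. Separately, any non-zero exit is reported as "not tagged for aslr" and `err` is discarded, so an elfedit failure for some other reason would be mislabelled. Including `err` in the error message would make the two cases distinguishable.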
@@ -325,6 +359,7 @@
 				if result != None:
 					engine.error(result % path, 
 						msgid="%s%s.3" % (self.name, pkglint_id))
+				result = self.__elf_aslr_check(fullpath, engine)
 
 	file_action.pkglint_desc = _("Paths should exist in the proto area.")
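Review bot: The added `result = self.__elf_aslr_check(fullpath, engine)` stores a value that is always `None`, because the new method reports through `engine.error`/`engine.warning` itself and returns `None` on every path. That differs from the sibling check above it, whose returned message is formatted and reported by the caller, and the dead assignment suggests a contract the method does not have. Either call it as a statement, `self.__elf_aslr_check(fullpath, engine)`, or make it return a message string like its sibling. The enclosing method starts outside this hunk, so whether the call sits inside the ELF-only branch cannot be confirmed from here.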