paxctl(8): Introduce -0 option to clear all PaX flag bits in ELF note.

Part of PR toolchain/52675
2023-06-23 01:56:21 +00:00 · 2023-06-23 01:56:21 +00:00 · f598570bdb
parent d375f34d40
commit f598570bdb
2 changed files with 36 additions and 17 deletions
--- a/usr.sbin/paxctl/paxctl.8
+++ b/usr.sbin/paxctl/paxctl.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: paxctl.8,v 1.16 2016/11/08 08:21:52 wiz Exp $
+.\"	$NetBSD: paxctl.8,v 1.17 2023/06/23 01:56:21 rin Exp $
 .\"
 .\" Copyright 2006 Elad Efrat <elad@NetBSD.org>
 .\" Copyright 2008 Christos Zoulas <christos@NetBSD.org>
@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 7, 2016
+.Dd June 23, 2023
 .Dt PAXCTL 8
 .Os
 .Sh NAME
@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Ar flags
+.Op -0 | flags
 .Ar program ...
 .Sh DESCRIPTION
 The
@ -44,7 +44,10 @@ can be found in the
 .Xr security 7
 manpage.
 .Pp
-Each flag can be prefixed either with a
+If
+.Fl 0
+option is specified, all PaX flags (including reserved bits) are cleared.
+Otherwise, each flag can be prefixed either with a
 .Dq +
 or a
 .Dq -
--- a/usr.sbin/paxctl/paxctl.c
+++ b/usr.sbin/paxctl/paxctl.c
@ -1,4 +1,4 @@
-/* $NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $ */
+/* $NetBSD: paxctl.c,v 1.13 2023/06/23 01:56:21 rin Exp $ */

 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
@ -34,7 +34,7 @@
 #include <sys/cdefs.h>
 #ifndef lint
 #ifdef __RCSID
-__RCSID("$NetBSD: paxctl.c,v 1.12 2009/10/27 16:27:47 christos Exp $");
+__RCSID("$NetBSD: paxctl.c,v 1.13 2023/06/23 01:56:21 rin Exp $");
 #endif
 #endif /* not lint */

@ -98,7 +98,8 @@ static const struct paxflag {
 static void
 usage(void)
 {
-	(void)fprintf(stderr, "Usage: %s [ <-|+><A|a|G|g|M|m> ] <file> ...\n",
+	(void)fprintf(stderr,
+	    "Usage: %s [ -0 | <-|+><A|a|G|g|M|m> ] <file> ...\n",
 #if HAVE_NBTOOL_CONFIG_H
 	    "paxctl"
 #else
@ -165,7 +166,7 @@ pax_printflags(const char *name, int many, uint32_t f)

 static int
 process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
-    int list, int many)
+    int clear, int list, int many)
 {
 	union {
 	    Elf32_Ehdr h32;
@ -279,8 +280,12 @@ process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
 			break;
 		}

-		pax_tag.flags |= SWAP(add_flags);
-		pax_tag.flags &= SWAP(~del_flags);
+		if (clear) {
+			pax_tag.flags = 0;
+		} else {
+			pax_tag.flags |= SWAP(add_flags);
+			pax_tag.flags &= SWAP(~del_flags);
+		}

 		if (!pax_flags_sane(SWAP(pax_tag.flags))) {
 			warnx("New flags 0x%x don't make sense",
@ -315,7 +320,7 @@ int
 main(int argc, char **argv)
 {
 	char *opt;
-	int i, list = 0, bad = 0, many, minus;
+	int i, clear = 0, list = 0, bad = 0, many, minus;
 	uint32_t add_flags = 0, del_flags = 0;

 	setprogname(argv[0]);
@ -326,6 +331,11 @@ main(int argc, char **argv)
 	for (i = 1; i < argc; i++) {
 		opt = argv[i];

+		if (strcmp(opt, "-0") == 0) {
+			clear = 1;
+			continue;
+		}
+
 		if (*opt == '-' || *opt == '+') {
 			uint32_t t;
 			minus = 0;
@ -361,15 +371,21 @@ main(int argc, char **argv)
 	if (i == argc)
 		usage();

-	if (add_flags || del_flags) {
-		if (list)
-			usage();
-	} else
+	switch ((add_flags != 0 || del_flags != 0) + clear) {
+	case 0:
 		list = 1;
+		break;
+	case 1:
+		break;
+	default:
+		usage();
+	}

 	many = i != argc - 1;
-	for (; i < argc; i++)
-		bad |= process_one(argv[i], add_flags, del_flags, list, many);
+	for (; i < argc; i++) {
+		bad |= process_one(argv[i], add_flags, del_flags,
+		    clear, list, many);
+	}

 	return bad ? EXIT_FAILURE : 0;
 }