Diffstat (limited to 'bin/misc-functions.sh')
-rwxr-xr-x | bin/misc-functions.sh | 113 |
1 files changed, 60 insertions, 53 deletions
diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
index df85d4db2..6d6425cb7 100755
--- a/bin/misc-functions.sh
+++ b/bin/misc-functions.sh
@@ -25,45 +25,50 @@ install_qa_check() { declare -i UNSAFE=0 for i in $(find "${D}/" -type f -perm -2002); do ((UNSAFE++)) - echo "UNSAFE SetGID: $i" + vecho "UNSAFE SetGID: $i" chmod -s,o-w "$i" done for i in $(find "${D}/" -type f -perm -4002); do ((UNSAFE++)) - echo "UNSAFE SetUID: $i" + vecho "UNSAFE SetUID: $i" chmod -s,o-w "$i" done # Now we look for all world writable files. for i in $(find "${D}/" -type f -perm -2); do - echo -ne '\a' - echo "QA Security Notice:" - echo "- ${i:${#D}:${#i}} will be a world writable file." - echo "- This may or may not be a security problem, most of the time it is one." - echo "- Please double check that $PF really needs a world writeable bit and file bugs accordingly." + vecho -ne '\a' + vecho "QA Security Notice:" + vecho "- ${i:${#D}:${#i}} will be a world writable file." + vecho "- This may or may not be a security problem, most of the time it is one." + vecho "- Please double check that $PF really needs a world writeable bit and file bugs accordingly." sleep 1 done if type -p scanelf > /dev/null ; then - local qa_var insecure_rpath=0 - + local qa_var insecure_rpath=0 tmp_quiet=${PORTAGE_QUIET} + + # display warnings when using stricter because we die afterwards + if has stricter ${FEATURES}; then + unset PORTAGE_QUIET + fi + # Make sure we disallow insecure RUNPATH/RPATH's # Don't want paths that point to the tree where the package was built # (older, broken libtools would do this). Also check for null paths # because the loader will search $PWD when it finds null paths. f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )") if [[ -n ${f} ]] ; then - echo -ne '\a\n' - echo "QA Notice: the following files contain insecure RUNPATH's" - echo " Please file a bug about this at http://bugs.gentoo.org/" - echo " with the maintaining herd of the package." 
- echo " Summary: $CATEGORY/$PN: insecure RPATH ${f}" - echo "${f}" - echo -ne '\a\n' + vecho -ne '\a\n' + vecho "QA Notice: the following files contain insecure RUNPATH's" + vecho " Please file a bug about this at http://bugs.gentoo.org/" + vecho " with the maintaining herd of the package." + vecho " Summary: $CATEGORY/$PN: insecure RPATH ${f}" + vecho "${f}" + vecho -ne '\a\n' if has stricter ${FEATURES}; then insecure_rpath=1 else - echo "Auto fixing rpaths for ${f}" + vecho "Auto fixing rpaths for ${f}" TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null fi fi @@ -71,12 +76,12 @@ install_qa_check() { # Check for setid binaries but are not built with BIND_NOW f=$(scanelf -qyRF '%b %p' "${D}") if [[ -n ${f} ]] ; then - echo -ne '\a\n' - echo "QA Notice: the following files are setXid, dyn linked, and using lazy bindings" - echo " This combination is generally discouraged. Try re-emerging the package:" - echo " LDFLAGS='-Wl,-z,now' emerge ${PN}" - echo "${f}" - echo -ne '\a\n' + vecho -ne '\a\n' + vecho "QA Notice: the following files are setXid, dyn linked, and using lazy bindings" + vecho " This combination is generally discouraged. Try re-emerging the package:" + vecho " LDFLAGS='-Wl,-z,now' emerge ${PN}" + vecho "${f}" + vecho -ne '\a\n' die_msg="${die_msg} setXid lazy bindings," sleep 1 fi 
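Review bot: The SetGID/SetUID and world-writable notices at the top of the hunk are now routed through `vecho`, so under PORTAGE_QUIET the `chmod -s,o-w "$i"` that follows runs with no visible record of which files had their modes changed; the `unset PORTAGE_QUIET` escape added for `stricter` sits below these loops, inside the `type -p scanelf` branch, and does not cover them. Since these messages describe a permission change actually applied to the image rather than optional progress chatter, consider keeping them on an unconditional channel, e.g. `echo "UNSAFE SetGID: $i" >&2`, or moving the `tmp_quiet`/`unset` block ahead of the three `find` loops. `vecho -ne '\a'` also assumes vecho forwards echo's flags unchanged, which cannot be confirmed from this diff. The same silencing applies to the notices in the hunks at -71, -99 and -147, whose `die_msg` bookkeeping still runs; install_qa_check begins before this hunk.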
@@ -99,17 +104,17 @@ install_qa_check() { done if [[ -n ${f} ]] ; then scanelf -qyRF '%T %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-textrel.log - echo -ne '\a\n' - echo "QA Notice: the following files contain runtime text relocations" - echo " Text relocations force the dynamic linker to perform extra" - echo " work at startup, waste system resources, and may pose a security" - echo " risk. On some architectures, the code may not even function" - echo " properly, if at all." - echo " For more information, see http://hardened.gentoo.org/pic-fix-guide.xml" - echo " Please include this file in your report:" - echo " ${T}/scanelf-textrel.log" - echo "${f[@]}" - echo -ne '\a\n' + vecho -ne '\a\n' + vecho "QA Notice: the following files contain runtime text relocations" + vecho " Text relocations force the dynamic linker to perform extra" + vecho " work at startup, waste system resources, and may pose a security" + vecho " risk. On some architectures, the code may not even function" + vecho " properly, if at all." + vecho " For more information, see http://hardened.gentoo.org/pic-fix-guide.xml" + vecho " Please include this file in your report:" + vecho " ${T}/scanelf-textrel.log" + vecho "${f[@]}" + vecho -ne '\a\n' die_msg="${die_msg} textrels," sleep 1 fi 
@@ -147,16 +152,16 @@ install_qa_check() { if [[ -n ${f} ]] ; then # One more pass to help devs track down the source scanelf -qyRF '%e %p' "${PORTAGE_BUILDDIR}"/ &> "${T}"/scanelf-execstack.log - echo -ne '\a\n' - echo "QA Notice: the following files contain executable stacks" - echo " Files with executable stacks will not work properly (or at all!)" - echo " on some architectures/operating systems. A bug should be filed" - echo " at http://bugs.gentoo.org/ to make sure the file is fixed." - echo " For more information, see http://hardened.gentoo.org/gnu-stack.xml" - echo " Please include this file in your report:" - echo " ${T}/scanelf-execstack.log" - echo "${f}" - echo -ne '\a\n' + vecho -ne '\a\n' + vecho "QA Notice: the following files contain executable stacks" + vecho " Files with executable stacks will not work properly (or at all!)" + vecho " on some architectures/operating systems. A bug should be filed" + vecho " at http://bugs.gentoo.org/ to make sure the file is fixed." + vecho " For more information, see http://hardened.gentoo.org/gnu-stack.xml" + vecho " Please include this file in your report:" + vecho " ${T}/scanelf-execstack.log" + vecho "${f}" + vecho -ne '\a\n' die_msg="${die_msg} execstacks" sleep 1 fi @@ -169,6 +174,8 @@ install_qa_check() { elif [[ ${die_msg} != "" ]] && has stricter ${FEATURES} && ! has stricter ${RESTRICT} ; then die "Aborting due to QA concerns: ${die_msg}" fi + + PORTAGE_QUIET=${tmp_quiet} fi if [[ ${UNSAFE} > 0 ]] ; then 
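Review bot: `PORTAGE_QUIET=${tmp_quiet}` at the end of the `type -p scanelf` branch restores an empty-but-set variable when PORTAGE_QUIET was not set at all, because `tmp_quiet=${PORTAGE_QUIET}` captured an empty string and the `stricter` path then did `unset PORTAGE_QUIET`. Whether that difference matters depends on how vecho and later code test the variable, which this diff does not show; a restore that preserves the original state avoids the question: `if [[ -n ${tmp_quiet} ]]; then PORTAGE_QUIET=${tmp_quiet}; else unset PORTAGE_QUIET; fi`. The matching `local ... tmp_quiet` declaration and the `unset` are in the hunk at -25, and install_qa_check continues past this hunk.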
@@ -287,23 +294,23 @@ preinst_suid_scan() { # total suid control. if hasq suidctl $FEATURES; then sfconf=/etc/portage/suidctl.conf - echo ">>> Preforming suid scan in ${IMAGE}" + vecho ">>> Preforming suid scan in ${IMAGE}" for i in $(find ${IMAGE}/ -type f \( -perm -4000 -o -perm -2000 \) ); do if [ -s "${sfconf}" ]; then suid="$(grep ^${i/${IMAGE}/}$ ${sfconf})" if [ "${suid}" = "${i/${IMAGE}/}" ]; then - echo "- ${i/${IMAGE}/} is an approved suid file" + vecho "- ${i/${IMAGE}/} is an approved suid file" else - echo ">>> Removing sbit on non registered ${i/${IMAGE}/}" + vecho ">>> Removing sbit on non registered ${i/${IMAGE}/}" for x in 5 4 3 2 1 0; do echo -ne "\a"; sleep 0.25 ; done - echo -ne "\a" + vecho -ne "\a" chmod ugo-s "${i}" grep ^#${i/${IMAGE}/}$ ${sfconf} > /dev/null || { # sandbox prevents us from writing directly # to files outside of the sandbox, but this # can easly be bypassed using the addwrite() function addwrite "${sfconf}" - echo ">>> Appending commented out entry to ${sfconf} for ${PF}" + vecho ">>> Appending commented out entry to ${sfconf} for ${PF}" ls_ret=$(ls -ldh "${i}") echo "## ${ls_ret%${IMAGE}*}${ls_ret#*${IMAGE}}" >> ${sfconf} echo "#${i/${IMAGE}/}" >> ${sfconf} @@ -312,7 +319,7 @@ preinst_suid_scan() { } fi else - echo "suidctl feature set but you are lacking a ${sfconf}" + vecho "suidctl feature set but you are lacking a ${sfconf}" fi done fi @@ -328,7 +335,7 @@ preinst_selinux_labels() { # only attempt to label if setfiles is executable # and 'context' is available on selinuxfs. if [ -f /selinux/context -a -x /usr/sbin/setfiles -a -x /usr/sbin/selinuxconfig ]; then - echo ">>> Setting SELinux security labels" + vecho ">>> Setting SELinux security labels" ( eval "$(/usr/sbin/selinuxconfig)" || \ die "Failed to determine SELinux policy paths."; 
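Review bot: In preinst_suid_scan the `>>> Removing sbit on non registered …` message is now silenced by PORTAGE_QUIET while the `chmod ugo-s "${i}"` it announces still runs, and the countdown loop two lines above keeps a plain `echo -ne "\a"`, so in quiet mode the user hears the bell but never learns which file lost its setuid/setgid bit. A mode change on an installed file is worth reporting unconditionally, e.g. `echo ">>> Removing sbit on non registered ${i/${IMAGE}/}" >&2`; the same applies to `suidctl feature set but you are lacking a ${sfconf}`, which reports a misconfiguration rather than progress. Separately, the unchanged approval lookup `grep ^${i/${IMAGE}/}$ ${sfconf}` passes the path as an unquoted regex, so a path containing `.` or other metacharacters can match a different entry than intended; `grep -Fx -- "${i/${IMAGE}/}" "${sfconf}"` compares it literally. preinst_suid_scan begins before this hunk.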
@@ -340,7 +347,7 @@ preinst_selinux_labels() { else # nonfatal, since merging can happen outside a SE kernel # like during a recovery situation - echo "!!! Unable to set SELinux security labels" + vecho "!!! Unable to set SELinux security labels" fi fi } @@ -362,7 +369,7 @@ dyn_package() { fi mv -f "${pkg_tmp}" "${pkg_dest}" || die "Failed to move tbz2 to ${pkg_dest}" ln -sf "../All/${PF}.tbz2" "${PKGDIR}/${CATEGORY}/${PF}.tbz2" || die "Failed to create symlink in ${PKGDIR}/${CATEGORY}" - echo ">>> Done." + vecho ">>> Done." cd "${PORTAGE_BUILDDIR}" touch .packaged || die "Failed to 'touch .packaged' in ${PORTAGE_BUILDDIR}" } |
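Review bot: `!!! Unable to set SELinux security labels` in preinst_selinux_labels is a failure diagnostic — the comment above it says merging proceeds without labels — and routing it through `vecho` means a quiet merge gives no indication that the installed files were left unlabeled. Keep it unconditional and on stderr, `echo "!!! Unable to set SELinux security labels" >&2`, or use whatever unconditional warning helper the ebuild environment provides; the `>>> Setting SELinux security labels` progress line in the hunk at -328 is fine as vecho. The `>>> Done.` change in dyn_package needs nothing. preinst_selinux_labels begins before this hunk.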