diff --git a/usr.bin/crunch/crunchgen/crunchgen.c b/usr.bin/crunch/crunchgen/crunchgen.c
index 22cca4a6efdc..a0c7ae56d05a 100644
--- a/usr.bin/crunch/crunchgen/crunchgen.c
+++ b/usr.bin/crunch/crunchgen/crunchgen.c
@@ -55,7 +55,7 @@ __RCSID("$NetBSD: crunchgen.c,v 1.94 2019/12/29 18:26:16 christos Exp $");
 #include
 #include
-#define CRUNCH_VERSION "20191223"
+#define CRUNCH_VERSION "20230605"
 #define MAXLINELEN 16384
 #define MAXFIELDS 2048
@@ -991,7 +991,7 @@ top_makefile_rules(FILE *outmk)
 fprintf(outmk, "PROG=%s\n\n", execfname);
- fprintf(outmk, "OBJCOPY_REMOVE_FLAGS=-R .eh_frame_hdr -R .note -R .note.netbsd.pax -R .ident -R .comment -R .copyright\n\n");
+ fprintf(outmk, "OBJCOPY_REMOVE_FLAGS=-R .eh_frame_hdr -R .note -R .ident -R .comment -R .copyright\n\n");
 fprintf(outmk, "OBJCOPY_REMOVE_FLAGS+=-R .eh_frame\n");
 fprintf(outmk, ".if ${MACHINE} != \"sparc64\"\n");
@@ -1003,9 +1003,10 @@ top_makefile_rules(FILE *outmk)
 fprintf(outmk, "${PROG}.strip:\n");
 fprintf(outmk, "\t${MAKE} -f ${PROG}.mk ${PROG}\n");
 fprintf(outmk, "\t@[ -f ${PROG}.unstripped -a ! ${PROG} -nt ${PROG}.unstripped ] || { \\\n");
- fprintf(outmk, "\t\t${_MKSHMSG:Uecho} \" strip \" ${PROG}; \\\n");
+ fprintf(outmk, "\t\t${_MKSHMSG:Uecho} \" strip and clear PaX flags \" ${PROG}; \\\n");
 fprintf(outmk, "\t\tcp ${PROG} ${PROG}.unstripped && \\\n");
 fprintf(outmk, "\t\t${OBJCOPY} -S ${OBJCOPY_REMOVE_FLAGS} ${PROG} && \\\n");
+ fprintf(outmk, "\t\t${PAXCTL} -0 ${PROG} && \\\n");
 fprintf(outmk, "\t\ttouch ${PROG}.unstripped; \\\n");
 fprintf(outmk, "\t}\n");
 fprintf(outmk, "objs: $(SUBMAKE_TARGETS)\n");
diff --git a/usr.sbin/paxctl/paxctl.8 b/usr.sbin/paxctl/paxctl.8
index 5f61b0563d0d..b2f08cc0f63d 100644
--- a/usr.sbin/paxctl/paxctl.8
+++ b/usr.sbin/paxctl/paxctl.8
@@ -23,7 +23,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 7, 2016
+.Dd June 5, 2023
 .Dt PAXCTL 8
 .Os
 .Sh NAME
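Review bot: The new `${PAXCTL} -0 ${PROG}` step in the `${PROG}.strip` rule of top_makefile_rules() (crunchgen.c, hunk at -1003) uses a make variable that none of the visible hunks define or default in the generated makefile. If no included mk file sets it, the variable expands to nothing, the shell is handed `-0 ${PROG}` as a command, and the `&&` chain stops after objcopy has already rewritten `${PROG}` in place and before the `touch`. Consider emitting a default next to OBJCOPY_REMOVE_FLAGS, e.g. `fprintf(outmk, "PAXCTL?=paxctl\n");`, and adding a comment there saying that the `.note.netbsd.pax` section is now kept (hunk at -991) and zeroed by paxctl rather than removed by objcopy. The function body starts and ends outside both hunks.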
@@ -31,7 +31,7 @@
 .Nd list and modify PaX flags associated with an ELF program
 .Sh SYNOPSIS
 .Nm
-.Ar flags
+.Op -0 | flags
 .Ar program ...
 .Sh DESCRIPTION
 The
@@ -44,7 +44,10 @@ can be found in the
 .Xr security 7
 manpage.
 .Pp
-Each flag can be prefixed either with a
+If
+.Fl 0
+option is specified, all PaX flags are cleared.
+Otherwise, each flag can be prefixed either with a
 .Dq +
 or a
 .Dq -
diff --git a/usr.sbin/paxctl/paxctl.c b/usr.sbin/paxctl/paxctl.c
index 12dacc46ac1b..efb99c90576d 100644
--- a/usr.sbin/paxctl/paxctl.c
+++ b/usr.sbin/paxctl/paxctl.c
@@ -98,7 +98,8 @@ static const struct paxflag {
 static void
 usage(void)
 {
- (void)fprintf(stderr, "Usage: %s [ <-|+> ] ...\n",
+ (void)fprintf(stderr,
+ "Usage: %s [ -0 | <-|+> ] ...\n",
 #if HAVE_NBTOOL_CONFIG_H
 "paxctl"
 #else
@@ -165,7 +166,7 @@ pax_printflags(const char *name, int many, uint32_t f)
 static int
 process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
- int list, int many)
+ int clear, int list, int many)
 {
 union {
 Elf32_Ehdr h32;
@@ -279,8 +280,12 @@ process_one(const char *name, uint32_t add_flags, uint32_t del_flags,
 break;
 }
- pax_tag.flags |= SWAP(add_flags);
- pax_tag.flags &= SWAP(~del_flags);
+ if (clear) {
+ pax_tag.flags = 0;
+ } else {
+ pax_tag.flags |= SWAP(add_flags);
+ pax_tag.flags &= SWAP(~del_flags);
+ }
 if (!pax_flags_sane(SWAP(pax_tag.flags))) {
 warnx("New flags 0x%x don't make sense",
@@ -315,7 +320,7 @@ int
 main(int argc, char **argv)
 {
 char *opt;
- int i, list = 0, bad = 0, many, minus;
+ int i, clear = 0, list = 0, bad = 0, many, minus;
 uint32_t add_flags = 0, del_flags = 0;
 setprogname(argv[0]);
@@ -326,6 +331,11 @@ main(int argc, char **argv)
 for (i = 1; i < argc; i++) {
 opt = argv[i];
+ if (strcmp(opt, "-0") == 0) {
+ clear = 1;
+ continue;
+ }
+
 if (*opt == '-' || *opt == '+') {
 uint32_t t;
 minus = 0;
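Review bot: In process_one() (paxctl.c, hunk at -279) the new `clear` branch silently ignores `add_flags` and `del_flags`, and nothing at the function documents that callers must not pass both. main() does reject the combination through its `usage()` path in the last hunk, so a one-line comment on the branch would record the contract: `/* -0: zero every PaX flag; add_flags/del_flags are ignored, main() rejects mixing them */`. A related point on the signature hunk at -165: `clear`, `list` and `many` are now three adjacent `int` parameters that are easy to transpose at a call site, so a short parameter comment there would help as well. The function starts and ends outside these hunks.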
@@ -361,15 +371,21 @@ main(int argc, char **argv)
 if (i == argc)
 usage();
- if (add_flags || del_flags) {
- if (list)
- usage();
- } else
+ switch ((add_flags != 0 || del_flags != 0) + clear) {
+ case 0:
 list = 1;
+ break;
+ case 1:
+ break;
+ default:
+ usage();
+ }
 many = i != argc - 1;
- for (; i < argc; i++)
- bad |= process_one(argv[i], add_flags, del_flags, list, many);
+ for (; i < argc; i++) {
+ bad |= process_one(argv[i], add_flags, del_flags,
+ clear, list, many);
+ }
 return bad ? EXIT_FAILURE : 0;
 }
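Review bot: The `switch ((add_flags != 0 || del_flags != 0) + clear)` in main() (paxctl.c, hunk at -361) encodes "flags and -0 are mutually exclusive" as arithmetic on two truth values, which is correct only while `clear` is exactly 0 or 1 and is hard to read at a glance. Spelling the two conditions out keeps the behaviour and makes the intent reviewable: `if (clear && (add_flags || del_flags)) usage();` followed by `if (!clear && !add_flags && !del_flags) list = 1;`. main() begins outside this hunk.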