changeset 3132:fad7f1e7be70
PR1714: Update PaX support to detect running PaX kernel and use newer tools
2014-03-25 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1714: Update PaX support to detect running PaX
kernel and use newer tools
* Makefile.am:
(add-archive): Depend on pax-mark-vm as the target executes java.
(add-archive-debug): Likewise with pax-mark-vm-debug.
(check-crypto): Depend on pax-mark-vm as the target executes java.
(check-crypto-debug): Likewise with pax-mark-vm-debug.
(add-archive-ecj): Depend on pax-mark-vm-ecj as the target executes java.
(check-crypto-boot): Likewise.
* NEWS: Updated.
* acinclude.m4:
(IT_HAS_PAX): New macro to detect whether the running
kernel uses PaX.
(IT_WITH_PAX): Rewritten to search for PaX tools -
currently paxmark.sh, paxctl-ng, chpax and paxctl -
and fail if a tool isn't found and a PaX kernel is
being used.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Wed, 26 Mar 2014 05:05:39 +0000 |
parents | 8796f8cdd621 |
children | aea5755bef42 |
files | ChangeLog Makefile.am NEWS acinclude.m4 |
diffstat | 4 files changed, 92 insertions(+), 38 deletions(-) [+] |
--- a/ChangeLog Thu Jan 23 18:56:55 2014 +0000
+++ b/ChangeLog Wed Mar 26 05:05:39 2014 +0000
@@ -1,3 +1,23 @@
+2014-03-25 Andrew John Hughes <gnu.andrew@member.fsf.org>
+
+ PR1714: Update PaX support to detect running PaX
+ kernel and use newer tools
+ * Makefile.am:
+ (add-archive): Depend on pax-mark-vm as the target executes java.
+ (add-archive-debug): Likewise with pax-mark-vm-debug.
+ (check-crypto): Depend on pax-mark-vm as the target executes java.
+ (check-crypto-debug): Likewise with pax-mark-vm-debug.
+ (add-archive-ecj): Depend on pax-mark-vm-ecj as the target executes java.
+ (check-crypto-boot): Likewise.
+ * NEWS: Updated.
+ * acinclude.m4:
+ (IT_HAS_PAX): New macro to detect whether the running
+ kernel uses PaX.
+ (IT_WITH_PAX): Rewritten to search for PaX tools -
+ currently paxmark.sh, paxctl-ng, chpax and paxctl -
+ and fail if a tool isn't found and a PaX kernel is
+ being used.
+
 2014-01-23 Andrew John Hughes <gnu.andrew@redhat.com>
 * acinclude.m4:
--- a/Makefile.am Thu Jan 23 18:56:55 2014 +0000
+++ b/Makefile.am Wed Mar 26 05:05:39 2014 +0000
@@ -1986,7 +1986,7 @@
 fi
 rm -f stamps/add-tzdata-support-debug.stamp
-stamps/add-archive.stamp: stamps/icedtea.stamp
+stamps/add-archive.stamp: stamps/pax-mark-vm.stamp
 if !ENABLE_JAMVM
 if !ENABLE_CACAO
 if !ZERO_BUILD
@@ -2002,7 +2002,7 @@
 rm -vf $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/$(INSTALL_ARCH_DIR)/*/*.jsa
 rm -f stamps/add-archive.stamp
-stamps/add-archive-debug.stamp: stamps/icedtea-debug.stamp
+stamps/add-archive-debug.stamp: stamps/pax-mark-vm-debug.stamp
 if !ENABLE_JAMVM
 if !ENABLE_CACAO
 if !ZERO_BUILD
@@ -2036,7 +2036,7 @@
 clean-pax-mark-vm-debug:
 rm -f stamps/pax-mark-vm-debug.stamp
-stamps/check-crypto.stamp: stamps/cryptocheck.stamp stamps/icedtea.stamp
+stamps/check-crypto.stamp: stamps/cryptocheck.stamp stamps/pax-mark-vm.stamp
 if [ -e $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ] ; then \
 $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
 fi
@@ -2046,7 +2046,7 @@
 clean-check-crypto:
 rm -f stamps/check-crypto.stamp
-stamps/check-crypto-debug.stamp: stamps/cryptocheck.stamp stamps/icedtea-debug.stamp
+stamps/check-crypto-debug.stamp: stamps/cryptocheck.stamp stamps/pax-mark-vm-debug.stamp
 if [ -e $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ] ; then \
 $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
 fi
@@ -2205,7 +2205,7 @@
 fi
 rm -f stamps/add-tzdata-support-ecj.stamp
-stamps/add-archive-ecj.stamp: stamps/icedtea-ecj.stamp
+stamps/add-archive-ecj.stamp: stamps/pax-mark-vm-ecj.stamp
 if !ENABLE_JAMVM
 if !ENABLE_CACAO
 if !ZERO_BUILD
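Review bot: Nothing at the changed rule for `stamps/add-archive.stamp` records why its prerequisite moved from the icedtea stamp to the pax-mark-vm stamp; a one-line comment such as `# Executes the freshly built java, so the VM must be PaX-marked first` would keep the ordering from being reverted later. The same comment applies to add-archive-debug, check-crypto, check-crypto-debug and add-archive-ecj in the following hunks, and to check-crypto-boot in the last one. The rules that create the pax-mark-vm stamps lie outside these hunks, so it is worth confirming that they still depend on the matching icedtea stamp and are produced when WITH_PAX is false; otherwise these targets lose their build prerequisite.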
@@ -2230,7 +2230,7 @@
 clean-pax-mark-vm-ecj:
 rm -f stamps/pax-mark-vm-ecj.stamp
-stamps/check-crypto-boot.stamp: stamps/cryptocheck.stamp stamps/icedtea-ecj.stamp
+stamps/check-crypto-boot.stamp: stamps/cryptocheck.stamp stamps/pax-mark-vm-ecj.stamp
 if [ -e $(ECJ_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java ] ; then \
 $(ECJ_BUILD_OUTPUT_DIR)/j2sdk-image/bin/java -cp $(CRYPTO_CHECK_BUILD_DIR) TestCryptoLevel ; \
 fi
--- a/NEWS Thu Jan 23 18:56:55 2014 +0000
+++ b/NEWS Wed Mar 26 05:05:39 2014 +0000
@@ -14,6 +14,9 @@
 New in release 1.13.2 (2014-04-XX):
+* Bug fixes
+ - PR1714: Update PaX support to detect running PaX kernel and use newer tools
+
 New in release 1.13.1 (2014-01-22):
 * Security fixes
--- a/acinclude.m4 Thu Jan 23 18:56:55 2014 +0000
+++ b/acinclude.m4 Wed Mar 26 05:05:39 2014 +0000
@@ -2139,48 +2139,79 @@
 AM_CONDITIONAL([VM_SUPPORTS_XBOOTCLASSPATH], test x"${it_cv_xbootclasspath_works}" = "xyes")
 ])
+AC_DEFUN_ONCE([IT_HAS_PAX],
+[
+ AC_MSG_CHECKING([if a PaX kernel is in use])
+ if cat /proc/self/status | grep '^PaX' >&AS_MESSAGE_LOG_FD 2>&1; then
+ pax_active=yes;
+ else
+ pax_active=no;
+ fi
+ AC_MSG_RESULT([${pax_active}])
+ AM_CONDITIONAL([USING_PAX], test x"${pax_active}" = "xyes")
+])
+
 AC_DEFUN_ONCE([IT_WITH_PAX],
 [
- AC_MSG_CHECKING([for pax utility to use])
+ AC_REQUIRE([IT_HAS_PAX])
+ PAX_DEFAULT=/usr/sbin/paxmark.sh
+ AC_MSG_CHECKING([if a PaX utility was specified])
 AC_ARG_WITH([pax],
 [AS_HELP_STRING(--with-pax=COMMAND,the command used for pax marking)],
 [
- PAX_COMMAND=${withval}
- if test "x${PAX_COMMAND}" = "xno"; then
- PAX_COMMAND="not specified"
+ if test "x${withval}" = "xyes"; then
+ PAX_COMMAND=no
+ else
+ PAX_COMMAND="${withval}"
 fi
 ],
 [
- PAX_COMMAND="not specified"
+ PAX_COMMAND=no
 ])
- case "x${PAX_COMMAND}" in
- xchpax)
- case "${host_cpu}" in
- i?86)
- PAX_COMMAND_ARGS="-msp"
- ;;
- *)
- PAX_COMMAND_ARGS="-m"
- ;;
- esac
- ;;
- xpaxctl)
- case "${host_cpu}" in
- i?86)
- PAX_COMMAND_ARGS="-msp"
- ;;
- *)
- PAX_COMMAND_ARGS="-m"
- ;;
- esac
- ;;
- *)
- PAX_COMMAND="not specified"
- PAX_COMMAND_ARGS="not specified"
- ;;
- esac
+ AC_MSG_RESULT(${PAX_COMMAND})
+ if test "x${PAX_COMMAND}" == "xno"; then
+ PAX_COMMAND=${PAX_DEFAULT}
+ fi
+ AC_MSG_CHECKING([if $PAX_COMMAND is a valid executable file])
+ if test -x "${PAX_COMMAND}" && test -f "${PAX_COMMAND}"; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ PAX_COMMAND=""
+ AC_PATH_PROG(PAX_COMMAND, "paxmark.sh")
+ if test -z "${PAX_COMMAND}"; then
+ AC_PATH_PROG(PAX_COMMAND, "paxctl-ng")
+ fi
+ if test -z "${PAX_COMMAND}"; then
+ AC_PATH_PROG(PAX_COMMAND, "chpax")
+ fi
+ if test -z "${PAX_COMMAND}"; then
+ AC_PATH_PROG(PAX_COMMAND, "paxctl")
+ fi
+ if test -z "${PAX_COMMAND}"; then
+ if test "x${pax_active}" = "xyes"; then
+ AC_MSG_ERROR("No PaX utility found and running on a PaX kernel.")
+ else
+ AC_MSG_WARN("No PaX utility found.")
+ fi
+ fi
+ fi
+ if test -z "${PAX_COMMAND}"; then
+ PAX_COMMAND="not specified"
+ PAX_COMMAND_ARGS="not specified"
+ else
+ AC_MSG_CHECKING([which options to pass to ${PAX_COMMAND}])
+ case "${host_cpu}" in
+ i?86)
+ PAX_COMMAND_ARGS="-msp"
+ ;;
+ *)
+ PAX_COMMAND_ARGS="-m"
+ ;;
+ esac
+ AC_MSG_RESULT(${PAX_COMMAND_ARGS})
+ fi
 AM_CONDITIONAL(WITH_PAX, test "x${PAX_COMMAND}" != "xnot specified")
- AC_MSG_RESULT(${PAX_COMMAND})
 AC_SUBST(PAX_COMMAND)
 AC_SUBST(PAX_COMMAND_ARGS)
 ])
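Review bot: The new check `if test "x${PAX_COMMAND}" == "xno"; then` in IT_WITH_PAX uses `==`, which POSIX `test` does not define; under a shell whose `test` lacks it (dash is a common /bin/sh) the comparison fails and `PAX_DEFAULT` is never substituted, so it should read `if test "x${PAX_COMMAND}" = "xno"; then`. An explicit `--with-pax=COMMAND` that fails the `-x`/`-f` test only prints `no` and falls through to the `AC_PATH_PROG` search, so the VM may be marked with a different tool than the one requested; raising `AC_MSG_ERROR` for a user-supplied value that is not executable would make that visible. `--without-pax` also no longer maps to "not specified" as the removed lines did, which leaves no way to opt out of marking. IT_HAS_PAX reads `/proc/self/status` on the build host only, so a comment there should say that a build on a non-PaX kernel with no tool installed leaves the binaries unmarked.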