Package: pbuilder
Version: 0.223
Severity: wishlist
Tags: patch

Hi,

when grsecurity is enabled together with TPE (Trusted Path Execution), it is no longer possible to build packages with pbuilder, because the build user is running binaries in untrusted locations (if also tpe_invert is set). To still enable building, the build user has to be added to the white-listed group/gid. The attached patch does this if TPE is enabled.

Kind regards,
Reiner
From 98d4bf443e4d826513f328e155bf6fd2866e14a8 Mon Sep 17 00:00:00 2001 From: Reiner Herrmann <rei...@reiner-h.de> Date: Sun, 14 Feb 2016 22:05:21 +0100 Subject: [PATCH] Add build user to grsec-tpe group if TPE is enabled --- pbuilder-buildpackage-funcs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pbuilder-buildpackage-funcs b/pbuilder-buildpackage-funcs index 3502afb..ef66330 100644 --- a/pbuilder-buildpackage-funcs +++ b/pbuilder-buildpackage-funcs @@ -87,6 +87,16 @@ function cowprotect () { done } +function addgrsecgroup () { + # if grsecurity with TPE (Trusted Path Execution) is active, add user to allowed group + [ "$(sysctl -ne kernel.grsecurity.tpe)" = "1" ] || return 0 + [ "$(sysctl -ne kernel.grsecurity.tpe_invert)" = "1" ] || return 0 + + TPEGID=$(sysctl -n kernel.grsecurity.tpe_gid) + log.i "Adding build user to grsec-tpe group" + echo "grsec-tpe:x:$TPEGID:$BUILDUSERNAME" >> "$BUILDPLACE/etc/group" +} + function createbuilduser () { # create the build user, if it is necessary and specified. if [ -n "$BUILDUSERNAME" -a -n "$BUILDUSERID" ]; then @@ -99,6 +109,7 @@ function createbuilduser () { if ! grep -q ^$BUILDUSERNAME: $BUILDPLACE/etc/group; then cowprotect $BUILDPLACE/etc/group echo "$BUILDUSERNAME:$g:$BUILDUSERID:" >> $BUILDPLACE/etc/group + addgrsecgroup fi if [ -e $BUILDPLACE/etc/shadow ] && ! grep -q ^$BUILDUSERNAME: $BUILDPLACE/etc/shadow; then cowprotect $BUILDPLACE/etc/shadow -- 2.7.0
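Review bot: in addgrsecgroup the line `echo "grsec-tpe:x:$TPEGID:$BUILDUSERNAME" >> "$BUILDPLACE/etc/group"` is written without first checking whether a group line with that GID (or the name grsec-tpe) already exists in the chroot, so a base system that already owns $TPEGID ends up with two entries for one GID. Mirror the guard createbuilduser uses for the build user's own group, e.g. `grep -qE "^[^:]*:[^:]*:$TPEGID:" $BUILDPLACE/etc/group`, and append the user to the matching line when one exists instead of adding a new one. The function also depends on the caller having run `cowprotect $BUILDPLACE/etc/group` beforehand; that holds for the one call site in this patch, but a comment saying so (or a cowprotect call inside the function) would keep it safe if it is reused.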
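Review bot: the call to addgrsecgroup sits inside the `if ! grep -q ^$BUILDUSERNAME: $BUILDPLACE/etc/group` branch, so it only runs when the build user's group line is being created for the first time. A chroot whose build user group already exists (created before this patch, or reused across builds) never receives the TPE membership and still fails to build under TPE. Move the call after the closing `fi` of that block, with its own `cowprotect $BUILDPLACE/etc/group` and an idempotency check, so the membership is ensured on every createbuilduser run.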
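The report's fix boils down to "add the build user to the TPE whitelist group inside the chroot's /etc/group". The shell functions below are an added example, not pbuilder's or the patch author's code, of doing that idempotently: the membership is reused if present, an existing line that already owns the GID (or the name) is extended rather than duplicated, and a new line is created only when neither exists. The function and group names, the GIDs, and the sample group file are constructed for the demo; the sysctl keys are the grsecurity ones named in the patch.

```shell
#!/bin/sh
# Added example (not pbuilder's own code): grant a user membership of a group
# inside a chroot's /etc/group without producing duplicate group lines.
# Group names, GIDs and the sample group file below are constructed for the demo.

# Print the GID of the grsecurity TPE group, but only when TPE is enabled and
# tpe_invert turns that group into a whitelist (the only case in which adding
# the build user to it helps). Prints nothing and returns 1 otherwise,
# including on kernels without grsecurity (-e suppresses "unknown key" errors).
tpe_whitelist_gid() {
    command -v sysctl >/dev/null 2>&1 || return 1
    [ "$(sysctl -ne kernel.grsecurity.tpe 2>/dev/null)" = 1 ] || return 1
    [ "$(sysctl -ne kernel.grsecurity.tpe_invert 2>/dev/null)" = 1 ] || return 1
    sysctl -ne kernel.grsecurity.tpe_gid 2>/dev/null
}

# Return 0 when <user> is listed as a member of the group with numeric <gid>.
#   chroot_group_has_member <group file> <gid> <user>
chroot_group_has_member() {
    awk -F: -v gid="$2" -v u="$3" '
        $3 == gid { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Idempotently add <user> to the group with <gid>; fall back to a line named
# <name>; create "<name>:x:<gid>:<user>" only if neither exists.
# Prints the action taken: present, appended or created.
#   chroot_add_to_group <group file> <name> <gid> <user>
chroot_add_to_group() {
    gfile=$1; gname=$2; gid=$3; user=$4

    if chroot_group_has_member "$gfile" "$gid" "$user"; then
        echo present; return 0
    fi

    # Prefer matching by GID: the kernel checks the number, not the name, so a
    # base-system group that already owns this GID is the line to extend.
    bygid=1
    if ! grep -qE "^[^:]*:[^:]*:$gid:" "$gfile"; then
        if grep -q "^$gname:" "$gfile"; then
            bygid=0
        else
            printf '%s:x:%s:%s\n' "$gname" "$gid" "$user" >> "$gfile"
            echo created; return 0
        fi
    fi

    # Rewrite the file with the member list (4th field) of that one line extended.
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v bygid="$bygid" -v gid="$gid" -v name="$gname" -v u="$user" '
        !done && ((bygid && $3 == gid) || (!bygid && $1 == name)) {
            $4 = ($4 == "") ? u : $4 "," u; done = 1
        }
        { print }' "$gfile" > "$tmp" && cat "$tmp" > "$gfile"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo appended
    return "$rc"
}

# Demo on a constructed group file standing in for $BUILDPLACE/etc/group.
demo_group=$(mktemp)
printf 'root:x:0:\nusers:x:100:\npbuilder:x:1234:\n' > "$demo_group"
chroot_add_to_group "$demo_group" grsec-tpe 1005 pbuilder   # created
chroot_add_to_group "$demo_group" grsec-tpe 1005 pbuilder   # present
chroot_add_to_group "$demo_group" trusted 100 pbuilder      # appended to "users", matched by GID
cat "$demo_group"
rm -f "$demo_group"
```

The rewrite goes through `cat "$tmp" > "$gfile"` rather than `mv` so the file keeps its inode and ownership; in a cowbuilder chroot the caller still has to run cowprotect on /etc/group first, exactly as createbuilduser does, or the write lands on the shared copy. In a real hook the GID would come from tpe_whitelist_gid, and nothing is done when it prints nothing.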