@@ -295,6 +295,7 @@ opt manage-submodules 1 "let the build manage the git submodules"
295295opt mingw-cross 0 " cross-compile for win32 using mingw"
296296opt clang 0 " prefer clang to gcc for building the runtime"
297297opt local-rust 0 " use an installed rustc rather than downloading a snapshot"
298+ opt pax-marks 0 " apply PaX markings to rustc binaries (required for GRSecurity/PaX-patched kernels)"
298299valopt prefix " /usr/local" " set installation prefix"
299300valopt local-rust-root " /usr/local" " set prefix for local rust binary"
300301valopt llvm-root " " " set LLVM root"
@@ -343,6 +344,8 @@ probe CFG_PDFLATEX pdflatex
343344probe CFG_XETEX xetex
344345probe CFG_LUATEX luatex
345346probe CFG_NODE nodejs node
347+ probe CFG_PAXCTL paxctl /sbin/paxctl
348+ probe CFG_ZCAT zcat
346349
347350if [ ! -z " $CFG_PANDOC "
348351then
@@ -354,6 +357,52 @@ then
354357 fi
355358fi
356359
360+ if [ " $CFG_OSTYPE " = " unknown-linux-gnu"
361+ then
362+ if [ ! -z " $CFG_ENABLE_PAX_MARKS " -a -z " $CFG_PAXCTL "
363+ then
364+ err " enabled PaX markings but no paxctl binary found"
365+ fi
366+
367+ if [ -z " $CFG_DISABLE_PAX_MARKS "
368+ then
369+ # GRSecurity/PaX detection. This can be very flaky.
370+ GRSEC_DETECTED=
371+
372+ # /dev/grsec only exists if CONFIG_GRKERNSEC_NO_RBAC is not set.
373+ # /proc is normally only available to root and users in the CONFIG_GRKERNSEC_PROC_GID group,
374+ # and /proc/sys/kernel/grsecurity is not available if ÇONFIG_GRKERNSEC_SYSCTL is not set.
375+ if [ -e /dev/grsec -o -d /proc/sys/kernel/grsecurity ]
376+ then
377+ GRSEC_DETECTED=1
378+ # /proc/config.gz is normally only available to root, and only if CONFIG_IKCONFIG_PROC has been set.
379+ elif [ -r /proc/config.gz -a ! -z " $CFG_ZCAT "
380+ then
381+ if " $CFG_ZCAT " | grep --quiet " CONFIG_GRKERNSEC=y"
382+ then
383+ GRSEC_DETECTED=1
384+ fi
385+ # Flaky.
386+ elif grep --quiet grsec /proc/version
387+ then
388+ GRSEC_DETECTED=1
389+ fi
390+
391+ if [ ! -z " $GRSEC_DETECTED "
392+ then
393+ step_msg " GRSecurity: yes"
394+ if [ ! -z " $CFG_PAXCTL "
395+ then
396+ CFG_ENABLE_PAX_MARKS=1
397+ else
398+ warn " GRSecurity kernel detected but no paxctl binary found: not setting CFG_ENABLE_PAX_MARKS"
399+ fi
400+ else
401+ step_msg " GRSecurity: no"
402+ fi
403+ fi
404+ fi
405+
357406if [ ! -z " $CFG_ENABLE_LOCAL_RUST "
358407then
359408 if [ ! -f ${CFG_LOCAL_RUST_ROOT} /bin/rustc ]
@@ -699,6 +748,12 @@ putvar CFG_C_COMPILER
699748putvar CFG_LIBDIR
700749putvar CFG_DISABLE_MANAGE_SUBMODULES
701750
751+ if [ ! -z " $CFG_ENABLE_PAX_MARKS "
752+ then
753+ putvar CFG_ENABLE_PAX_MARKS
754+ putvar CFG_PAXCTL
755+ fi
756+
702757if [ ! -z $BAD_PANDOC ]
703758then
704759 CFG_PANDOC=
0 commit comments