The Tor Browser: comparison media/webrtc/trunk/build/mac/change_mach_o

--1:000000000000
+:cae7c8c25063
+#!/usr/bin/env python
+# Copyright (c) 2011 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""Usage: change_mach_o_flags.py [--executable-heap] [--no-pie] <executablepath>
+Arranges for the executable at |executable_path| to have its data (heap)
+pages protected to prevent execution on Mac OS X 10.7 ("Lion"), and to have
+the PIE (position independent executable) bit set to enable ASLR (address
+space layout randomization). With --executable-heap or --no-pie, the
+respective bits are cleared instead of set, making the heap executable or
+disabling PIE/ASLR.
+This script is able to operate on thin (single-architecture) Mach-O files
+and fat (universal, multi-architecture) files. When operating on fat files,
+it will set or clear the bits for each architecture contained therein.
+NON-EXECUTABLE HEAP
+Traditionally in Mac OS X, 32-bit processes did not have data pages set to
+prohibit execution. Although user programs could call mprotect and
+mach_vm_protect to deny execution of code in data pages, the kernel would
+silently ignore such requests without updating the page tables, and the
+hardware would happily execute code on such pages. 64-bit processes were
+always given proper hardware protection of data pages. This behavior was
+controllable on a system-wide level via the vm.allow_data_exec sysctl, which
+is set by default to 1. The bit with value 1 (set by default) allows code
+execution on data pages for 32-bit processes, and the bit with value 2
+(clear by default) does the same for 64-bit processes.
+In Mac OS X 10.7, executables can "opt in" to having hardware protection
+against code execution on data pages applied. This is done by setting a new
+bit in the |flags| field of an executable's |mach_header|. When
+MH_NO_HEAP_EXECUTION is set, proper protections will be applied, regardless
+of the setting of vm.allow_data_exec. See xnu-1699.22.73/osfmk/vm/vm_map.c
+override_nx and xnu-1699.22.73/bsd/kern/mach_loader.c load_machfile.
+The Apple toolchain has been revised to set the MH_NO_HEAP_EXECUTION when
+producing executables, provided that -allow_heap_execute is not specified
+at link time. Only linkers shipping with Xcode 4.0 and later (ld64-123.2 and
+later) have this ability. See ld64-123.2.1/src/ld/Options.cpp
+Options::reconfigureDefaults() and
+ld64-123.2.1/src/ld/HeaderAndLoadCommands.hpp
+HeaderAndLoadCommandsAtom<A>::flags().
+This script sets the MH_NO_HEAP_EXECUTION bit on Mach-O executables. It is
+intended for use with executables produced by a linker that predates Apple's
+modifications to set this bit itself. It is also useful for setting this bit
+for non-i386 executables, including x86_64 executables. Apple's linker only
+sets it for 32-bit i386 executables, presumably under the assumption that
+the value of vm.allow_data_exec is set in stone. However, if someone were to
+change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run
+without hardware protection against code execution on data pages. This
+script can set the bit for x86_64 executables, guaranteeing that they run
+with appropriate protection even when vm.allow_data_exec has been tampered
+with.
+POSITION-INDEPENDENT EXECUTABLES/ADDRESS SPACE LAYOUT RANDOMIZATION
+This script sets or clears the MH_PIE bit in an executable's Mach-O header,
+enabling or disabling position independence on Mac OS X 10.5 and later.
+Processes running position-independent executables have varying levels of
+ASLR protection depending on the OS release. The main executable's load
+address, shared library load addresess, and the heap and stack base
+addresses may be randomized. Position-independent executables are produced
+by supplying the -pie flag to the linker (or defeated by supplying -no_pie).
+Executables linked with a deployment target of 10.7 or higher have PIE on
+by default.
+This script is never strictly needed during the build to enable PIE, as all
+linkers used are recent enough to support -pie. However, it's used to
+disable the PIE bit as needed on already-linked executables.
+"""
+import optparse
+import os
+import struct
+import sys
+# <mach-o/fat.h>
+FAT_MAGIC = 0xcafebabe
+FAT_CIGAM = 0xbebafeca
+# <mach-o/loader.h>
+MH_MAGIC = 0xfeedface
+MH_CIGAM = 0xcefaedfe
+MH_MAGIC_64 = 0xfeedfacf
+MH_CIGAM_64 = 0xcffaedfe
+MH_EXECUTE = 0x2
+MH_PIE = 0x00200000
+MH_NO_HEAP_EXECUTION = 0x01000000
+class MachOError(Exception):
+"""A class for exceptions thrown by this module."""
+pass
+def CheckedSeek(file, offset):
+"""Seeks the file-like object at |file| to offset |offset| and raises a
+MachOError if anything funny happens."""
+file.seek(offset, os.SEEK_SET)
+new_offset = file.tell()
+if new_offset != offset:
+raise MachOError, \
+'seek: expected offset %d, observed %d' % (offset, new_offset)
+def CheckedRead(file, count):
+"""Reads |count| bytes from the file-like |file| object, raising a
+MachOError if any other number of bytes is read."""
+bytes = file.read(count)
+if len(bytes) != count:
+raise MachOError, \
+'read: expected length %d, observed %d' % (count, len(bytes))
+return bytes
+def ReadUInt32(file, endian):
+"""Reads an unsinged 32-bit integer from the file-like |file| object,
+treating it as having endianness specified by |endian| (per the |struct|
+module), and returns it as a number. Raises a MachOError if the proper
+length of data can't be read from |file|."""
+bytes = CheckedRead(file, 4)
+(uint32,) = struct.unpack(endian + 'I', bytes)
+return uint32
+def ReadMachHeader(file, endian):
+"""Reads an entire |mach_header| structure (<mach-o/loader.h>) from the
+file-like |file| object, treating it as having endianness specified by
+|endian| (per the |struct| module), and returns a 7-tuple of its members
+as numbers. Raises a MachOError if the proper length of data can't be read
+from |file|."""
+bytes = CheckedRead(file, 28)
+magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
+struct.unpack(endian + '7I', bytes)
+return magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
+def ReadFatArch(file):
+"""Reads an entire |fat_arch| structure (<mach-o/fat.h>) from the file-like
+|file| object, treating it as having endianness specified by |endian|
+(per the |struct| module), and returns a 5-tuple of its members as numbers.
+Raises a MachOError if the proper length of data can't be read from
+|file|."""
+bytes = CheckedRead(file, 20)
+cputype, cpusubtype, offset, size, align = struct.unpack('>5I', bytes)
+return cputype, cpusubtype, offset, size, align
+def WriteUInt32(file, uint32, endian):
+"""Writes |uint32| as an unsinged 32-bit integer to the file-like |file|
+object, treating it as having endianness specified by |endian| (per the
+|struct| module)."""
+bytes = struct.pack(endian + 'I', uint32)
+assert len(bytes) == 4
+file.write(bytes)
+def HandleMachOFile(file, options, offset=0):
+"""Seeks the file-like |file| object to |offset|, reads its |mach_header|,
+and rewrites the header's |flags| field if appropriate. The header's
+endianness is detected. Both 32-bit and 64-bit Mach-O headers are supported
+(mach_header and mach_header_64). Raises MachOError if used on a header that
+does not have a known magic number or is not of type MH_EXECUTE. The
+MH_PIE and MH_NO_HEAP_EXECUTION bits are set or cleared in the |flags| field
+according to |options| and written to |file| if any changes need to be made.
+If already set or clear as specified by |options|, nothing is written."""
+CheckedSeek(file, offset)
+magic = ReadUInt32(file, '<')
+if magic == MH_MAGIC or magic == MH_MAGIC_64:
+endian = '<'
+elif magic == MH_CIGAM or magic == MH_CIGAM_64:
+endian = '>'
+else:
+raise MachOError, \
+'Mach-O file at offset %d has illusion of magic' % offset
+CheckedSeek(file, offset)
+magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
+ReadMachHeader(file, endian)
+assert magic == MH_MAGIC or magic == MH_MAGIC_64
+if filetype != MH_EXECUTE:
+raise MachOError, \
+'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' % \
+(offset, filetype)
+original_flags = flags
+if options.no_heap_execution:
+flags |= MH_NO_HEAP_EXECUTION
+else:
+flags &= ~MH_NO_HEAP_EXECUTION
+if options.pie:
+flags |= MH_PIE
+else:
+flags &= ~MH_PIE
+if flags != original_flags:
+CheckedSeek(file, offset + 24)
+WriteUInt32(file, flags, endian)
+def HandleFatFile(file, options, fat_offset=0):
+"""Seeks the file-like |file| object to |offset| and loops over its
+|fat_header| entries, calling HandleMachOFile for each."""
+CheckedSeek(file, fat_offset)
+magic = ReadUInt32(file, '>')
+assert magic == FAT_MAGIC
+nfat_arch = ReadUInt32(file, '>')
+for index in xrange(0, nfat_arch):
+cputype, cpusubtype, offset, size, align = ReadFatArch(file)
+assert size >= 28
+# HandleMachOFile will seek around. Come back here after calling it, in
+# case it sought.
+fat_arch_offset = file.tell()
+HandleMachOFile(file, options, offset)
+CheckedSeek(file, fat_arch_offset)
+def main(me, args):
+parser = optparse.OptionParser('%prog [options] <executable_path>')
+parser.add_option('--executable-heap', action='store_false',
+dest='no_heap_execution', default=True,
+help='Clear the MH_NO_HEAP_EXECUTION bit')
+parser.add_option('--no-pie', action='store_false',
+dest='pie', default=True,
+help='Clear the MH_PIE bit')
+(options, loose_args) = parser.parse_args(args)
+if len(loose_args) != 1:
+parser.print_usage()
+return 1
+executable_path = loose_args[0]
+executable_file = open(executable_path, 'rb+')
+magic = ReadUInt32(executable_file, '<')
+if magic == FAT_CIGAM:
+# Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian.
+HandleFatFile(executable_file, options)
+elif magic == MH_MAGIC or magic == MH_CIGAM or \
+magic == MH_MAGIC_64 or magic == MH_CIGAM_64:
+HandleMachOFile(executable_file, options)
+else:
+raise MachOError, '%s is not a Mach-O or fat file' % executable_file
+executable_file.close()
+return 0
+if __name__ == '__main__':
+sys.exit(main(sys.argv[0], sys.argv[1:]))

The Tor Browser / file comparison

comparison: media/webrtc/trunk/build/mac/change_mach_o_flags.py

media/webrtc/trunk/build/mac/change_mach_o_flags.py