Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
various pax-marking problems
atoth at atoth
Jul 7, 2013, 4:34 PM
Post #1 of 5 (2401 views)
Permalink
I still have problems while emerging python. Emerge dies at the install
phase while trying to execute the freshly built python binary. The binary
lacks PT marks, but has "E" XT mark. The install would finish successfully
after calling paxctl-ng with -em.
I will try to test this with more combinations.

Firefox ebuild also dies at install phase while trying to execute
xpcshell. The binary has "e" PT mark and "em" XT mark. If I set the PT
mark also to "em", the install finishes fine. Both PT and XT is enabled in
my kernel konfig. It seems, that it defaults to PT, not to XT.

Emerging icedtea took nearly forever. I had to pax-mark some libraries in
multiple steps before and after bootstrap.

I have a feeling some system settings are wrong. These things happen the
same way on my laptop and the server.

Thx:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
Re: various pax-marking problems [ In reply to ]
powerman at powerman
Jul 7, 2013, 5:15 PM
Post #2 of 5 (2338 views)
Permalink
Hi!

On Mon, Jul 08, 2013 at 01:34:07AM +0200, "Tóth Attila" wrote:
> I have a feeling some system settings are wrong. These things happen the
> same way on my laptop and the server.

I'm too sleepy now and may misunderstood your issue, but at glance:
1) don't enable both PT and XT in kernel, choose only one (XT)
2) https://bugs.gentoo.org/show_bug.cgi?id=465000 may be actual for you,
maybe you should try >=portage-2.1.12.9 (~ARCH now)

--
WBR, Alex.
Re: various pax-marking problems [ In reply to ]
basile at opensource
Jul 8, 2013, 6:03 AM
Post #3 of 5 (2336 views)
Permalink
On 07/07/2013 08:15 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jul 08, 2013 at 01:34:07AM +0200, "Tóth Attila" wrote:
>> I have a feeling some system settings are wrong. These things happen the
>> same way on my laptop and the server.
>
> I'm too sleepy now and may misunderstood your issue, but at glance:
> 1) don't enable both PT and XT in kernel, choose only one (XT)
> 2) https://bugs.gentoo.org/show_bug.cgi?id=465000 may be actual for you,
> maybe you should try >=portage-2.1.12.9 (~ARCH now)
>

>=portage-2.1.12.9 contains an install wrapper I wrote which preserves
xattr pax markings no matter where they are in the ebuild (before or
after install). While it is possible for ebuilds to do something crazy
like using cp instead of install and circumvent this (these should be
fixed anyhow), this bug should now be fixed.

@Toth. Please enable either PAX_PT_PAX_FLAGS or PAX_XATTR_PAX_FLAGS in
your kernel, not both. It is problematic to set both.

In your make.conf set PAX_MARKINGS="PT" in the former case or
PAX_MARKINGS="XT". It is safe to set both: PAX_MARKINGS="PT XT"

On my system, I have "PAX_PT_PAX_FLAGS not set", PAX_XATTR_PAX_FLAGS=y
in my kernel, PAX_MARKINGS="PT XT" in my make.conf and I am using
>=portage-2.1.12.9. So far everything works. Markings get where they
are supposed to go and all the usual problematic packages work.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: various pax-marking problems [ In reply to ]
powerman at powerman
Jul 8, 2013, 6:09 AM
Post #4 of 5 (2335 views)
Permalink
Hi!

On Mon, Jul 08, 2013 at 09:03:43AM -0400, Anthony G. Basile wrote:
> In your make.conf set PAX_MARKINGS="PT" in the former case or
> PAX_MARKINGS="XT". It is safe to set both: PAX_MARKINGS="PT XT"

What is default if it's not set? I didn't remember mentioning it in "PT to
XT migration howto"…

--
WBR, Alex.
Re: various pax-marking problems [ In reply to ]
basile at opensource
Jul 8, 2013, 7:16 AM
Post #5 of 5 (2332 views)
Permalink
On 07/08/2013 09:09 AM, Alex Efros wrote:
> Hi!
>
> On Mon, Jul 08, 2013 at 09:03:43AM -0400, Anthony G. Basile wrote:
>> In your make.conf set PAX_MARKINGS="PT" in the former case or
>> PAX_MARKINGS="XT". It is safe to set both: PAX_MARKINGS="PT XT"
>
> What is default if it's not set? I didn't remember mentioning it in "PT to
> XT migration howto"…
>

Currently we had to drop back to PAX_MARKINGS="PT" in the eclass because
non-hardened users were complaining about warnings that xattrs were not
being set. I'll have to revisit this issue with a totally vanilla
system when all the relevant pieces go stable, particularly portage. At
that point I'll see if PAX_MARKINGS="PT XT" throws warnings and if it
does just silence them.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal