On 06/07/14 17:48, "Tóth Attila" wrote:
> On 2014. June 7. (Sat) 23:22, Alex Efros wrote:
>> Some time ago I noticed this in kernel logs:
>> kern.alert: grsec: denied RWX mmap of <anonymous mapping> by
>> /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0
>> gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
>>
>> Looks like it doesn't break layman, but I still wonder why it happens and
>> whether it is possible to fix this (without paxmarking python, of course).
>
> I don't see this in my logs. The python executable has the "E" flag on my
> systems.
>
> Dw.
>
Okay, I need to document this loudly --- not sure how to do that except
to just keep repeating it until it becomes public knowledge:

When running with a PaX kernel, you must enable EMUTRAMP in your Kconfig
and you must paxmark your python executables with E. Note: EMUTRAMP is on by
default and the ebuild automatically does the markings for you, so leave
the defaults alone.

If you don't, python apps will hit RWX mmap denials by the PaX kernel.
Things like libffi try to work around this by spitting out little
snippets of code to the filesystem when the mmap fails; but if you have
strict TPE on, even this workaround fails and you get a pretty dead
system (all python apps badly crippled). There are various ways around
this, but we've settled on the EMUTRAMP solution. See
https://bugs.gentoo.org/show_bug.cgi?id=484472

So my apologies everyone, we should do a better job at getting this
information out. Mea culpa.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
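As an added example (not code from this thread, from Gentoo or from the PaX project), here is a small POSIX shell script that checks the two conditions Anthony names, EMUTRAMP in the kernel config and the "E" PaX mark on the python binary, and pulls the offending program paths out of grsec "denied RWX mmap" log lines like the one Alex posted. The Kconfig symbol `CONFIG_PAX_EMUTRAMP`, the `paxctl-ng -v` / `paxctl -v` invocations, the `/proc/config.gz` and `/usr/src/linux/.config` locations and the python paths are my assumptions, not stated on the page; the sample log text and config fragments are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks for the setup the
# thread describes (CONFIG_PAX_EMUTRAMP=y and the "E" PaX mark on python)
# and extracts programs that hit a grsec RWX mmap denial from log text.
# Tool names, config paths and python paths below are assumptions.

# Constructed sample log: the line from the thread plus two made-up lines,
# one more RWX denial and one unrelated kernel message.
SAMPLE_LOG='kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
kern.info: usb 1-1: new high-speed USB device number 4 using ehci-pci
kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python2.7:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4200] uid/euid:1000/1000 gid/egid:1000/1000'

# Constructed kernel config fragments for the good and the bad case.
CONFIG_WITH_EMUTRAMP='CONFIG_PAX_MPROTECT=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_GRKERNSEC_TPE=y'
CONFIG_WITHOUT_EMUTRAMP='CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_TPE=y'

# has_emutramp CONFIG_TEXT -> exit 0 if CONFIG_PAX_EMUTRAMP=y is set.
has_emutramp() {
    printf '%s\n' "$1" | grep -q '^CONFIG_PAX_EMUTRAMP=y$'
}

# rwx_denial_programs LOG_TEXT -> unique program paths that hit an RWX mmap
# denial, one per line, sorted. The path sits between " by " and the "["
# that opens the "[comm:pid]" field of the grsec message.
rwx_denial_programs() {
    printf '%s\n' "$1" \
        | grep 'grsec: denied RWX mmap of' \
        | sed 's/.* by \([^[]*\)\[.*/\1/' \
        | sort -u
}

# rwx_denial_count LOG_TEXT PROGRAM -> number of RWX denials for PROGRAM.
rwx_denial_count() {
    printf '%s\n' "$1" | grep -c "grsec: denied RWX mmap of .* by $2\["
}

# Live check: read the running kernel's config if it is exposed (assumed
# locations; needs CONFIG_IKCONFIG_PROC for /proc/config.gz).
live_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    fi
}

# Live check: print the PaX flags of a binary; "E" must be among them for
# python. Uses paxctl-ng or paxctl, whichever is installed (assumed tools).
show_pax_flags() {
    if command -v paxctl-ng >/dev/null 2>&1; then
        paxctl-ng -v "$1"
    elif command -v paxctl >/dev/null 2>&1; then
        paxctl -v "$1"
    else
        echo "no paxctl-ng/paxctl found; cannot read PaX flags of $1" >&2
        return 1
    fi
}

main() {
    echo "== programs denied an RWX mmap in the sample log =="
    rwx_denial_programs "$SAMPLE_LOG"
    echo "== EMUTRAMP check on the sample configs =="
    has_emutramp "$CONFIG_WITH_EMUTRAMP" && echo "sample 1: EMUTRAMP enabled"
    has_emutramp "$CONFIG_WITHOUT_EMUTRAMP" || echo "sample 2: EMUTRAMP missing"
    echo "== live system (informational) =="
    cfg=$(live_kernel_config 2>/dev/null || true)
    if [ -n "$cfg" ]; then
        has_emutramp "$cfg" && echo "kernel: CONFIG_PAX_EMUTRAMP=y" \
            || echo "kernel: EMUTRAMP not enabled; expect RWX mmap denials"
    else
        echo "kernel config not readable on this host"
    fi
    for py in /usr/bin/python2.7 /usr/bin/python3; do
        [ -x "$py" ] && show_pax_flags "$py"
    done
    return 0
}

main
```

On a non-PaX host the live section only reports that nothing is readable; the log parsing and config checks work anywhere, so the same functions can be pointed at `dmesg` output or a copied `.config` from the affected machine.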