Bug 286280 - >=dev-lang/mono-2.4.2.3 ebuild fails on hardened linux
Summary: >=dev-lang/mono-2.4.2.3 ebuild fails on hardened linux
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: High normal
Assignee: dotnet project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-24 18:03 UTC by Jason Mattax
Modified: 2010-09-07 21:06 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Emerge --info from my server (emerge.info, 3.26 KB, text/plain)
2009-10-22 00:43 UTC, Daniel Kuehn (RETIRED)
Real emerge --info from my server (emerge.info, 3.34 KB, text/plain)
2009-10-22 01:03 UTC, Daniel Kuehn (RETIRED)
build.log from the server (build.log, 398 bytes, text/plain)
2009-10-22 01:04 UTC, Daniel Kuehn (RETIRED)
disable MPROTECT (mono-2.6.7-mprotect_ebuild.patch, 3.28 KB, patch)
2010-08-01 19:06 UTC, Magnus Granberg
set -m on mono for PAX enable kernels (mono-2.6.7-mprotect_ebuild.patch, 2.18 KB, patch)
2010-08-02 11:31 UTC, Magnus Granberg

Description Jason Mattax 2009-09-24 18:03:25 UTC
When attempting to emerge =dev-lang/mono-2.4.2.3 on a hardened system PAX kills one of the build processes as it tries to use  /var/tmp/portage/dev-lang/mono-2.4.2.3/work/mono-2.4.2.3/mono/mini/mono indirectly. mono needs to have MPROTECT disabled on it by running the command paxctl -m /var/tmp/portage/dev-lang/mono-2.4.2.3/work/mono-2.4.2.3/mono/mini/mono

Reproducible: Always

Steps to Reproduce:
1. Be running a hardened profile with PAX enabled
2. Emerge mono

Actual Results:  
Emerge fails

Expected Results:  
Successful compilation and installation of mono.

RISE / # emerge --info
Portage 2.1.6.13 (hardened/linux/amd64/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.28-hardened-r9-x86_64-Intel-R-_Xeon-R-_CPU_E5450_@_3.00GHz-with-gentoo-1.12.11.1
Timestamp of tree: Thu, 24 Sep 2009 14:00:18 +0000
app-shells/bash:     4.0_p28
dev-lang/python:     2.4.4-r6, 2.5.4-r3, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ABI="amd64"
ACCEPT_KEYWORDS="amd64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ARCH="amd64"
ASFLAGS_x86="--32"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CDEFINE_amd64="__x86_64__"
CDEFINE_x86="__i386__"
CFLAGS="-O2 -pipe -fforce-addr -march=core2"
CFLAGS_x86="-m32"
CHOST="x86_64-pc-linux-gnu"
CHOST_amd64="x86_64-pc-linux-gnu"
CHOST_x86="i686-pc-linux-gnu"
CLEAN_DELAY="5"
COLLISION_IGNORE="/lib/modules"
CONFIG_PROTECT="/etc /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CVS_RSH="ssh"
CXXFLAGS="-O2 -pipe -fforce-addr -march=core2"
DEFAULT_ABI="amd64"
DISTDIR="/usr/portage/distfiles"
EDITOR="/usr/bin/vim"
ELIBC="glibc"
EMERGE_DEFAULT_OPTS="-avt"
EMERGE_WARNING_DELAY="10"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
GCC_SPECS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
HOME="/root"
INFOPATH="/usr/share/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.18/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.3.4/info"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LDFLAGS="-Wl,--hash-style=gnu"
LDFLAGS_x86="-m elf_i386"
LESS="-R -M --shift 5"
LESSOPEN="|lesspipe.sh %s"
LIBDIR_amd64="lib64"
LIBDIR_amd64_fbsd="lib64"
LIBDIR_ppc="lib32"
LIBDIR_ppc64="lib64"
LIBDIR_sparc32="lib32"
LIBDIR_sparc64="lib64"
LIBDIR_x86="lib32"
LIBDIR_x86_fbsd="lib32"
LOGNAME="root"
LS_COLORS="rs=0:di=01;34:ln=01;36:hl=44;37:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
MAKEOPTS="-j9"
MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.18/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.3.4/man"
MULTILIB_ABIS="amd64 x86"
MULTILIB_STRICT_DENY="64-bit.*shared object"
MULTILIB_STRICT_DIRS="/lib32 /lib /usr/lib32 /usr/lib /usr/kde/*/lib32 /usr/kde/*/lib /usr/qt/*/lib32 /usr/qt/*/lib /usr/X11R6/lib32 /usr/X11R6/lib"
MULTILIB_STRICT_EXEMPT="(perl5|gcc|gcc-lib|binutils|eclipse-3|debug|portage)"
NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml"
OLDPWD="/var/tmp/portage/dev-lang/mono-2.4.2.3"
OPENGL_PROFILE="xorg-x11"
PAGER="/usr/bin/less"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.4"
PBS_SERVER_HOME="/var/spool/torque"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="ppc x86-openbsd ppc-openbsd ppc64 x86-winnt x86-fbsd ppc-aix alpha arm x86-freebsd s390 amd64 x86-macos x64-openbsd ia64-hpux hppa x86-netbsd amd64-linux ia64-linux x86 sparc-solaris x64-freebsd sparc64-solaris x86-linux x64-macos sparc m68k-mint ia64 mips ppc-macos x86-interix hppa-hpux amd64-fbsd x64-solaris mips-irix m68k sh x86-solaris sparc-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib64/portage/bin"
PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png"
PORTAGE_CONFIGROOT="/"
PORTAGE_DEBUG="0"
PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"
PORTAGE_ELOG_CLASSES="warn error log"
PORTAGE_ELOG_MAILFROM="portage@localhost"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_ELOG_SYSTEM="save"
PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5"
PORTAGE_FETCH_RESUME_MIN_SIZE="350K"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_PYM_PATH="/usr/lib64/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_VERBOSE="1"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage"
PROFILE_ONLY_VARIABLES="ARCH ELIBC KERNEL USERLAND"
PWD="/"
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
ROOT="/"
ROOTPATH="/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.4"
RPMDIR="/usr/portage/rpm"
SHELL="/bin/bash"
SHLVL="1"
STAGE1_USE="hardened multilib nptl nptlonly pic"
SYMLINK_LIB="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
TERM="screen"
USE="acl amd64 berkdb bzip2 cli cracklib crypt dri gdbm gpm hardened iconv justify mmx modules mudflap multilib ncurses nptl nptlonly pam pcre perl pic python readline reflection session spl sse sse2 ssl sysfs tcpd urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev intel nv radeon"
USER="root"
USERLAND="GNU"
USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS APACHE2_MODULES APACHE2_MPMS CAMERAS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARDS FOO2ZJS_DEVICES FRITZCAPI_CARDS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISDN_CARDS NETBEANS_MODULES QEMU_SOFTMMU_TARGETS QEMU_USER_TARGETS SANE_BACKENDS USERLAND VIDEO_CARDS"
USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults:pkginternal:env.d"
VIDEO_CARDS="fbdev intel nv radeon"
_="/usr/bin/emerge"


The relevant entries from /var/log/kern.log
=============================================
Sep 24 09:10:02 RISE [74370.586084] PAX: From 97.123.121.66: execution attempt in: <anonymous mapping>, 4153e000-4154e000 4153e000
Sep 24 09:10:02 RISE [74370.586087] PAX: terminating task: /var/tmp/portage/dev-lang/mono-2.4.2.3/work/mono-2.4.2.3/mono/mini/mono(mono):26275, uid/euid: 0/0, PC: 000000004153e050, SP: 00007c3b872e3338
Sep 24 09:10:02 RISE [74370.586093] PAX: bytes at PC: 55 48 8b ec 48 83 ec 70 48 89 7d b0 48 89 75 a8 48 89 55 a0
Sep 24 09:10:02 RISE [74370.586101] PAX: bytes at SP-8:
Sep 24 09:10:02 RISE [74370.586160] grsec: From 97.123.121.66: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/dev-lang/mono-2.4.2.3/work/mono-2.4.2.3/mono/mini/mono[mono:26275] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:26274] uid/euid:0/0 gid/egid:0/0
Comment 1 Jason Mattax 2009-09-24 18:07:31 UTC
Note that I was able to work around this issue by running

watch paxctl -m /var/tmp/portage/dev-lang/mono-2.4.2.3/work/mono-2.4.2.3/mono/mini/mono

in another terminal. Since this attempts to change the PaX headers on the file every 2 seconds, it got there before the program was run on my system. If you use this kludge to install, expect to see lots of messages telling you the file isn't there.
Comment 2 Daniel Kuehn (RETIRED) gentoo-dev 2009-10-22 00:41:31 UTC
I can confirm that this happens on x86 too.
I have a server with x86 that is running on a hardened-sources-2.6.29 kernel with the grsec server profile.

I get the same deny messages in kern.log as Jason.
Comment 3 Daniel Kuehn (RETIRED) gentoo-dev 2009-10-22 00:43:43 UTC
Created attachment 207871 [details]
Emerge --info from my server
Comment 4 Daniel Kuehn (RETIRED) gentoo-dev 2009-10-22 00:56:02 UTC
Comment on attachment 207871 [details]
Emerge --info from my server

Wrong machine
Comment 5 Daniel Kuehn (RETIRED) gentoo-dev 2009-10-22 01:03:56 UTC
Created attachment 207873 [details]
Real emerge --info from my server

Sorry for wrong file before. This is from the actual machine that gets the compile error.
Comment 6 Daniel Kuehn (RETIRED) gentoo-dev 2009-10-22 01:04:45 UTC
Created attachment 207875 [details]
build.log from the server
Comment 7 Alex Efros 2009-11-12 18:45:29 UTC
I've worked around this issue by adding this function to dev-lang/mono/mono-2.4.2.3.ebuild:

src_compile() {
    make                              # expected to fail once: PaX kills mono/mini/mono the first time the build runs it
    paxctl -m mono/mini/mono || die   # disable MPROTECT on the freshly built JIT binary
    make || die                       # continue compilation with the marked binary
}
Comment 8 Pacho Ramos gentoo-dev 2010-07-04 17:13:54 UTC
Do you get the same problem with latest mono-2.6?
Comment 9 Daniel Kuehn (RETIRED) gentoo-dev 2010-07-05 07:52:33 UTC
(In reply to comment #8)
> Do you get the same problem with latest mono-2.6?
> 

I can give it a shot again on both AMD64 and x86 hardened and report back.
Comment 10 Anders Hellgren gentoo-dev 2010-07-21 22:02:30 UTC
(In reply to comment #8)
> Do you get the same problem with latest mono-2.6?
> 

Yes.

PAX: execution attempt in: <anonymous mapping>, 2031e000-2039a000 2031e000
PAX: terminating task: /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono(mono):23537, uid/euid: 250/250, PC: 2038a000, SP: 5cfcb41c
PAX: bytes at PC: 55 89 e5 53 8b 45 08 0f a2 50 8b 45 10 89 18 8b 45 14 89 08 
PAX: bytes at SP-4: 5cfcb488 10b727c3 00000001 5cfcb4b8 5cfcb4b4 5cfcb4b0 5cfcb4ac 2014bc8b c9db1d90 20187d14 00000001 2016cebe 5cfcb488 00000022 5cfcb4ac 5cfcb4b0 5cfcb4b4 5cfcb4b8 2031e360 2016cebe 5cfcb488 
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono[mono:23537] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:23536] uid/euid:250/250 gid/egid:250/250
Comment 11 Daniel Kuehn (RETIRED) gentoo-dev 2010-07-21 22:06:52 UTC
(In reply to comment #10)
> (In reply to comment #8)
> > Do you get the same problem with latest mono-2.6?
> > 
> 
> Yes.
> 
> PAX: execution attempt in: <anonymous mapping>, 2031e000-2039a000 2031e000
> PAX: terminating task:
> /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono(mono):23537,
> uid/euid: 250/250, PC: 2038a000, SP: 5cfcb41c
> PAX: bytes at PC: 55 89 e5 53 8b 45 08 0f a2 50 8b 45 10 89 18 8b 45 14 89 08 
> PAX: bytes at SP-4: 5cfcb488 10b727c3 00000001 5cfcb4b8 5cfcb4b4 5cfcb4b0
> 5cfcb4ac 2014bc8b c9db1d90 20187d14 00000001 2016cebe 5cfcb488 00000022
> 5cfcb4ac 5cfcb4b0 5cfcb4b4 5cfcb4b8 2031e360 2016cebe 5cfcb488 
> grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against
> limit 0 for
> /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono[mono:23537]
> uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:23536]
> uid/euid:250/250 gid/egid:250/250
> 

I have only tested AMD64 hardened, and it gets killed with mono-2.6.4; my 32-bit chroot sort of fell apart due to me not maintaining it.
Comment 12 Pacho Ramos gentoo-dev 2010-07-22 20:54:08 UTC
I don't know much about hardened; maybe they will be able to suggest to us the best way of handling this.
Comment 13 Magnus Granberg gentoo-dev 2010-08-01 14:42:27 UTC
The main problem is that it uses JIT (just-in-time) compilation and has some trampoline functions in the code. It gets killed by MPROTECT.

1. Fix the code, if that is even possible.
2. Disable MPROTECT on that binary and lose the MPROTECT protection.
Comment 14 Magnus Granberg gentoo-dev 2010-08-01 19:06:45 UTC
Created attachment 240961 [details, diff]
disable MPROTECT

This ebuild patch disables MPROTECT on the mono binary.
Comment 15 Magnus Granberg gentoo-dev 2010-08-02 11:31:10 UTC
Created attachment 241045 [details, diff]
set -m on mono for PAX enable kernels

We don't need all the kernel PAX checks.
Comment 16 Pacho Ramos gentoo-dev 2010-09-07 21:06:21 UTC
+  07 Sep 2010; Pacho Ramos <pacho@gentoo.org> mono-2.6.7.ebuild,
+  metadata.xml:
+  Drop PDEPEND on pe-format (bug #333907 by Michał Górny), fix build on
+  hardened (bug #286280 by Jason Mattax and fix by Magnus Granberg) and
+  allow people to enable .NET 4.0 profile if they want (bug #326497 by Ron
+  MacNeil).