voidprayer@VoidPrayer ~ $ sudo paxctl -v /usr/lib/ghc-6.10.4/ghc PaX control v0.5 Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu> - PaX flags: -------x-e-- [/usr/lib/ghc-6.10.4/ghc] RANDEXEC is disabled EMUTRAMP is disabled voidprayer@VoidPrayer ~ $ ghci GHCi, version 6.10.4: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer ... linking ... done. Loading package base ... linking ... done. Killed (core dumped) voidprayer@VoidPrayer ~ $ sudo paxctl -m /usr/lib/ghc-6.10.4/ghc voidprayer@VoidPrayer ~ $ ghci GHCi, version 6.10.4: http://www.haskell.org/ghc/ :? for help Loading package ghc-prim ... linking ... done. Loading package integer ... linking ... done. Loading package base ... linking ... done. Prelude> :quit Leaving GHCi. voidprayer@VoidPrayer ~ $ sudo paxctl -v /usr/lib/ghc-6.10.4/ghc PaX control v0.5 Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu> - PaX flags: -----m-x-e-- [/usr/lib/ghc-6.10.4/ghc] MPROTECT is disabled RANDEXEC is disabled EMUTRAMP is disabled Solution: In the ebuild, inherit the pax-utils.eclass and pax-mark m /path/to/imaged/ghc. Reproducible: Always Steps to Reproduce: In the description. Portage 2.1.7.16 (hardened/linux/x86/10.0, gcc-4.4.2, glibc-2.11-r1, 2.6.31-hardened-r10 i686) ================================================================= System uname: Linux-2.6.31-hardened-r10-i686-Genuine_Intel-R-_CPU_T2050_@_1.60GHz-with-gentoo-2.0.1 Timestamp of tree: Mon, 04 Jan 2010 14:30:01 +0000 app-shells/bash: 4.0_p35 dev-lang/python: 2.6.4, 3.1.1-r1 dev-util/cmake: 2.8.0 sys-apps/baselayout: 2.0.1 sys-apps/openrc: 0.6.0 sys-apps/sandbox: 2.1 sys-devel/autoconf: 2.65 sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1 sys-devel/binutils: 2.20 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.30-r1 ACCEPT_KEYWORDS="x86 ~x86" ACCEPT_LICENSE="* -@EULA" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -march=native -pipe -fomit-frame-pointer" DISTDIR="/var/cache/portage/distfiles" EMERGE_DEFAULT_OPTS="--ask-enter-invalid --nospinner --quiet-build --with-bdeps y" FEATURES="assume-digests buildpkg distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="zh_TW.UTF-8" LC_ALL="C" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="zh_TW zh af am ar as as_IN ast az be be_BY bg bn bn_BD bn_IN bo br brx bs ca crh cs csb cy da de de_FR dgo dz el en en_CA en_GB en_US en_ZA eo es es_AR es_CL es_CR es_ES es_LA es_MX et et_EE eu fa fi fo fr fr_CA fy fy_NL ga ga_IE gl gu gu_IN he hi hi_IN hne hr hsb hu hy id is it ja ka kk km kn kn_IN ko ko_KR kok ks ku la lb lo lt lv mai mk ml ml_IN mn mni mr mr_IN ms mt my nb nb_NO nds ne nl nn nn_NO no nr ns nso oc or or_IN pa pa_IN pl pt pt_BR pt_PT rm ro ru rw sa_IN sat sd se sh sh_YU si sk sl sq sr sr@latin sr@Latn sr_CS ss st sv sv_SE sw sw_TZ ta ta_IN ta_LK te te_IN tg th ti_ER tk tl tn tr ts uk ur_IN ur_PK uz uz@cyrillic ve vi wa xh zh_CN zh_HK zh_TW zu" MAKEOPTS="-j3" PKGDIR="/var/cache/portage/packages" PORTAGE_COMPRESS="" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/var/cache/portage/ebuilds/gentoo" PORTDIR_OVERLAY="/var/cache/portage/ebuilds/gentoo-china /var/cache/portage/ebuilds/kde /var/cache/portage/ebuilds/gentoo-china /var/cache/portage/ebuilds/haskell /var/cache/portage/ebuilds/hardened-development /var/cache/portage/ebuilds/sunrise /var/cache/portage/ebuilds/oss-overlay /var/cache/portage/ebuilds/local" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi bash-completion berkdb bluetooth branding bzip2 cdr cli consolekit cracklib crypt cscope cups cxx dbus doc dri dts dvd dvdr encode faac fam ffmpeg flac gdbm gif gpm graphite gstreamer hal hardened hscolour iconv ipv6 jpeg jpeg2k kde latex ldap lzma mad mmx mmxext mng modules mp3 mp4 mpeg mplayer mudflap ncurses nls nptl nptlonly nsplugin ogg openexr opengl openmp oss pam pcre pdf perl pic png policykit ppds pppd python qt4 quicktime readline reflection samba sdl semantic-desktop session spell spl sse sse2 ssl startup-notification svg sysfs syslog tcpd theora tiff truetype unicode urandom v4l2 vim-syntax vorbis webkit win32codecs x264 x86 xcomposite xml xorg xv xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="zh_TW zh af am ar as as_IN ast az be be_BY bg bn bn_BD bn_IN bo br brx bs ca crh cs csb cy da de de_FR dgo dz el en en_CA en_GB en_US en_ZA eo es es_AR es_CL es_CR es_ES es_LA es_MX et et_EE eu fa fi fo fr fr_CA fy fy_NL ga ga_IE gl gu gu_IN he hi hi_IN hne hr hsb hu hy id is it ja ka kk km kn kn_IN ko ko_KR kok ks ku la lb lo lt lv mai mk ml ml_IN mn mni mr mr_IN ms mt my nb nb_NO nds ne nl nn nn_NO no nr ns nso oc or or_IN pa pa_IN pl pt pt_BR pt_PT rm ro ru rw sa_IN sat sd se sh sh_YU si sk sl sq sr sr@latin sr@Latn sr_CS ss st sv sv_SE sw sw_TZ ta ta_IN ta_LK te te_IN tg th ti_ER tk tl tn tr ts uk ur_IN ur_PK uz uz@cyrillic ve vi wa xh zh_CN zh_HK zh_TW zu" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" Unset: CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
First of all, thanks for the robust report with a solution! The fix pushed to gentoo-haskell overlay for ghc-6.12.3 ebuild. We'll test is a little there and if things will go nice I'll push it to the tree. It will also require haddock to be marked as MPROTECT. Sorry, it took me a lot of time to actually install hardened. Some background on why we currently need this marking: GHCi uses it's own dynamic linker to load shared libraries which requires writing to the memory section and then executing it (the pattern PaX forbids as PAGEEXEC [1]). The issue could be solved upstream one day: http://hackage.haskell.org/trac/ghc/ticket/4244 [1] PAGEEXEC - http://pax.grsecurity.net/docs/pageexec.txt
Pushed pax NOMPROTECT marking for ghc-6.10.4-r1, ghc-6.12.3 and haddock-2*. Good news are: - I haven't experienced any problems rebuilding whole my haskell subworld against them - ghci mode works on hardened Thanks again, Hongjiu!
