Comment 1 Agostino Sarubbo 2010-12-01 14:31:01 UTC

paste entire build log, is always a good thing ;)

Comment 2 Pacho Ramos 2011-01-05 11:47:14 UTC

(In reply to comment #1)
> paste entire build log, is always a good thing ;)
> 

Please provide it (since I am also unable to reproduce)

Created attachment 259749 [details]
build.log

happens on my hardened x86 too. hardened amd64 works.

Portage 2.1.9.31 (hardened/linux/x86, gcc-4.5.2, glibc-2.12.2-r0, 2.6.36-hardened i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.36-hardened-i686-Intel-R-_Pentium-R-_4_CPU_3.20GHz-with-gentoo-2.0.1
Timestamp of tree: Thu, 13 Jan 2011 20:30:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.4.6, 2.5.4-r4, 2.6.6-r1, 2.7.1, 3.1.3
dev-util/cmake:      2.8.3-r1
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc:     0.6.8
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.4_p6-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.21
sys-devel/gcc:       4.4.5, 4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.4-r1
sys-devel/make:      3.82
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/maven-bin-3.0/conf /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://gentoo.tiscali.nl/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en de ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X X509 a52 aac aalib accessibility acl acpi alsa apache2 apm aspnet aspnet2 assistant autoipd avahi berkdb bluetooth bzip2 c++ cairo cdr cgi chm chroot clamav clamd cli colordiff consolekit cracklib crypt css ctype cups curl cxx cyrillic dbus deprecated device-mapper dga discouraged disk-partition divx dri dvb dvd dvdr dvdread dynamicplugin ebook ecc eds embedded emovix encode escreen esd examples exif expat extensions extra extras fam fame fbcon fbcondecor fbsplash ffmpeg flac fortran fts3 gajim gcj gd gdbm gdu geoip gif git glib glitz glut gmail gmp gmplayer gnome gnuplot gnutls gpg gphoto2 gpm gps graphics gsm gstreamer gtk h323 hal hardened hddtemp hfs httpd iconv idea idle idn ieee1394 ilbc imagemagick imap imlib inquisitio ipv6 isdn j2me jabber java java5 java6 javascript jce jingle jpeg jpeg2k kpathsea lcms libgcrypt libnotify lirc lm_sensors logitech-mouse lua lzo mad maildir matroska md5sum mdnsresponder-compat menubar mhash mime mjpeg mmx mmxext mng mod_irc mod_muc mod_pubsub modules mono moonlight motif mozdevelop moznocompose moznoirc moznomail mp3 mp4 mpd mpeg mplayer mudflap multiuser mysql nagios-dns nagios-game nagios-ntp nagios-ping nagios-ssh ncurses netmeeting networking networkmanager nls nptl nptlonly nsplugin nss ntlm oav objc offensive ofono ogg opengl openmp otr pae pam pcap pcre pcsc-lite pdf perl pic pink pipechan pkcs11 png policykit portage postfix pppd private-headers pulseaudio pygrub python qa qt3support qt4 quicktime rc5 rdesktop readline realmedia redland reflection reiserfs rss ruby samba sasl scanner screen sdl secure-delete semantic-desktop serial server session sip skey smartcard smime sms sockets spamassassin speedo speex spell sqlite sqlite3 srt sse sse2 ssl subversion svg swig sysfs sysvipc tcpd theora threads threadsafe tiff tk tordns trayicon truetype type1 unicode urandom usb userlocales v4l2 vcd vim vim-syntax vim-with-x visual vorbis wav web webdav webkit wifi win32codecs wma wmf wmp x264 x86 xanim xcomposite xinerama xml xorg xosd xpm xscreensaver xulrunner xv xvid zlib zrtp" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" FCDSL_CARDS="fcdsl" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en de ru" LIRC_DEVICES="devinput inputlirc" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="ati radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 4 Pacho Ramos 2011-01-14 10:27:54 UTC

.

Comment 5 Pacho Ramos 2011-01-14 10:50:09 UTC

I don't have much idea about why is this failing in that situation (hardened and x86), maybe hardened team will know more :-/

Comment 6 Magnus Granberg 2011-01-15 15:13:25 UTC

try without -fomit-frame-pointer.
-fomit-frame-pointer mess with the PIE/PIC stuff sometimss.

Nope, can still reproduce it.

Comment 8 Pacho Ramos 2011-01-25 17:50:03 UTC

+*mono-2.8.2 (25 Jan 2011)
+
+  25 Jan 2011; Pacho Ramos <pacho@gentoo.org> -mono-2.8.1-r1.ebuild,
+  +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch:
+  Version bump, remove old testing and 9999 version since it's not really
+  maintained downstream.
+

Please try with it... but I am not sure why you are suffering this problem :-|

Comment 9 Anders Hellgren 2011-01-29 12:07:35 UTC

(In reply to comment #8)
> +*mono-2.8.2 (25 Jan 2011)
> +
> +  25 Jan 2011; Pacho Ramos <pacho@gentoo.org> -mono-2.8.1-r1.ebuild,
> +  +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch:
> +  Version bump, remove old testing and 9999 version since it's not really
> +  maintained downstream.
> +
> 
> Please try with it... but I am not sure why you are suffering this problem :-|
> 

Problem persists in 2.8.2-r1 in my 32bit chroot.

Comment 10 Pacho Ramos 2011-01-29 12:20:42 UTC

Also a hardened system? x86 or amd64?

Comment 11 Anders Hellgren 2011-01-29 12:25:46 UTC

(In reply to comment #10)
> Also a hardened system? x86 or amd64?
> 

Hardened. 32bit chroot for my (recently dead) athlon-xp.

Comment 12 Pacho Ramos 2011-01-29 12:27:58 UTC

Could you try to rebuild it with my USEs?

[ebuild   R   ] dev-lang/mono-2.8.2-r1  USE="-hardened -minimal -xen" 0 kB

Also downgrade CFLAGS to plain "-O2 -pipe"

Comment 13 Anders Hellgren 2011-01-29 13:20:24 UTC

Well, without the hardened use flag it gets killed on a hardened kernel, but hardened compiler on vanilla kernel works.

Comment 14 Pacho Ramos 2011-01-29 13:23:56 UTC

hardened USE flag is simply doing the following:

        if use hardened ; then
                ewarn "We are disabling MPROTECT on the mono binary."
                sed '/exec/ i\paxctl -m "$r/@mono_runtime@"' -i "${S}"/runtime/mono-wrapper.in
        fi

Comment 15 Anders Hellgren 2011-01-29 13:41:40 UTC

Yes, but mono is killed by a hardened kernel without that as can be seen in bug #286280.

Comment 16 Pacho Ramos 2011-01-29 15:08:09 UTC

(In reply to comment #13)
> Well, without the hardened use flag it gets killed on a hardened kernel, but
> hardened compiler on vanilla kernel works.
> 

Does compilation succeed when compiling on vanilla kernel without "hardened" USE flag then?

Comment 17 Anders Hellgren 2011-01-29 15:15:54 UTC

(In reply to comment #16)
> (In reply to comment #13)
> > Well, without the hardened use flag it gets killed on a hardened kernel, but
> > hardened compiler on vanilla kernel works.
> > 
> 
> Does compilation succeed when compiling on vanilla kernel without "hardened"
> USE flag then?
> 
Yes.

I am having the same issue on hardened x86 (core2).

Comment 19 Magnus Granberg 2011-01-30 22:03:22 UTC

Can some one test if change the paxctl sed
from paxctl -m
to paxctl -mr
if that fix it?

Comment 20 Magnus Granberg 2011-01-30 22:16:24 UTC

(In reply to comment #19)
> Can some one test if change the paxctl sed
> from paxctl -m
> to paxctl -mr
> if that fix it?
> 

the -r flag is pax RANDMMAP options

not that it was asked, but since i've been used to set
sysctl kernel.pax.softmode=1
to run certain mono apps for years, that doesn't help, just for your information

Actually, enabling softmode works, you have to disable the hardened use flag though. I have just successfully installed dev-lang/mono-2.8.2-r1 on a hardened x86 system by following these steps:
1. Enable softmode: echo 1 > /proc/sys/kernel/pax/softmode
2. Disable the hardened use flag on dev-lang/mono
3. emerge mono
4. Disable MPROTECT on the mono binary: paxctl -m /usr/bin/mono
5. Disable softmode: echo 0 > /proc/sys/kernel/pax/softmode

This is what I got in kernel log while (failed) emerging mono 2.8.2-r1:

2011-02-10_13:47:13.59106 kern.alert: grsec: Segmentation fault occurred at (nil) in /var/tmp/portage/dev-lang/mono-2.8.2-r1/work/mono-2.8.2/conftest[conftest:30575] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/dev-lang/mono-2.8.2-r1/work/mono-2.8.2/conftest[conftest:30573] uid/euid:250/250 gid/egid:250/250
2011-02-10_14:06:55.41006 kern.alert: grsec: Segmentation fault occurred at 15bc3364 in /var/tmp/portage/dev-lang/mono-2.8.2-r1/work/mono-2.8.2/mono/mini/mono[mono:27569] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:27568] uid/euid:250/250 gid/egid:250/250
2011-02-10_14:06:55.41214 kern.alert: grsec: Segmentation fault occurred at 15bc3364 in /var/tmp/portage/dev-lang/mono-2.8.2-r1/work/mono-2.8.2/mono/mini/mono[mono:27569] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:27568] uid/euid:250/250 gid/egid:250/250

Probably this issue can be solved by adding few more 'paxctl' withing ebuild to switch off PaX for some intermediate binaries.

Comment 24 Pacho Ramos 2011-02-27 12:53:07 UTC

Please retry with 2.10

I'm having the same problem with 2.10 and 2.10.1. I've tried compiling using the instructions of comment #22 with no luck, and I've also tried with softmode disabled using the hardened USE flag, and that didn't work either. Then, on a whim, I tried softmode disabled and hardened disabled, and that didn't work either. I've tried every situation I can think of, and have had no success. However, 2.6 compiles just fine (which is what I'm currently using). I can attach logs of all of this as needed, but it'll look almost the same.

My emerge --info:

Portage 2.1.9.41 (hardened/linux/x86, gcc-4.5.2, glibc-2.13-r1, 2.6.37-hardened-r4 i686)
=================================================================
System uname: Linux-2.6.37-hardened-r4-i686-AMD_Athlon-tm-_XP_2500+-with-gentoo-2.0.1
Timestamp of tree: Tue, 01 Mar 2011 10:15:01 +0000
app-shells/bash:     4.1_p10
dev-lang/python:     2.7.1-r1
dev-util/cmake:      2.8.4
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc:     0.7.0
sys-apps/sandbox:    2.5
sys-devel/autoconf:  2.68
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.21
sys-devel/gcc:       4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.4-r1
sys-devel/make:      3.82
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer -msse -mmmx -m3dnow"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe -fomit-frame-pointer -msse -mmmx -m3dnow"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.mirrors.tds.net/gentoo http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ ftp://ftp.wallawalla.edu/pub/mirrors/ftp.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/openrc /var/lib/layman/php /var/lib/layman/dotnet /var/lib/layman/tante /var/lib/layman/poly-c /usr/local/portage"
SYNC="rsync://rsync26.us.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X acl bash-completion bzip2 cli cracklib crypt cxx dri gpm hardened iconv ipv6 jpeg jpeg2k mmx mmxext modules mudflap ncurses nls nptl nptlonly openmp pam pcre pic pppd readline session sse ssl sysfs tcpd truetype unicode urandom vhosts x86 xattr xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

(In reply to comment #23)
> Probably this issue can be solved by adding few more 'paxctl' withing ebuild to
> switch off PaX for some intermediate binaries.

No, sorry, this is wrong. I've tried all PaX flags, this doesn't helps (dev-lang/mono-2.10.1-r1).

Workaround from comment #22 works for me.

if you don't see PaX kill messages then it's probably not an MPROTECT issue per se. you should enable coredumping and when mono crashes, take a look at it in gdb and post the usual info (backtrace, reigsters, disasm, etc).

(In reply to comment #27)
> if you don't see PaX kill messages then it's probably not an MPROTECT issue per
> se. you should enable coredumping and when mono crashes, take a look at it in
> gdb and post the usual info (backtrace, reigsters, disasm, etc).

Yeah, it's not MPROTECT issue, but it's PaX issue.
Sorry, I've no experience in using gdb, so please post step-by-step instruction how to do all these things (enable coredump and use gdb), and I'll do it.

Comment 29 Anders Hellgren 2011-03-05 16:12:23 UTC

(In reply to comment #19)
> Can some one test if change the paxctl sed
> from paxctl -m
> to paxctl -mr
> if that fix it?
> 

mono-2.10.1-r1 installs in my 32bit hardened chroot with this change.

Comment 30 Pacho Ramos 2011-03-05 16:35:12 UTC

+  05 Mar 2011; Pacho Ramos <pacho@gentoo.org> mono-2.8.2-r1.ebuild,
+  mono-2.10.1-r1.ebuild:
+  Fix building on hardened (bug #347365 by onox). Thanks a lot to Anders
+  Hellgren and Magnus Granberg for their help.

(In reply to comment #28)
> Yeah, it's not MPROTECT issue, but it's PaX issue.

by the sound of it, it's more likely to be a mono/ASLR issue now ;).

> Sorry, I've no experience in using gdb, so please post step-by-step instruction
> how to do all these things (enable coredump and use gdb), and I'll do it.

basically, in your emerge shell you issue 'ulimit -c unlimited' to enable coredump generation then start the compilation. when it fails, you should find a coredump file in the build directory somewhere (usually named 'core' or 'core.pid'. you'll have to load it in gdb with 'gdb executable-name corefile-name' then issue a few commands such as 'bt' for backtrace, 'i r' for register context and 'x/8i $pc' for disasm around the crashing code.

(In reply to comment #30)
> +  05 Mar 2011; Pacho Ramos <pacho@gentoo.org> mono-2.8.2-r1.ebuild,
> +  mono-2.10.1-r1.ebuild:
> +  Fix building on hardened (bug #347365 by onox). Thanks a lot to Anders
> +  Hellgren and Magnus Granberg for their help.

please don't close this bug until the root cause for the ASLR incompatibility is found. it's very bad for security to disable basically all protection for mono.

Comment 33 Magnus Granberg 2011-03-06 01:30:14 UTC

(In reply to comment #32)
> (In reply to comment #30)
> > +  05 Mar 2011; Pacho Ramos <pacho@gentoo.org> mono-2.8.2-r1.ebuild,
> > +  mono-2.10.1-r1.ebuild:
> > +  Fix building on hardened (bug #347365 by onox). Thanks a lot to Anders
> > +  Hellgren and Magnus Granberg for their help.
> 
> please don't close this bug until the root cause for the ASLR incompatibility
> is found. it's very bad for security to disable basically all protection for
> mono.
> 
It fail with RANDMMAP on amd46 to and that bug is not closet #356737

Personally, I don't use a hardened kernel, but perhaps my old bug 220337 might be a bit helpful here.
Could somebody here see if the change I mentioned there would be helpful in this context ?

(In reply to comment #31)
> basically, in your emerge shell you issue 'ulimit -c unlimited' to enable
> coredump generation then start the compilation. when it fails, you should find
> a coredump file in the build directory somewhere (usually named 'core' or
> 'core.pid'. you'll have to load it in gdb with 'gdb executable-name

There no core file. And no 'core dumped' message on the screen.
I've tried both running emerge and manually repeating 'make' in build directory after emerge failed (just in case ulimit had no effect while emerge - different shells, different user accounts, etc.). I see 'grsec: Segmentation fault occurred' in kernel log, but no segfault mentioned in emerge/make output. I've tried to `find -type f -name 'core*'` both in top level build directory, / and /root/. AFAIR it's possible to intercept and manually handle SIGSEGV on application level, and I suppose mono do this and so prevent dumping core file.

I can still reproduce this with all of the suggested changes (or any combination thereof). I am still fully unable to build any version of mono newer than 2.6.

Comment 37 Pacho Ramos 2011-03-11 20:49:32 UTC

Open then a separate bug report with new build.log

Not sure if this is helpful, but when I encountered the original build error while upgrading to mono 2.10.x on hardened x86, I was able to merge mono successfully by temporarily switching to the vanilla version of gcc.

i.e. as root:

gcc-config i686-pc-linux-gnu-4.4.5-vanilla
source /etc/profile
emerge mono
gcc-config i686-pc-linux-gnu-4.4.5
source /etc/profile

From my (limited) testing, this seems to result in an operative mono install. (As in, it passes mono-test-install, a quick Hello World builds and runs while soft mode is disabled, and mono dependencies build successfully.)

Of course, this isn't optimal, as mono won't have any PaX/PIE/etc protections.

It is, however, better than a blocked world merge for systems that are not likely to use mono in situations where it could compromise system security i.e. a desktop PC that doesn't expose mod_mono/mono-using services to the outside world.