Created attachment 298979 [details]
emerge --info

Created attachment 298981 [details]
eselect mesa list

Created attachment 298983 [details]
emerge -pve gnome-light

Created attachment 298985 [details]
dmesg for gnome-session

Created attachment 298987 [details]
dmesg for gnome-shell

Emerge and tested gnome-shell with 1 and 5 and still fails
 [1] x86_64-pc-linux-gnu-4.5.3 *
 [2] x86_64-pc-linux-gnu-4.5.3-hardenednopie
 [3] x86_64-pc-linux-gnu-4.5.3-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.5.3-hardenednossp
 [5] x86_64-pc-linux-gnu-4.5.3-vanilla

Comment 7 Alexandre Rostovtsev (RETIRED) 2012-01-15 13:34:18 UTC

First, please attach your ~/.xsession-errors file after the crash, it may contain useful information.

Second, this dmesg line
> grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/gnome-shell[gnome-shell:29431] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/xinit[xinit:29424] uid/euid:1000/1000 gid/egid:1000/1000
appears to indicate that your system is denying gnome-shell access to rwx memory that might be needed, for instance, for javascript jit (gnome-shell is largely written in javascript and uses mozilla's spidermonkey vm). That is almost certain to prevent gnome-shell from functioning properly, and might be the cause of your segfault.

Are there perhaps some special commands or configurations that are needed to allow rwx memory on hardened? (I frankly have no idea - neither I nor any of the other gentoo gnome team members run hardened systems.)

Executing

paxctl -m /usr/bin/gnome-shell 

gets rid of the libpthread error.  However, dmesg shows that are more tasks that PAX kills such as /usr/libexec/gnome-settings-daemon and it still doesn't load to the desktop environment within 5 sec.  I recompiled a kernel without grsecurity and pax and I can confirm that Gnome 3 works and loads quickly to the desktop, with code generated with pie and ssp gcc compiler.  I need recheck the pax markings on other files so Gnome 3 works properly with the hardened kernel.

Created attachment 299041 [details]
dmesg gnome-settings-daemon PAX termination

New error generated after paxctl -m /usr/bin/gnome-settings solves error in attachments 298985 and 298987

Okay I got the proper pax marking for the gnome-shell that it works normally with hardened kernel enabled grsecurity and pax enabled.  Executing

paxctl -z /usr/bin/gnome-shell    #restore defaults
paxctl -xemr /usr/bin/gnome-shell

fixes all the problems that I have been having.  Just disable RANDMMAP (-r) and disable MPROTECT (-m); xe were the original values.

Comment 11 Alexandre Rostovtsev (RETIRED) 2012-01-21 02:07:45 UTC

Orson, thank you for your investigation. The gnome-shell-3.2.2.1 ebuild that I have just added to portage should automatically call paxctl to disable RANDMMAP and MPROTECT for /usr/bin/gnome-shell. Please verify that this really works and that you can run gnome-shell without needing to manually paxctl it.

@hardened, if 'pax-mark mr "${ED}usr/bin/gnome-shell"' in src_install() is the wrong way to go about this, please say something.

>*gnome-shell-3.2.2.1 (21 Jan 2012)
>
>  21 Jan 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
>  -gnome-shell-3.2.1-r1.ebuild, -gnome-shell-3.2.1-r2.ebuild,
>  -files/gnome-shell-3.2.1-messageTray-reduce-fade.patch,
>  -files/gnome-shell-3.2.1-theme-lighten-sent-message.patch,
>  +gnome-shell-3.2.2.1.ebuild:
>  Bump, fixes lots of crashes, rendering errrors, and memory leaks (in network
>  menu, notifications, workspace thumbnails, icons, etc.) Also, mark
>  gnome-shell executable to allow running under hardened/PaX (bug #398941,
>  thanks to Orson Teodoro). Drop old.

Yes the gnome-shell-3.2.2.1.ebuild properly applies the pax markings and gnome-shell works properly.

Comment 13 Alexandre Rostovtsev (RETIRED) 2012-01-25 08:45:42 UTC

The same change has also been applied to >=cinnamon-1.2, since it is a close fork of gnome-shell.