Bug 470842 - dev-lang/orc: liborc-*.so* should be pax marked, pkg_postinst should suggest running revdep-pax
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: GStreamer package maintainers
Reported: 2013-05-21 07:10 UTC by Nikoli
Modified: 2015-07-05 11:13 UTC

Description Nikoli 2013-05-21 07:10:24 UTC
dev-lang/orc is JIT, all bins that use it work only after 'paxctl-ng -m bin'. Best solution is to 'pax-mark m /usr/bin/orc-bugreport /usr/bin/orcc /usr/lib64/liborc*.so*' in ebuild and suggest running revdep-pax in pkg_postinst. See also bug #421579.
You can use ati-drivers-13.4.ebuild as example.

How to reproduce problem, now avconv is not able to encode until pax marked:
$ avconv -i t.mkv -codec:v dirac -codec:a aac t1.mkv
avconv version 9.6, Copyright (c) 2000-2013 the Libav developers
  built on May 21 2013 02:48:54 with gcc 4.6.3 (Gentoo Hardened 4.6.3 p1.13, pie-0.5.2)
...
ORC: ERROR: orccodemem.c(285): orc_code_region_allocate_codemem(): Failed to create write and exec mmap regions.  This is probably because SELinux execmem check is enabled (good) and $TMPDIR and $HOME are mounted noexec (bad).
ORC: ERROR: orccodemem.c(148): orc_code_region_get_free_chunk(): assertion failed: 0
Аварийный останов

After 'paxctl-ng -m /usr/bin/avconv' encoding works fine.

Same with avplay:
$ avplay t1.mkv 
avplay version 9.6, Copyright (c) 2003-2013 the Libav developers
  built on May 21 2013 02:48:54 with gcc 4.6.3 (Gentoo Hardened 4.6.3 p1.13, pie-0.5.2)
ORC: ERROR: orccodemem.c(285): orc_code_region_allocate_codemem(): Failed to create write and exec mmap regions.  This is probably because SELinux execmem check is enabled (good) and $TMPDIR and $HOME are mounted noexec (bad).
ORC: ERROR: orccodemem.c(148): orc_code_region_get_free_chunk(): assertion failed: 0
Аварийный останов
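
The ORC errors above report that the JIT could not create "write and exec mmap regions". As an added example (not part of the bug report and not orc's code), this C probe checks whether the current process may obtain executable anonymous memory, either as RWX directly or by switching an RW page to RX; the function names and verdict values are made up for this illustration.

```c
#define _GNU_SOURCE /* for MAP_ANONYMOUS under strict -std modes */
#include <stdio.h>
#include <sys/mman.h>

enum { WX_DENIED = 0, WX_ALLOWED = 1 };
enum { JIT_BLOCKED = 0, JIT_TWO_STEP_ONLY = 1, JIT_WX_OK = 2 };

/* 1 if the mapping holding addr shows 'x' in /proc/self/maps, 0 if not,
 * -1 if /proc is unavailable. Catches kernels that grant the mapping
 * but silently drop the exec bit. */
static int mapped_exec(const void *addr) {
    char line[4400], perms[8];
    unsigned long lo, hi, a = (unsigned long)addr;
    int res = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) == 3 && a >= lo && a < hi) {
            res = (perms[2] == 'x');
            break;
        }
    fclose(f);
    return res;
}

/* Map one anonymous page. If direct, ask for RWX at once; otherwise map
 * it RW and then switch it to RX with mprotect(). */
int probe(int direct) {
    size_t len = 4096;
    int prot = PROT_READ | PROT_WRITE | (direct ? PROT_EXEC : 0);
    void *p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return WX_DENIED;
    int ok = direct || mprotect(p, len, PROT_READ | PROT_EXEC) == 0;
    if (ok && mapped_exec(p) == 0) ok = 0; /* exec bit was dropped */
    munmap(p, len);
    return ok ? WX_ALLOWED : WX_DENIED;
}

/* Pure classification of the two probe results. */
int jit_verdict(int wx, int two_step) {
    if (wx == WX_ALLOWED) return JIT_WX_OK;
    return two_step == WX_ALLOWED ? JIT_TWO_STEP_ONLY : JIT_BLOCKED;
}

int main(void) {
    static const char *msg[] = {
        "blocked: a JIT fails unless the binary is exempted (e.g. PaX 'm' flag)",
        "RW->RX only: a JIT must avoid simultaneous W+X",
        "W+X allowed: no W^X enforcement for this process" };
    int wx = probe(1), ts = probe(0);
    printf("rwx mmap=%d, rw->rx mprotect=%d: %s\n", wx, ts, msg[jit_verdict(wx, ts)]);
    return 0;
}
```

On a kernel enforcing PaX MPROTECT the verdict is expected to change once the compiled probe itself is marked with 'paxctl-ng -m'.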
Comment 1 Nikoli 2013-05-22 03:43:58 UTC
Also profiles/hardened/linux/make.defaults should have -schroedinger in USE.
Comment 2 Anthony Basile gentoo-dev 2014-10-17 21:23:29 UTC
(In reply to Nikoli from comment #0)
> dev-lang/orc is JIT, all bins that use it work only after 'paxctl-ng -m
> bin'. Best solution is to 'pax-mark m /usr/bin/orc-bugreport /usr/bin/orcc
> /usr/lib64/liborc*.so*' in ebuild and suggest running revdep-pax in
> pkg_postinst. See also bug #421579
> You can use ati-drivers-13.4.ebuild as example.
> 

It's easy enough to add the pax markings.  Just add src_install something like the following:

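# Needs "inherit pax-utils" at the top of the ebuild for pax-mark.
src_install() {
    default
    # Paths must point into the install image, hence the ${ED} prefix.
    pax-mark m "${ED}"/usr/bin/orc-bugreport
    pax-mark m "${ED}"/usr/bin/orcc
    pax-mark m "${ED}"/usr/$(get_libdir)/liborc*.so*
}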

Then in pkg_postinst just do an if hardened to suggest running revdep-pax from the elfix package.

dev-lang/orc belongs to gstreamer so we'll see what they have to say.
Comment 3 Pacho Ramos gentoo-dev 2015-07-05 11:13:17 UTC
+*orc-0.4.24 (05 Jul 2015)
+
+  05 Jul 2015; Pacho Ramos <pacho@gentoo.org> +orc-0.4.24.ebuild,
+  -orc-0.4.19.ebuild, metadata.xml:
+  Version bump, pax marking is needed (#470842 by Nikoli and Anthony Basile),
+  drop old
+
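Review bot: the entry text "pax marking is needed" records only the marking and does not say whether the pkg_postinst hint to run revdep-pax, requested in the bug title and in comment 2, went into orc-0.4.24.ebuild. Suggest naming both changes in the entry, or stating that the hint was left out, since the report shows a consumer such as avconv failing until it is marked as well.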