Created attachment 384742 [details, diff] webkit-gtk-2.2.6.ebuild.patch webkit-gtk-2.4 introduced multi-process support and some binaries need to be pax-marked. This does not apply to -r200 ebuilds. For example I get these errors when I run Epiphany with flash plugin: [16348.784387] grsec: denied RWX mprotect of <anonymous mapping> by /usr/libexec/WebKitPluginProcess[WebKitPluginPro:3984] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0 [16348.784403] PAX: execution attempt in: <anonymous mapping>, 31b4f000000-31b4f520000 31b4f000000 [16348.784407] PAX: terminating task: /usr/libexec/WebKitPluginProcess(WebKitPluginPro):3984, uid/euid: 1000/1000, PC: 0000031b4f508f45, SP: 000003b5b65ab638 [16348.784409] PAX: bytes at PC: 55 48 8b ec 48 83 ec 30 48 89 5d e0 4c 89 65 d8 48 8d 5d e8 [16348.784423] PAX: bytes at SP-8: 0000031b4f4a1890 0000031b567fecaf 48000000a4d3f4f1 000003b5b65ab660 000003b5b65ab6f0 0000031b567ffafa 0000031b4f2c0118 000003b5b65ab6f0 0000031b4f382100 0000031b567ff962 0000031b4f018000 Similar errors occurs with WebKitWebProces if webkit-gtk was compiled with jit.
(In reply to Alexander Tsoy from comment #0) > Created attachment 384742 [details, diff] [details, diff] > webkit-gtk-2.2.6.ebuild.patch Oops.. I made a patch against the wrong version of webkit-gtk. :)
Created attachment 384772 [details, diff] webkit-gtk-2.4.4.ebuild.patch
(In reply to Alexander Tsoy from comment #2) > Created attachment 384772 [details, diff] [details, diff] > webkit-gtk-2.4.4.ebuild.patch Why is it running pam-mark for WebKitPluginProcess unconditionally of "jit" USE flag?
(In reply to Pacho Ramos from comment #3) This process is intended to load and run plugins such as adobe-flash, java, etc. Thus it should be pax-marked unconditionally. It is similar to plugin-container in firefox.
OK, will probably commit it with 2.4.5 bump, but I am unsure if I will have time for it shortly :S Anyway, if any other dev has enough time for that feel free to go ahead without waiting for me (or even waiting for the bump if you don't want to spend its hours of compilation for both slots :S )
+*webkit-gtk-2.4.6 (04 Oct 2014) +*webkit-gtk-2.4.6-r200 (04 Oct 2014) + + 04 Oct 2014; Pacho Ramos <pacho@gentoo.org> +webkit-gtk-2.4.6-r200.ebuild, + +webkit-gtk-2.4.6.ebuild: + Version bump, pax-mark some more files (#522808 by Alexander Tsoy) +