When emerging sun-jdk under a hardened profile with pax activated in the kernel, pax flags are set to conservative values. However, java doesn't start.

Reproducible: Always

Steps to Reproduce:
1. Emerge sun-jdk
2. Try to start java: java -version

Actual Results:
It fails.

Expected Results:
Should print java version.

Portage 2.0.50-r11 (x86, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.7-hardened-r7)
=================================================================
System uname: 2.6.7-hardened-r7 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp://gentoo.risq.qc.ca http://gentoo.mirrored.ca http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
USE="apache2 berkdb crypt dlloader gdbm gpm hardened imap java javamail jce jikes jpeg libwww maildir mysql ncurses nls pam perl pic pie png python readline ssl tcpd vhosts webdav x86 xml xml2 zlib"

To fix the problem, I've also disabled the "mmap() base" option:

----[ chpax 0.6.1 : Current flags for /opt/sun-jdk-1.4.2.06/bin/java (pemrxs) ]----

 * Paging based PAGE_EXEC : disabled
 * Trampolines : not emulated
 * mprotect() : not restricted
 * mmap() base : not randomized
 * ET_EXEC base : not randomized
 * Segmentation based PAGE_EXEC : disabled

These are the flags that make java work. The fix is to add the "r" option to CHPAX_CONSERVATIVE_FLAGS in sun-jdk ebuilds:

CHPAX_CONSERVATIVE_FLAGS="pemrsv"

hardened does not maintain java. java@ maintains java. The flags seem reasonable.

added