Summary: | net-im/skype-1.1.0.20-r1 - skype.bin gets terminated by PaX with execution attempt | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Daniel Seyffer <gentoo-bugs> |
Component: | Hardened | Assignee: | Gentoo Net-im project <net-im> |
Status: | RESOLVED FIXED | | |
Severity: | major | | |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | x86 | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 130999 | | |
Bug Blocks: | | | |
Attachments: | Relaxes mprotect() restrictions for PaX usage | | |
Description
Daniel Seyffer
2005-07-27 12:15:04 UTC
Created attachment 64456
Relaxes mprotect() restrictions for PaX usage
net-im: the patch posted above adds a call to /sbin/chpax during installation of the binary to the 1.1.0.20-r1 ebuild, to relax PaX's mprotect() restrictions. Reassigning to package maintainer for action.

We've avoided suggesting ebuild patches for packages that need PaX flag management, until someone bugs about it. This one is simple enough and is as ok as the java ebuilds for example, but in general adding calls to chpax/paxctl is not satisfactory for all users. For example the chpax method only works if CONFIG_PAX_EI_PAX is enabled in the kernel. Work is ongoing on a more satisfactory way of managing PaX flags from within the hardened profile which will enable the hardened team to support this without having to badger package maintainers; once this reaches a satisfactory state, ebuilds like this which just need permissions to be managed won't need any black magic.

For the record: recent versions of Skype are built with a compiler that supports GNU_STACK; hardened users preferring paxctl over chpax can now set the 'm' flag for it with '/sbin/paxctl -cm /opt/skype/skype.bin'.

Fixed in 1.3 version
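
Both markings discussed in this thread live in the ELF image itself, so an audit of which binaries on a hardened system have MPROTECT relaxed can read them directly. The following Python code is an added example, not part of the bug report or the ebuild; the function names and the constructed sample images are illustrative, and the constants are the PaX ELF markings (the PT_PAX_FLAGS program header with its PF_* bits, and the legacy EI_PAX byte written by chpax).

```python
import struct

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580            # PT_LOOS + 0x5041580, managed by paxctl
PF_MPROTECT, PF_NOMPROTECT = 1 << 8, 1 << 9
EI_PAX, HF_PAX_MPROTECT = 14, 4      # legacy chpax marking inside e_ident

def pax_mprotect_status(elf: bytes) -> dict:
    """Report how an ELF image is marked with respect to PaX MPROTECT."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                       # EI_CLASS
    end = "<" if elf[5] == 1 else ">"        # EI_DATA
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    # In the legacy marking a set bit means the restriction is switched off.
    result = {"gnu_stack": False, "pt_pax": None,
              "ei_pax_relaxed": bool(elf[EI_PAX] & HF_PAX_MPROTECT)}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        # p_flags is the 2nd word of an ELF64 phdr and the 7th of an ELF32 one
        p_flags, = struct.unpack_from(end + "I", elf, base + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            result["gnu_stack"] = True       # header that paxctl -c can convert
        elif p_type == PT_PAX_FLAGS:
            if p_flags & PF_NOMPROTECT:
                result["pt_pax"] = "relaxed"     # what paxctl -m sets
            elif p_flags & PF_MPROTECT:
                result["pt_pax"] = "enforced"
            else:
                result["pt_pax"] = "default"
    return result

def build_elf32(phdrs):
    """Constructed sample: minimal little-endian ELF32 header plus program headers."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH",
                              2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)

# Constructed images: a binary carrying PT_GNU_STACK, and the same layout after
# that header has been converted to PT_PAX_FLAGS with MPROTECT disabled.
BEFORE = build_elf32([(1, 5), (PT_GNU_STACK, 6)])
AFTER = build_elf32([(1, 5), (PT_PAX_FLAGS, PF_NOMPROTECT)])
```

Run over real files with `pax_mprotect_status(open(path, "rb").read())`; a binary reporting `pt_pax == "relaxed"` or `ei_pax_relaxed` is one that has been exempted from the mprotect() restrictions and is worth tracking.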