| Summary: | binaries from dev-java/sun-jdk should be pax-marked -pmrs | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Nicolas Litchinko <nicolas> |
| Component: | New packages | Assignee: | Java team <java> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | hardened |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxjava | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Yeah it was changed in a patch by our hardened folks when switching to an eclass to mark the files: https://bugs.gentoo.org/attachment.cgi?id=103184 Hardened folks are saying that -m is only good for >=1.5 to to changing 1.4 back to -srpm leaving newer versions alone. Thanks for reporting and please reopen if you still have issues with -r2. |
Hi, When the dev-java/sun-jdk ebuild was migrated to the pax-utils eclass, it suddenly started to paxctl -m the binaries instead of -pemrs. It's still the case with sun-jdk-1.4.2.13 if you have chpax installed but chpax is deprecated. I noticed that something was wrong with java when I tried to build eclipse on a fresh hardened system. The jvm was immediately killed by PaX. I used paxctl -pmrs /opt/sun-jdk-1.4.2.13/{,jre}/bin/* and then I was able to build eclipse successfully. Considering java needs these permissions by design, it would help if the "pmrs" permissions were granted directly by the ebuild. Should the -m flag alone be enough? Thank you in advance