| Summary: | >=dev-lang/mono-2.4.2.3 ebuild fails on hardened linux | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Jason Mattax <jmattax+gentoo> |
| Component: | Current packages | Assignee: | dotnet project <dotnet> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hardened, kallamej, lejonet |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Emerge --info from my server; Real emerge --info from my server; build.log from the server; disable MPROTECT; set -m on mono for PAX enable kernels | | |
Description
Jason Mattax
2009-09-24 18:03:25 UTC
Note that I was able to work around this issue by running `watch paxctl -m /var/tmp/portage/dev-lang/mono-2.4.2.3/work/mono-2.4.2.3/mono/mini/mono` in another terminal; since this attempts to change the PAX headers on the file every 2 seconds, it got there before the program was run on my system. If you use this kludge to install, expect to see lots of messages telling you the file isn't there.

I can confirm that this happens on x86 too. I got a server with x86 that is running on a hardened-sources-2.6.29 kernel with the grsec server profile. I get the same deny messages in kern.log as Jason.

Created attachment 207871 [details]
Emerge --info from my server
Comment on attachment 207871 [details]
Emerge --info from my server
Wrong machine
Created attachment 207873 [details]
Real emerge --info from my server
Sorry for wrong file before. This is from the actual machine that gets the compile error.
Created attachment 207875 [details]
build.log from the server
I've worked around this issue by adding this function to dev-lang/mono/mono-2.4.2.3.ebuild:

```sh
src_compile() {
	make                     # this one will fail because of PaX error
	paxctl -m mono/mini/mono
	make                     # continue compilation
}
```

Do you get the same problem with latest mono-2.6?

(In reply to comment #8)
> Do you get the same problem with latest mono-2.6?

I can give it a shot again on both AMD64 and x86 hardened and report back.

(In reply to comment #8)
> Do you get the same problem with latest mono-2.6?

Yes.

```
PAX: execution attempt in: <anonymous mapping>, 2031e000-2039a000 2031e000
PAX: terminating task: /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono(mono):23537, uid/euid: 250/250, PC: 2038a000, SP: 5cfcb41c
PAX: bytes at PC: 55 89 e5 53 8b 45 08 0f a2 50 8b 45 10 89 18 8b 45 14 89 08
PAX: bytes at SP-4: 5cfcb488 10b727c3 00000001 5cfcb4b8 5cfcb4b4 5cfcb4b0 5cfcb4ac 2014bc8b c9db1d90 20187d14 00000001 2016cebe 5cfcb488 00000022 5cfcb4ac 5cfcb4b0 5cfcb4b4 5cfcb4b8 2031e360 2016cebe 5cfcb488
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono[mono:23537] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:23536] uid/euid:250/250 gid/egid:250/250
```

(In reply to comment #10)
> (In reply to comment #8)
> > Do you get the same problem with latest mono-2.6?
> >
> > Yes.
> >
> > PAX: execution attempt in: <anonymous mapping>, 2031e000-2039a000 2031e000
> > PAX: terminating task: /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono(mono):23537, uid/euid: 250/250, PC: 2038a000, SP: 5cfcb41c
> > PAX: bytes at PC: 55 89 e5 53 8b 45 08 0f a2 50 8b 45 10 89 18 8b 45 14 89 08
> > PAX: bytes at SP-4: 5cfcb488 10b727c3 00000001 5cfcb4b8 5cfcb4b4 5cfcb4b0 5cfcb4ac 2014bc8b c9db1d90 20187d14 00000001 2016cebe 5cfcb488 00000022 5cfcb4ac 5cfcb4b0 5cfcb4b4 5cfcb4b8 2031e360 2016cebe 5cfcb488
> > grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono[mono:23537] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:23536] uid/euid:250/250 gid/egid:250/250

I have only tested AMD64 hardened and it gets killed, mono-2.6.4; my 32-bit chroot sort of fell apart due to me not maintaining it.

I don't know much about hardened; maybe they will be able to suggest to us the best way of handling this.

The main problem is that it uses JIT (just-in-time) compilation and has some trampoline functions in the code. It gets killed by MPROTECT.
1. Fix the code, if that is even possible.
2. Disable MPROTECT on that bin and lose the MPROTECT protection.

Created attachment 240961 [details, diff]
disable MPROTECT
This ebuild patch disables MPROTECT on the mono binary.
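The PAX messages quoted earlier in this bug are what MPROTECT logs when a process executes code from an anonymous mapping, which is what mono's JIT output is. The parser below is an added example, not code from this bug or from the mono ebuild: it pulls such kills out of kernel log text, pairs each "execution attempt" line with the "terminating task" line that follows it, checks that the faulting PC really lies inside the refused mapping, and emits the per-binary `paxctl -m` mitigation this bug settled on. `SAMPLE_LOG` is constructed from the lines quoted above (plus one unrelated line to show it is ignored); `PaxKill`, `parse_pax_kills` and `paxctl_mark_command` are names chosen here.

```python
# Added example, not code from this bug or the mono ebuild: pull PaX MPROTECT
# kills out of kernel log text. SAMPLE_LOG is constructed from this bug's lines.
import re
from dataclasses import dataclass
from typing import Optional
SAMPLE_LOG = """\
kernel: usb 1-1: new high-speed USB device number 2 using ehci_hcd
PAX: execution attempt in: <anonymous mapping>, 2031e000-2039a000 2031e000
PAX: terminating task: /var/tmp/portage/dev-lang/mono-2.6.4-r1/work/mono-2.6.4/mono/mini/mono(mono):23537, uid/euid: 250/250, PC: 2038a000, SP: 5cfcb41c
PAX: bytes at PC: 55 89 e5 53 8b 45 08 0f a2 50 8b 45 10 89 18 8b 45 14 89 08
"""
ATTEMPT_RE = re.compile(
    r"PAX: execution attempt in: (?P<where>.+?), (?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)")
TERMINATE_RE = re.compile(
    r"PAX: terminating task: (?P<path>[^(]+)\((?P<comm>[^)]+)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+)")

@dataclass
class PaxKill:
    path: str
    comm: str
    pid: int
    uid: int
    pc: int                       # faulting program counter
    where: Optional[str] = None   # mapping PaX refused to execute, if logged
    start: Optional[int] = None
    end: Optional[int] = None

    def is_jit_like(self) -> bool:
        """Execution inside an anonymous (non-file-backed) mapping is the MPROTECT
        signature of JIT or trampoline code, which is what kills mono here."""
        return (self.where == "<anonymous mapping>" and self.start is not None
                and self.start <= self.pc < self.end)

def parse_pax_kills(log: str) -> list:
    """Pair each 'execution attempt' line with the 'terminating task' line after it."""
    kills, pending = [], None
    for line in log.splitlines():
        if m := ATTEMPT_RE.search(line):
            pending = m
        elif m := TERMINATE_RE.search(line):
            kills.append(PaxKill(m["path"], m["comm"], int(m["pid"]), int(m["uid"]),
                                 int(m["pc"], 16), pending and pending["where"],
                                 pending and int(pending["start"], 16),
                                 pending and int(pending["end"], 16)))
            pending = None            # one attempt line belongs to one kill
    return kills

def paxctl_mark_command(kill: PaxKill) -> list:
    """The mitigation used in this bug: relax only MPROTECT on the one JIT binary."""
    return ["paxctl", "-m", kill.path]
```

Running `parse_pax_kills` over a real kern.log tells you which binary, PID and uid were killed and whether the PC sat in an anonymous mapping; only binaries that genuinely JIT (as mono does) should get the `-m` mark, since it removes MPROTECT for that executable entirely.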
Created attachment 241045 [details, diff]
set -m on mono for PAX enable kernels
we don't need all the kernel PAX checks.
+ 07 Sep 2010; Pacho Ramos <pacho@gentoo.org> mono-2.6.7.ebuild, + metadata.xml: + Drop PDEPEND on pe-format (bug #333907 by Michał Górny), fix build on + hardened (bug #286280 by Jason Mattax and fix by Magnus Granberg) and + allow people to enable .NET 4.0 profile if they want (bug #326497 by Ron + MacNeil). |