Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 365727

Summary: net-im/skype can be paxmarked
Product: Gentoo Linux Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: Current packagesAssignee: Matthew Thode ( prometheanfire ) <prometheanfire>
Status: RESOLVED FIXED    
Severity: normal CC: hardened
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 365825    
Bug Blocks:    

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-02 15:44:48 UTC 
Skype currently does not work on hardened gentoo because of MPROTECT and EMUTRMAP.  To get it to work I first created a flag on the binary via 'paxctl -C `which skype`' then 'paxctl -me `which skype`'.  The steps can probably be combined.

I can confrim that this works on net-im/skype-2.1.0.81 on amd64.

Reproducible: Always

Steps to Reproduce:
1. unmask skype
2. emerge skype
3. run skype
4. watch skype fail
5. paxmark skype
6. run skype
7. watch skype run
8. run skype run
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2011-05-02 15:55:19 UTC 
Not sure what and how you tested, but this has already been reported unworking...

*** This bug has been marked as a duplicate of bug 302589 ***
Comment 2 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2011-05-02 18:31:36 UTC 
Samuli, I don't think it is a duplicate although they are heavily related, looks like skype removed the integrity checking code somehow as it works well now. I think we should keep this one for the discussion regarding adding the pax marking on the ebuild.
Comment 3 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2011-05-02 18:37:08 UTC 
Assigning to the proper people I can also confirm this bug.
Comment 4 mori rĂ¡mar 2011-09-25 15:09:15 UTC 
I have used paxctl -Cm /opt/skype/skype for over 2 months and it works for me.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-09-26 20:11:23 UTC 
I use skype for over a year now on my hardened/SELinux/PaX-enabled system without problems. My skype.postinst contains "paxctl -Cme /opt/skype/skype", I'll test without the "-e" later.
Comment 6 Alex Efros 2012-02-11 07:50:45 UTC 
`paxctl -Cm /opt/skype/skype` works fine for me too on net-im/skype-2.2.0.35-r1, no needs in EMUTRAMP. ARCH x86.

Any chance this paxmarking will be added into ebuild, to let me drop /etc/portage/bashrc.d/net-im/skype.postinst hack? Current ebuild actually inherit pax-utils but doesn't use it.
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-02-11 20:53:19 UTC 
I'll see about working on this (was off my radar since it was opened before devship).
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-02-28 21:26:36 UTC 
it is net-im/skype-2.2.0.35-r1 in the tree, please test