| Summary: | dev-python/pypy USE=jit does no pax-marking | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | WANG Xuerui <xen0n> |
| Component: | [OLD] Development | Assignee: | Nirbheek Chauhan (RETIRED) <nirbheek> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hardened, oleid, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Attachments: | Apply "pax-mark m" on the generated pypy executable | | |

Description
WANG Xuerui
2012-12-27 11:44:56 UTC
@hardened: Ok to add pax-mark m here?

A pax related error, probably the same:

emerge fails during the install phase of pypy on a hardened machine. Therefore I created a binary on a non-hardened gentoo and transferred the package to the very hardened box. Obviously installing works, yet running doesn't. A "memory error" is reported - the very same error due to which install fails.

I had to manually run

paxctl -pemrxs /usr/bin/pypy-c2.0

in order to get pypy to work, as mentioned in the gentoo hardened faq.

(In reply to comment #2)
> A pax related error, probably the same:
>
> emerge fails during the install phase of pypy on a hardened machine.
> Therefore I created a binary on a non-hardened gentoo and transferred the
> package to the very hardened box. Obviously installing works, yet running
> doesn't. A "memory error" is reported - the very same error due to which
> install fails.
>
> I had to manually run
>
> paxctl -pemrxs /usr/bin/pypy-c2.0
>
> in order to get pypy to work, as mentioned in the gentoo hardened faq.

Just checked the pypy ebuild for this installation problem, and yes the error is the same. In pypy-2.0_beta1.ebuild:103-110 the fresh PyPy binary is being executed for the pickles, which would immediately die with -EPERM the moment it tries to do JIT.

PS: Actually only MPROTECT needs to be disabled for the executable, that is -m. In my case PyPy is used to run the development branch of a Django site, and I have not yet seen any breakage with all the other PaX features on.

Created attachment 347738
Apply "pax-mark m" on the generated pypy executable
Apply with patch -p5 < pypy-2.0_beta2.ebuild-pax-fix in /usr/portage/dev-python/pypy
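
An added example, not part of the bug report or of the ebuild: a small C probe that asks the kernel for memory in the two ways a JIT compiler commonly does and reports the errno it gets back, which is how the MPROTECT denial described in the comments above becomes visible. The function names are hypothetical, and the probe does not reproduce PyPy's own allocation path, which the page does not show.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Two common ways a JIT obtains memory it can both fill and execute. */
enum jit_style { JIT_MMAP_RWX, JIT_RW_THEN_RX };

/* Returns 0 if the kernel granted the request, else the errno of the failing call.
 * Nothing is written to or executed from the mapping; this only tests policy. */
int probe_jit_mapping(enum jit_style style)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int prot = PROT_READ | PROT_WRITE;
    int err = 0;
    void *p;

    if (style == JIT_MMAP_RWX)
        prot |= PROT_EXEC;              /* writable and executable at once */
    p = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if (style == JIT_RW_THEN_RX && mprotect(p, len, PROT_READ | PROT_EXEC) != 0)
        err = errno;                    /* save before munmap can overwrite it */
    munmap(p, len);
    return err;
}

/* Separates a policy denial from an unrelated failure such as ENOMEM. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (err == EPERM || err == EACCES)
        return "denied by policy";
    return "failed for another reason";
}

int main(void)
{
    int a = probe_jit_mapping(JIT_MMAP_RWX);
    int b = probe_jit_mapping(JIT_RW_THEN_RX);

    printf("mmap RWX:       %s (%s)\n", verdict(a), a ? strerror(a) : "ok");
    printf("mprotect RW->RX: %s (%s)\n", verdict(b), b ? strerror(b) : "ok");
    return (a || b) ? 1 : 0;
}
```

PaX flags are set per executable, so the result describes the policy applied to the probe binary itself, not to pypy.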
+ 08 May 2013; Mike Gilbert <floppym@gentoo.org> pypy-2.0_beta2.ebuild: + Disable MPROTECT if jit is enabled, bug 448818. |