Installing Xen gives QA warnings about executable stacks. Here is /var/tmp/portage/xen-3.0.2/temp/scanelf-execstack.log:

--- --- RWX work/xen-3.0.2/xen/xen
!WX --- --- work/xen-3.0.2/xen/arch/x86/hvm/svm/x86_32/exits.o
!WX --- --- work/xen-3.0.2/xen/arch/x86/hvm/svm/x86_32/built_in.o
!WX --- --- work/xen-3.0.2/xen/arch/x86/hvm/vmx/x86_32/exits.o
!WX --- --- work/xen-3.0.2/xen/arch/x86/hvm/vmx/x86_32/built_in.o
!WX --- --- work/xen-3.0.2/xen/arch/x86/boot/x86_32.o
!WX --- --- work/xen-3.0.2/xen/arch/x86/x86_32/entry.o
!WX --- --- work/xen-3.0.2/xen/arch/x86/trampoline.o
--- --- RWX work/xen-3.0.2/xen/xen-syms
--- --- RWX image/boot/xen-syms-3.0.2

The attached patch fixes all except for image/boot/xen-syms-3.0.2, which I think should be installed as 755 anyway. The two relevant lines are:

install -m0644 /var/tmp/portage/xen-3.0.2/work/xen-3.0.2/xen/xen-syms /var/tmp/portage/xen-3.0.2/image//boot/xen-syms-3.0.2

and the output of ls -l var/tmp/portage/xen-3.0.2/work/xen-3.0.2/xen/xen-syms

-rwxr-xr-x 1 portage portage 2577677 2006-08-15 20:08 /var/tmp/portage/xen-3.0.2/work/xen-3.0.2/xen/xen-syms
Created attachment 94343 [details, diff] Fixes exec stacks in xen
Created attachment 97368 [details, diff] a more complete patch (including makefile)

In the former patch the Makefile is still to be edited by hand. This patch includes a single line change in the Makefile to fix the file permissions for the symbol file.
I used the second patch (although I had to modify it first as it wouldn't apply). It has removed most of the exec stacks, but the following still remains.

--- --- RWX boot/xen-syms-3.0.2

I tested the HVM capabilities using an XP install CD and it still appeared to work.
No need for the Makefile patch, as xen-syms-3.0.2 isn't meant to be executed - it's used only in conjunction with gdb and a xen core dump.
It also doesn't fix anything - scanelf still complains about exec-stacks in xen-syms.
(In reply to comment #5)
> It also doesn't fix anything - scanelf still complains about exec-stacks in
> xen-syms.
>
Yep. Same here. It would be great if someone knows a fix to this problem.
I spoke to spb in #gentoo-hardened and apparently there's no point addressing exec stacks in anything which is loaded prior to the kernel (e.g. the xen hypervisor), since non-executable stacks won't be enforced anyway. Even with the GNU stack markings applied, there's still a writable/executable segment triggering a QA warning (or failure, if FEATURES=stricter), which I'd like to address by adding QA_WX_LOAD="boot/xen-syms-${XEN_VERSION/_/-}" to the ebuild. Since the GNU stack markings are apparently useless in this situation, I'd rather avoid them and keep things as close to vanilla upstream as possible. However, I need the agreement of QA before proceeding with the addition of QA_WX_LOAD, as per man 5 ebuild.
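The scan behind the first comment's scanelf-execstack.log and the QA_WX_LOAD whitelisting proposed in comment #7, as an added Python example; this is not code from this bug, from Xen, from pax-utils or from Portage. It re-implements the two program-header checks that scanelf reports in the log's first and last columns (a PT_GNU_STACK carrying PF_X gives !WX; a PT_LOAD that is both PF_W and PF_X gives RWX) and exercises them on constructed in-memory ELF headers instead of real binaries. Assumptions: a missing PT_GNU_STACK is counted as executable (the historical kernel default); the QA lists are matched with shell globs via fnmatch, an approximation of Portage's own matching; the .note.GNU-stack section check that scanelf applies to relocatable .o files such as entry.o is not implemented.

```python
"""Pure-Python version of the two checks behind scanelf-execstack.log.
Added example; not code from the bug, from Xen, from pax-utils or from Portage."""
import fnmatch
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def program_headers(data):
    """Yield (p_type, p_flags) for each program header of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                           # p_flags follows p_memsz in Elf32_Phdr
    elif ei_class == 2:                          # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                            # p_flags follows p_type in Elf64_Phdr
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
        yield p_type, p_flags


def exec_stack_status(data):
    """Return (stack, load) in scanelf's notation.
    stack: "!WX" if PT_GNU_STACK has PF_X, "---" if present and non-executable.
           A missing PT_GNU_STACK is reported as "!WX", matching the historical
           Linux default of an executable stack (this example's policy, an assumption).
    load:  "RWX" if any PT_LOAD is writable and executable, else "---"."""
    stack, load = "!WX", "---"
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            stack = "!WX" if p_flags & PF_X else "---"
        elif p_type == PT_LOAD and (p_flags & (PF_W | PF_X)) == (PF_W | PF_X):
            load = "RWX"
    return stack, load


def qa_violations(findings, qa_execstack=(), qa_wx_load=()):
    """Apply an ebuild's QA_EXECSTACK / QA_WX_LOAD lists to scan results.
    findings maps a path relative to ${D} to (stack, load); returns the paths
    that still trip the QA check.  Globs are matched with fnmatch, an
    approximation of Portage's matching (assumption)."""
    still_bad = []
    for path, (stack, load) in sorted(findings.items()):
        stack_ok = stack == "---" or any(fnmatch.fnmatch(path, g) for g in qa_execstack)
        load_ok = load == "---" or any(fnmatch.fnmatch(path, g) for g in qa_wx_load)
        if not (stack_ok and load_ok):
            still_bad.append(path)
    return still_bad


def build_elf(segments, bits=64):
    """Constructed test input: a minimal little-endian ELF header plus the given
    (p_type, p_flags) program headers.  Carries no code and is not loadable."""
    if bits == 64:                               # x86-64, ET_EXEC, headers at offset 64
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    else:                                        # i386, ET_EXEC, headers at offset 52
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in segments)
    return ehdr + phdrs


def scan_file(path):
    """Scan one file on disk, e.g. an installed /boot/xen-syms-*."""
    with open(path, "rb") as fh:
        return exec_stack_status(fh.read())


if __name__ == "__main__":
    # Constructed stand-ins for the shapes seen in the bug's log (not real binaries).
    samples = {
        "usr/bin/hardened": build_elf([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                                       (PT_GNU_STACK, PF_R | PF_W)]),
        "boot/xen-syms-3.0.2": build_elf([(PT_LOAD, PF_R | PF_W | PF_X),
                                          (PT_GNU_STACK, PF_R | PF_W)], bits=32),
        "usr/bin/execstack": build_elf([(PT_LOAD, PF_R | PF_X),
                                        (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
    }
    findings = {path: exec_stack_status(blob) for path, blob in samples.items()}
    for path, (stack, load) in findings.items():
        print(stack, load, path)
    # Comment #7's proposal: whitelist only the debug symbol file via QA_WX_LOAD.
    print("remaining QA violations:", qa_violations(findings, qa_wx_load=("boot/xen-syms-3.0.2",)))
```

Run against a real file with scan_file("/boot/xen-syms-3.0.2") to reproduce the "--- --- RWX" line from the log; the whitelist step shows why QA_WX_LOAD silences that one path while an executable stack elsewhere in ${D} would still fail the check.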
This is correct ... if the code's role does not involve actually running under the Linux kernel, then exec stack markings are meaningless.
The solution proposed in comment #7 should be applied when this package is next bumped - it's not big enough to warrant a bump on its own.
In addition to boot/xen-syms I am setting QA_WX_LOAD for usr/lib/xen/boot/hvmloader in the xen-tools ebuild. hvmloader is used to emulate the PC BIOS and bootstrap fully virtualized kernels.
I should have closed this bug ages ago, resolving.