The tests on a "quasi-hardened" AMD64 2.6.20-r5 system (i.e. hardened kernel without userland) indicate that the build process stops at:

# Subconfigure of BFD done
# ------------------------
# checking size of long... 8
checking sizeof struct contblock... 16
checking for endian.h... yes
checking endianness... little
checking for sbrk... yes
checking for randomized sbrk... yes
checking for randomized brk remedy...

after which there is no response. I had it running for two hours without any progress. Others verified on IRC that the build fails with clearer errors on "real" hardened systems. This sounds very much like the issues described in bug 132873.
Created attachment 126260: emerge --info

Created attachment 126262: Build log for Axiom (complete emerge log)

Created attachment 126263: emerge --info

Comment on attachment 126262 (Build log for Axiom): I tried emerging the latest ~x86 version of axiom (version 3.9-r1) and it failed with the errors shown in the attached file.
Hi Jukka,

The main reason for this failure is the fact that gcl (which is used to compile axiom) does not work with hardened. For more info see bug #132873. Until this is fixed by the gcl people, axiom will probably be a no-go on a hardened system.

Best, Markus
I have the same issue on a non-hardened system...

Portage 2.1.5.4 (default-linux/amd64/2007.0/desktop, gcc-4.3.1-pre20080604, glibc-2.7-r2, 2.6.25-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.25-gentoo-r4 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 5000+
Timestamp of tree: Fri, 06 Jun 2008 13:18:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.2.5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.62
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.25-r3
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O2 -march=athlon64"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/4.0/env /usr/kde/4.0/share/config /usr/kde/4.0/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-pipe -O2 -march=athlon64"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/"
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--sort-common -Wl,--as-needed"
LINGUAS="de"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/dirtyepic /usr/local/portage/layman/sunrise /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi alsa amd64 apache2 avahi bash-completion berkdb bluetooth cairo cdr cjk cli cracklib crypt cups dbus dri dvb dvd dvdr dvdread emboss encode evo fam ffmpeg firefox flac foomaticdb fortran gdbm gif gimp gpm gtk hal iconv ipod ipv6 isdnlog jpeg jpeg2k kde kdehiddenvisibility kerberos ldap lm_sensors mad midi mikmod mmx mmxext mp3 mp4 mpeg mplayer mudflap mysql ncurses nls nptl nptlonly nsplugin ogg openal openexr opengl openmp pam pch pcre pdf perl php png ppds pppd python qt3 qt3support qt4 quicktime readline reflection ruby samba sasl sdl session speex spell spl sse sse2 ssl subversion svg tcpd tetex theora threads tiff truetype unicode usb vcd visualization vorbis x264 xcb xcomposite xinerama xml xorg xv xvid xvmc zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
CAMERAS="ptp2"
ELIBC="glibc"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="de"
USERLAND="GNU"
VIDEO_CARDS="nvidia"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Trying to build sci-mathematics/axiom-200803
Issue still reproducible, even on non-hardened systems. Reassigning to maintainers.
(In reply to comment #6)
> I have the same issue on a non-hardened system...

axiom is a no-go on hardened due to gcl. However, since you don't use a hardened toolchain it should in principle work. Could you please post your emerge logs as well so I can make sure that this is not a different issue from the one reported.

Thanks, Markus
Created attachment 158659: build.log

Also hangs after:

checking for sbrk... yes
checking for randomized sbrk... yes
checking for randomized brk remedy...
(In reply to comment #10)
> Created an attachment (id=158659)
> build.log
>
> Also hangs after:
> checking for sbrk... yes
> checking for randomized sbrk... yes
> checking for randomized brk remedy...

Yeah, I can confirm this problem on my dev-box as well. I am fairly certain that that's due to the 2.6.25 kernel's CONFIG_COMPAT_BRK option. Presumably, you have it disabled? Hence, a workaround might be to set CONFIG_COMPAT_BRK=y in your kernel config, and then recompile and re-install your kernel. In the long run, this is really something that needs to be addressed by the gcl folks. Please let me know if this workaround solves this issue for you.

Best, Markus
You are correct:

# CONFIG_COMPAT_BRK is not set

Will check later whether enabling that solves the issue. Btw, I am using dev-lisp/clisp and not dev-lisp/gcl.
Unfortunately, axiom ships with its own customized gcl and building of the latter causes these issues. I'll have to recompile my kernel as well to look into this any further.

Best, Markus
COMPAT_BRK only sets the default for /proc/sys/kernel/randomize_va_space: If this entry is 2, heap randomization will happen; if it is 0, it does not happen. So I suggest that the ebuild should test the above file instead of the kernel configuration. This has several advantages:

1. Users need not compile/boot another (less secure) kernel just to install axiom - they can just switch the state temporarily.
2. Users who have changed /proc/sys/kernel/randomize_va_space (although they have set COMPAT_BRK) will not run uninformed into this error.
3. No explicit kernel version testing is necessary: If /proc/sys/kernel/randomize_va_space does not exist, the kernel is not involved.

Of course, the ebuild might even automatically change the state of /proc/sys/kernel/randomize_va_space temporarily during compilation, but I am not sure whether this corresponds to Gentoo's policy of what ebuilds should be allowed to do.
(In reply to comment #14)
> COMPAT_BRK only sets the default for /proc/sys/kernel/randomize_va_space:
> If this entry is 2, heap randomization will happen, if it is 0, it is does
> not happen.

Hi Martin,

Thank you very much for the great suggestion and I've just implemented it in the ebuild for axiom-200805. The correct choices for toggling brk randomization should be 2 and 1 I believe since a value of 0 would turn off all heap randomization which is not needed. Also, I think the ebuild should not mess with sysctl itself since an aborted emerge may leave a user's system in a less secure state which is not good. Thanks again for pointing this out.

Best, Markus
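An added example, not the axiom ebuild's own code, of the check proposed in the two comments above: read /proc/sys/kernel/randomize_va_space instead of the kernel .config, treat 2 as "brk randomization on" and 1 or 0 as "off", and stop before the build rather than touching sysctl. The file path argument and the constructed sample files are assumptions so it can be run offline.

```shell
# Classify the brk randomization state from a randomize_va_space file.
# The path is a parameter (assumption for offline testing); on a live
# system pass /proc/sys/kernel/randomize_va_space or use the default.
# Prints one of:
#   absent      file missing, so the kernel is not the cause
#   off         0: no randomization at all
#   stack-only  1: stack/mmap randomized, brk not (axiom builds)
#   full        2: brk randomized too (gcl's configure hangs)
brk_randomization_state() {
    file="${1:-/proc/sys/kernel/randomize_va_space}"
    if [ ! -r "$file" ]; then
        echo "absent"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        0) echo "off" ;;
        1) echo "stack-only" ;;
        2) echo "full" ;;
        *) echo "unknown:$value"; return 1 ;;
    esac
}

# Ebuild-style pre-build check: returns 0 when the build may proceed and
# 1 (with an explanation) when brk randomization would hang the build.
# It deliberately does not change the sysctl itself, so an aborted emerge
# cannot leave the host in a weaker state than it found it.
check_brk_for_axiom() {
    state=$(brk_randomization_state "$1") || return 1
    case "$state" in
        full)
            echo "Your kernel has brk randomization enabled (randomize_va_space=2)." >&2
            echo "Set it to 1 for the duration of the build, then restore it:" >&2
            echo "  sysctl -w kernel.randomize_va_space=1" >&2
            return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample files standing in for the sysctl entry.
tmpdir=$(mktemp -d)
printf '2\n' > "$tmpdir/rvs_full"
printf '1\n' > "$tmpdir/rvs_one"

# Demonstration: the first call refuses, the second lets the build go on.
check_brk_for_axiom "$tmpdir/rvs_full" || echo "build would stop here"
check_brk_for_axiom "$tmpdir/rvs_one" && echo "build may proceed"
```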
> I've just implemented it in the ebuild for axiom-200805.

Thanks a lot.

> The correct choices for toggling brk randomization should be 2 and 1

I can confirm now that 1 is sufficient for axiom with hardened-sources-2.6.25-r2 on x86 and amd64 (after many hours of compilation: some of these "running test file ..." (like tutchap2) need about 10 hours to compile with gcc-4.3.1 - I thought something was broken but finally they really finished).
(In reply to comment #16)
> I can confirm now that 1 is sufficient for axiom with
> hardened-sources-2.6.25-r2 on x86 and amd64

That's great news!

> (after many hours of compilation: Some of these "running test file ..."
> (like tutchap2) need about 10 hours to compile with gcc-4.3.1 - I thought
> something is broken but finally they really finished.)

Yeah, I really wish we could fold all of these tests into a separate "make test" facility, rather than going through all of them by default (the fact that the build system does not support parallel builds doesn't help either ;) ). Maybe I'll ping upstream to inquire if this would be possible. I guess this bug can then be closed?

Thanks, Markus
Hello. I _don't_ use a hardened kernel, but axiom still breaks, saying:

>>> Failed to emerge sci-mathematics/axiom-200805, Log file:
>>>  '/tmp/portage/sci-mathematics/axiom-200805/temp/build.log'
>>> Jobs: 0 of 1 complete, 1 failed    Load avg: 3.79, 2.60, 1.84
 * Your kernel has brk randomization enabled. This will

for your info.....
Seems to be fixed.