When building www-client/chromium-4.0.295.0 on a Gentoo Hardened box the build fails with error: export LD_LIBRARY_PATH=/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/lib.host:/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/lib.target:$LD_LIBRARY_PATH; cd v8/tools/gyp; mkdir -p /var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/obj.target/geni; "/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot" "/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/obj.target/geni/snapshot.cc" /bin/sh: line 1: 22008 Killed "/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot" "/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/obj.target/geni/snapshot.cc" make: *** [out/Release/obj.target/geni/snapshot.cc] Error 137 * * ERROR: www-client/chromium-4.0.295.0 failed. * Call stack: * ebuild.sh, line 49: Called src_compile * environment, line 2248: Called die * The specific snippet of code: * emake -r V=1 chrome chrome_sandbox BUILDTYPE=Release rootdir="${S}" CC=$(tc-getCC) CXX=$(tc-getCXX) AR=$(tc-getAR) RANLIB=$(tc-getRANLIB) || die "compilation failed" dmesg: [ 7175.553500] PAX: execution attempt in: <anonymous mapping>, 4b3f6000-4b497000 4b3f6000 [ 7175.553505] PAX: terminating task: /var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot(mksnapshot):22008, uid/euid: 0/0, PC: 4b4366c0, SP: b9e3da1c [ 7175.553512] PAX: bytes at PC: 55 8b ec 6a 02 6a 02 57 56 53 ff 35 94 aa 9b 1c 83 3d 9c aa [ 7175.553519] PAX: bytes at SP-4: [ 7175.553532] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot[mksnapshot:22008] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:22006] uid/euid:0/0 gid/egid:0/0 Reproducible: Always Steps to Reproduce: 1. emerge www-client/chromium-4.0.295.0 Actual Results: Pax kills mksnapshot which is built as part of the general build due to switching a executable bit. I have tried using paxctl to remove the restriction which does mean I can run that part by hand but then fails later. Expected Results: chromium builds. emerge --info Portage 2.1.6.13 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 i686) ================================================================= System uname: Linux-2.6.28-hardened-r9-i686-AMD_Athlon-tm-_Dual_Core_Processor_4850e-with-gentoo-1.12.13 Timestamp of tree: Fri, 22 Jan 2010 22:00:01 +0000 distcc 3.1 i686-pc-linux-gnu [disabled] app-shells/bash: 4.0_p35 dev-java/java-config: 2.1.10 dev-lang/python: 2.6.4 dev-util/cmake: 2.6.4-r3 sys-apps/baselayout: 1.12.13 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe -fforce-addr" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -O2 -pipe -fforce-addr" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://mirror.qubenet.net/mirror/gentoo/ " LDFLAGS="-Wl,-O1" LINGUAS="en_GB en" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="3dnow 3dnowext X a52 aac acl acpi alsa apache2 apm aspell bash-completion bittorrent bzip2 calendar cddb cdinstall cdparanoia cdr chroot clamav cli consolekit cracklib crypt css cups cvs cxx dbus dbx dedicated directfb dri dvd dvdr encode ffmpeg firefox fortran gdbm gif gimp glut gpm hardened hddtemp iconv java javascript jpeg jpeg2k kde latex log4j mad maildir mbox mhash midi mmx mmxext mng modules mp3 mpeg mplayer mudflap mysql ncurses nls nptl nptlonly nsplugin offensive ogg opengl openmp pam pax pcre pdf perl php pic pie png pppd python qt3support quicktime raw rdesktop readline reflection samba sdl server session spell spl sql sse sse2 ssh ssl subversion svg svnserve sysfs tcpd tetex threads tidy tiff truetype udev unicode urandom vcd videos vim-syntax vnc vorbis webkit win32codecs wmf x264 x86 xine xml xorg xv xvid xvmc zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard joystick evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa nv nvidia v4l" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Damien, could you check if you can build the upstream v8 project http://code.google.com/p/v8/ from source on the hardened machine? If not, could you report the bug upstream to v8 and post the link here?
I did to build scons which was an unmet requirement then: svn checkout http://v8.googlecode.com/svn/trunk/ v8-read-only Checked out revision 3825 cd v8-read-only scons Build completed. I had to install scons (defined as requirement in the docs). Then I tried building: www-client/chromium-5.0.307.5 I get: export LD_LIBRARY_PATH=/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/lib.host:/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/lib.target:$LD_LIBRARY_PATH; cd v8/tools/gyp; mkdir -p /var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/obj.target/geni; "/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/mksnapshot" "/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/obj.target/geni/snapshot.cc" /bin/sh: line 1: 19428 Killed "/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/mksnapshot" "/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Release/obj.target/geni/snapshot.cc" make: *** [out/Release/obj.target/geni/snapshot.cc] Error 137 * ERROR: www-client/chromium-5.0.307.5 failed: * compilation failed * * Call stack: * ebuild.sh, line 54: Called src_compile * environment, line 2626: Called die * The specific snippet of code: * emake -r V=1 chrome chrome_sandbox BUILDTYPE=Release rootdir="${S}" CC=$(tc-getCC) CXX=$(tc-getCXX) AR=$(tc-getAR) RANLIB=$(tc-getRANLIB) || die "compilation failed" It seems to be mksnapshot. If I paxctl -pemrxs then cd ../...../.. to the working directory and make the build continues but I get this: ... ... CXX(host) out/Debug/obj.host/v8_base/v8/src/ia32/register-allocator-ia32.o CXX(host) out/Debug/obj.host/v8_base/v8/src/ia32/stub-cache-ia32.o CXX(host) out/Debug/obj.host/v8_base/v8/src/ia32/virtual-frame-ia32.o CXX(host) out/Debug/obj.host/v8_base/v8/src/platform-linux.o CXX(host) out/Debug/obj.host/v8_base/v8/src/platform-posix.o AR+RANLIB(host) out/Debug/obj.host/v8/tools/gyp/libv8_base.a CXX(host) out/Debug/obj.host/mksnapshot/v8/src/mksnapshot.o LINK(host) out/Debug/mksnapshot ACTION v8_snapshot_run_mksnapshot out/Debug/obj.target/geni/snapshot.cc /bin/sh: line 1: 28432 Killed "/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Debug/mksnapshot" "/var/tmp/portage/www-client/chromium-5.0.307.5/work/chromium-5.0.307.5/out/Debug/obj.target/geni/snapshot.cc" make: *** [out/Debug/obj.target/geni/snapshot.cc] Error 137
Sorry for the delay. Would it help if I tar+gz /var/tmp/ files?
No, please just report the problem upstream and post a link here.
http://code.google.com/p/v8/issues/detail?id=607
Thanks, I am now monitoring the upstream report. However, could you make sure all the relevant info is copied to the upstream report, not just linked?
Please leave bug open for hardened team to track.
chromium-4.* is not in portage anymore, but (judging from the comments) it seems this bug happens to newer versions as well. Thus, I suggest to remove the version number from the bug summary. Otherwise, people might think this bug should be closed because the version is too old.
Thanks for the report. I adjusted the ebuilds for chromium-9999 and chromium-5.0.371.0 and tested the fix on my (headless) hardened x86 system. If there are some problems that manifest after launching the browser on a hardened system, please open a new bug. In that case, please also post the paxctl or equivalent calls that fix the problem for you (if possible).
