Bug 302589 - net-im/skype: Upstream binary integrity check prevents paxmarking
Summary: net-im/skype: Upstream binary integrity check prevents paxmarking
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL: https://jira.skype.com/browse/SCL-616
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-28 10:07 UTC by Samuli Suominen (RETIRED)
Modified: 2012-06-17 22:09 UTC (History)
CC List: 9 users

See Also:
Package list:
Runtime testing required: ---


Attachments
own ebuild (skype-2.2.0.25.ebuild,2.74 KB, text/plain)
2011-05-13 17:50 UTC, mori rámar

Description Samuli Suominen (RETIRED) gentoo-dev 2010-01-28 10:07:46 UTC
This was removed from latest net-im/skype ebuild:

# remove mprotect() restrictions for PaX usage - see Bug 100507
pax-mark m "${S}"/skype

Because when it's present, Skype won't start anymore on a non-hardened amd64 system; it only displays an error dialog box telling you to "Reinstall skype because it's corrupted."

I guess this means Skype will no longer work on hardened, and it should be masked in the profiles.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-01-28 10:09:16 UTC
Also, it will be the only skype left in Portage soon as bug 301924 is done.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-02-11 10:00:04 UTC
Some feedback from a hardened@ dev would be nice; I have no means to test this myself.
Comment 3 Xake 2010-02-14 23:56:47 UTC
Some random hardened people have had a go at this, and the only conclusion I have made is that skype has a tampering-protection that changing pax flags triggers. This results in skype being dead on hardened.

This is in the end gengors call, but I think masking is the only option unless someone finds something we have missed.
Comment 4 Alex Efros 2010-02-28 15:01:41 UTC
Maybe a workaround is to just keep some older skype version in portage for hardened? net-im/skype-2.0.0.72 works for me just fine.
Comment 5 Alex Efros 2010-02-28 15:49:16 UTC
Reported upstream: https://developer.skype.com/jira/browse/SCL-616
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-02-28 16:14:01 UTC
(In reply to comment #4)
> Maybe a workaround is to just keep some older skype version in portage for hardened?
> net-im/skype-2.0.0.72 works for me just fine.
> 

Can't be done, the distfile isn't available for download anymore. Upstream deleted it.
Comment 7 Alex Efros 2010-02-28 16:31:55 UTC
(In reply to comment #6)
> Can't be done, the distfile isn't available for download anymore. Upstream
> deleted it.

And so what? I have it, and many other people have it too. Why not keep it in portage mirrors too, even if upstream deleted it?
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2010-02-28 16:44:32 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Can't be done, the distfile isn't available for download anymore. Upstream
> > deleted it.
> 
> And so what? I have it, and many other people have it too. Why not keep it in portage
> mirrors too, even if upstream deleted it?
> 

EULA says: "You will not sell, assign, rent, lease, distribute, export, import, act as an intermediary or provider, or otherwise grant rights to third parties with regard to the Skype Software or any part thereof. For the right to distribute you will have to agree to and meet with the Distribution Terms"

Now, I'm not a lawyer, nor did I put the mirror restriction there in the first place, but it's not clear to me what these "Distribution Terms" they mean are, nor am I willing to find out, because I don't care about supporting old versions of binary-only software; it's pain enough as is.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2010-02-28 16:58:17 UTC
Masked and closing.
Comment 10 Marcin Szamotulski 2010-03-24 07:50:56 UTC
(In reply to comment #9)
> Masked and closing.
> 

There are two solutions for this problem given by a skype developer:
https://developer.skype.com/jira/browse/SCL-616
Can any of them be applied to this situation?

Comment 11 Marcin Szamotulski 2010-03-24 07:51:47 UTC
(In reply to comment #9)
> Masked and closing.
> 

There are two solutions for this problem given by a skype developer:
https://developer.skype.com/jira/browse/SCL-616
Can any of them be applied to this situation?

Comment 12 Samuli Suominen (RETIRED) gentoo-dev 2010-03-24 09:28:31 UTC
(In reply to comment #11)
> There are two solutions for this problem given by a skype developer:
> https://developer.skype.com/jira/browse/SCL-616
> Can any of them be applied to this situation?
> 

What do you mean? All I see is "There are no comments yet on this issue."
Comment 13 Alex Efros 2010-03-24 09:32:48 UTC
(In reply to comment #11)
> There are two solutions for this problem given by a skype developer:
> https://developer.skype.com/jira/browse/SCL-616
> Can any of them be applied to this situation?

I'm unable to see any changes to this ticket; there are no comments from skype developers, or they are hidden from non-developers. Can you copy&paste these solutions here?
Comment 14 Marcin Szamotulski 2010-03-25 11:54:48 UTC
Sorry, I think I misunderstood the clue.
Comment 15 Alex Efros 2010-08-04 13:15:08 UTC
Upstream changed the URL for this bug report:
https://jira.skype.com/browse/SCL-616

still unresolved :(
Comment 16 Samuli Suominen (RETIRED) gentoo-dev 2011-04-07 14:02:49 UTC
Old versions here:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-im/skype/?hideattic=0

And new skype 2.2.0.5 was released today; even though the upstream bug is still unresolved, it might be worth trying "pax-mark m /path/to/skype" on the binary in the ebuild's src_install()

like for example this ebuild still did:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-im/skype/skype-2.0.0.72.ebuild?hideattic=0&revision=1.3&view=markup
Comment 17 Alex Efros 2011-04-07 15:04:37 UTC
(In reply to comment #16)
> And new skype 2.2.0.5 was released today; even though the upstream bug is still
> unresolved, it might be worth trying "pax-mark m /path/to/skype" on the binary
> in the ebuild's src_install()

Without `chpax -m` it is unable to run.
With it, it shows the error 'binary file corrupted, please reinstall skype'.

So, skype on hardened still doesn't work.

P.S. Maybe this bug shouldn't be in 'resolved' state?
Comment 18 Francisco Blas Izquierdo Riera gentoo-dev 2011-04-07 15:21:09 UTC
(In reply to comment #17)
> Without `chpax -m` it is unable to run.
> With it, it shows the error 'binary file corrupted, please reinstall skype'.
> 
> So, skype on hardened still doesn't work.
It works "just use a supported kernel"™.

chpax will change the ELF in a bad way, and this is a bad idea; that's why paxctl is in place and why you shouldn't use legacy marking (and chpax) at all.
Comment 19 Alex Efros 2011-04-07 15:34:58 UTC
(In reply to comment #18)
> It works "just use a supported kernel"™.

It works "just use a gtalk"™.

> chpax will change the ELF in a bad way, and this is a bad idea; that's why paxctl
> is in place and why you shouldn't use legacy marking (and chpax) at all.

I've also tried `paxctl -c` + `paxctl -m` - nothing changed.
Comment 20 Francisco Blas Izquierdo Riera gentoo-dev 2011-04-07 15:51:01 UTC
(In reply to comment #19)
> (In reply to comment #18)
> > It works "just use a supported kernel"™.
> 
> It works "just use a gtalk"™.
People don't like Drepper jokes :P

> > chpax will change the ELF in a bad way, and this is a bad idea; that's why paxctl
> > is in place and why you shouldn't use legacy marking (and chpax) at all.
> 
> I've also tried `paxctl -c` + `paxctl -m` - nothing changed.
Do you have TPE? TPE is known for giving issues with skype too. And an only paxctled binary shouldn't give any kind of corruption issue.

Having your kernel config (PAX and TPE parts) would be very useful too.
Comment 21 Alex Efros 2011-04-07 16:10:27 UTC
(In reply to comment #20)
> And an only paxctled binary shouldn't give any kind of corruption issue.

Yes, yes, yes! I think so too! Sadly, but Skype doesn't agree with us. :(

> Having your kernel config (PAX and TPE parts) would be very useful too.

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
# CONFIG_GRKERNSEC_HARDENED_SERVER is not set
# CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC is not set
# CONFIG_GRKERNSEC_HARDENED_WORKSTATION is not set
# CONFIG_GRKERNSEC_HARDENED_WORKSTATION_NO_RBAC is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_VM86=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_RWXMAP_LOG is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_HARDEN_PTRACE is not set
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_ARCH_TRACK_EXEC_LIMIT=y
CONFIG_PAX_ENABLE_PAE=y
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ELFRELOCS=y
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_IMA is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_CRYPTO=y
Comment 22 Francisco Blas Izquierdo Riera gentoo-dev 2011-04-09 22:18:48 UTC
Ok I can confirm that :(

Seems like skype is somehow checking the binary integrity and adding the flags breaks the integrity checks.

Only option is either disabling legacy pax marking (CONFIG_PAX_EI_PAX) so PaX isn't enabled for unmarked files (i.e. skype) or disabling the flags through a MAC system.

And before anybody asks no I'm not going to try cracking the antitampering system.
Comment 23 Samuli Suominen (RETIRED) gentoo-dev 2011-05-02 15:55:19 UTC
*** Bug 365727 has been marked as a duplicate of this bug. ***
Comment 24 Francisco Blas Izquierdo Riera gentoo-dev 2011-05-02 18:30:09 UTC
This has generated new discussion on Gentoo Hardened and I tried paxmarking the binary, which turned out to work as expected, so I'm closing as FIXED.
Comment 25 Samuli Suominen (RETIRED) gentoo-dev 2011-05-02 18:38:37 UTC
(In reply to comment #24)
> This has generated new discussion on Gentoo Hardened and I tried paxmarking the
> binary which turned out to work out as expected so I'm closing as FIXED
 
Not sure what you mean; it's not fixed before the fix hits Portage.  Note the paxmarking breaks non-hardened... unless that somehow magically fixed itself?
Comment 26 Francisco Blas Izquierdo Riera gentoo-dev 2011-05-02 19:21:38 UTC
(In reply to comment #25)
> (In reply to comment #24)
> > This has generated new discussion on Gentoo Hardened and I tried paxmarking the
> > binary which turned out to work out as expected so I'm closing as FIXED
> 
> Not sure what you mean, it's not fixed before the fix hits Portage.  Note the
> paxmarking breaks non-hardened... unless that somehow magically fixed itself?

It has :P Try it out and you'll see ;) Looks like the check was done by the code skype downloads.
Comment 27 Alex Efros 2011-05-02 19:39:08 UTC
(In reply to comment #26)
> It has :P Try it out and you'll see ;) Looks like the check was done by the
> code skype downloads.

I've just re-emerged skype:

# ACCEPT_KEYWORDS=~x86 emerge -av skype

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-im/skype-2.2.0.25  USE="-qt-static" 22,518 kB

But nothing is changed. If it is executed as-is, it's "Killed". If I do either chpax -m or paxctl -c && paxctl -m, it says "binary file corrupted, please reinstall skype".
Comment 28 Francisco Blas Izquierdo Riera gentoo-dev 2011-05-02 19:41:48 UTC
(In reply to comment #27)
> (In reply to comment #26)
> > It has :P Try it out and you'll see ;) Looks like the check was done by the
> > code skype downloads.
> 
> I've just re-emerged skype:
> 
> # ACCEPT_KEYWORDS=~x86 emerge -av skype
> 
> These are the packages that would be merged, in order:
> 
> Calculating dependencies... done!
> [ebuild   R   ] net-im/skype-2.2.0.25  USE="-qt-static" 22,518 kB
> 
> But nothing is changed. If it is executed as-is, it's "Killed". If I do either
> chpax -m or paxctl -c && paxctl -m, it says "binary file corrupted, please
> reinstall skype".

Try paxctl -C please
Comment 29 Alex Efros 2011-05-03 04:11:20 UTC
(In reply to comment #28)
> Try paxctl -C please

Wow. -C & -m really works; skype started, I've seen the window with the contacts list, it was connecting… then I think it connected and immediately crashed:

*** glibc detected *** ./skype: malloc(): memory corruption: 0x9e846320 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6b931)[0xa3842931]
/lib/libc.so.6(+0x6e75d)[0xa384575d]
/lib/libc.so.6(__libc_malloc+0x5c)[0xa384736c]
/usr/lib/gcc/i686-pc-linux-gnu/4.4.5/libstdc++.so.6(_Znwj+0x32)[0xa3a2cd22]
/usr/lib/gcc/i686-pc-linux-gnu/4.4.5/libstdc++.so.6(_Znaj+0x29)[0xa3a2ce89]
./skype[0x898cfcb]
======= Memory map: ========
08047000-09419000 rwxp 00000000 08:06 5457768    /opt/skype/skype
09419000-094a7000 rw-p 013d1000 08:06 5457768    /opt/skype/skype
094a7000-09b36000 rw-p 00000000 00:00 0          [heap]
99900000-999bd000 rw-p 00000000 00:00 0 
999bd000-99a00000 ---p 00000000 00:00 0 
99b00000-99bce000 rw-p 00000000 00:00 0 
99bce000-99c00000 ---p 00000000 00:00 0 
99cfe000-99cff000 ---p 00000000 00:00 0 
99cff000-9a4ff000 rwxp 00000000 00:00 0 
9a4ff000-9a500000 ---p 00000000 00:00 0 
9a500000-9ad00000 rwxp 00000000 00:00 0 
9b900000-9b9fe000 rw-p 00000000 00:00 0 
9b9fe000-9ba00000 ---p 00000000 00:00 0 
9bb00000-9bbfe000 rw-p 00000000 00:00 0 
9bbfe000-9bc00000 ---p 00000000 00:00 0 
9c500000-9c5fe000 rw-p 00000000 00:00 0 
9c5fe000-9c600000 ---p 00000000 00:00 0 
9c600000-9c6fe000 rw-p 00000000 00:00 0 
9c6fe000-9c700000 ---p 00000000 00:00 0 
9c700000-9c7fe000 rw-p 00000000 00:00 0 
9c7fe000-9c800000 ---p 00000000 00:00 0 
9c800000-9c8fe000 rw-p 00000000 00:00 0 
9c8fe000-9c900000 ---p 00000000 00:00 0 
9c900000-9c9fe000 rw-p 00000000 00:00 0 
9c9fe000-9ca00000 ---p 00000000 00:00 0 
9ca00000-9cafe000 rw-p 00000000 00:00 0 
9cafe000-9cb00000 ---p 00000000 00:00 0 
9cb00000-9cbfe000 rw-p 00000000 00:00 0 
9cbfe000-9cc00000 ---p 00000000 00:00 0 
9cd00000-9cdfe000 rw-p 00000000 00:00 0 
9cdfe000-9ce00000 ---p 00000000 00:00 0 
9ceff000-9cf00000 ---p 00000000 00:00 0 
9cf00000-9d700000 rwxp 00000000 00:00 0 
9d700000-9d7fe000 rw-p 00000000 00:00 0 
9d7fe000-9d800000 ---p 00000000 00:00 0 
9d900000-9d9fe000 rw-p 00000000 00:00 0 
9d9fe000-9da00000 ---p 00000000 00:00 0 
9da00000-9dafe000 rw-p 00000000 00:00 0 
9dafe000-9db00000 ---p 00000000 00:00 0 
9db00000-9dbfe000 rw-p 00000000 00:00 0 
9dbfe000-9dc00000 ---p 00000000 00:00 0 
9dc00000-9dcfe000 rw-p 00000000 00:00 0 
9dcfe000-9dd00000 ---p 00000000 00:00 0 
9dd00000-9ddfe000 rw-p 00000000 00:00 0 
9ddfe000-9de00000 ---p 00000000 00:00 0 
9df00000-9dffe000 rw-p 00000000 00:00 0 
9dffe000-9e000000 ---p 00000000 00:00 0 
9e07f000-9e080000 ---p 00000000 00:00 0 
9e080000-9e100000 rwxp 00000000 00:00 0 
9e300000-9e3e9000 rw-p 00000000 00:00 0 
9e3e9000-9e400000 ---p 00000000 00:00 0 
9e500000-9e5e5000 rw-p 00000000 00:00 0 
9e5e5000-9e600000 ---p 00000000 00:00 0 
9e600000-9e6e6000 rw-p 00000000 00:00 0 
9e6e6000-9e700000 ---p 00000000 00:00 0 
9e800000-9e8e5000 rw-p 00000000 00:00 0 
9e8e5000-9e900000 ---p 00000000 00:00 0 
9ea00000-9eae6000 rw-p 00000000 00:00 0 
9eae6000-9eb00000 ---p 00000000 00:00 0 
9ec00000-9ece6000 rw-p 00000000 00:00 0 
9ece6000-9ed00000 ---p 00000000 00:00 0 
9ee00000-9eee5000 rw-p 00000000 00:00 0 
9eee5000-9ef00000 ---p 00000000 00:00 0 
9f000000-9f0e6000 rw-p 00000000 00:00 0 
9f0e6000-9f100000 ---p 00000000 00:00 0 
9f17f000-9f180000 ---p 00000000 00:00 0 
9f180000-9f200000 rwxp 00000000 00:00 0 
9f200000-9f2ed000 rw-p 00000000 00:00 0 
9f2ed000-9f300000 ---p 00000000 00:00 0 
9f37f000-9f380000 ---p 00000000 00:00 0 
9f380000-9f400000 rwxp 00000000 00:00 0 
9f400000-9f500000 rw-p 00000000 00:00 0 
9f501000-9f57e000 rw-p 00000000 00:00 0 
9f57e000-9f57f000 ---p 00000000 00:00 0 
9f57f000-9f5ff000 rwxp 00000000 00:00 0 
9f5ff000-9f600000 ---p 00000000 00:00 0 
9f600000-a1600000 rwxp 00000000 00:00 0 
a1600000-a16a6000 rw-p 00000000 00:00 0 
a16a6000-a1700000 ---p 00000000 00:00 0 
a174c000-a174d000 ---p 00000000 00:00 0 
a174d000-a1f4d000 rwxp 00000000 00:00 0 
a1f4d000-a1f4e000 ---p 00000000 00:00 0 
a1f4e000-a274e000 rwxp 00000000 00:00 0 
a274e000-a274f000 ---p 00000000 00:00 0 
a274f000-a27cf000 rwxp 00000000 00:00 0 
a27cf000-a27d0000 ---p 00000000 00:00 0 
a27d0000-a2850000 rwxp 00000000 00:00 0 
a2850000-a2851000 ---p 00000000 00:00 0 
a2851000-a28d1000 rwxp 00000000 00:00 0 
a28d1000-a28d2000 ---p 00000000 00:00 0 
a28d2000-a2952000 rwxp 00000000 00:00 0 
a2952000-a29ed000 r--p 00000000 08:06 5530777    /usr/share/fonts/dejavu/DejaVuSans-Bold.ttf
a29ed000-a2a94000 r--p 00000000 08:06 5530803    /usr/share/fonts/dejavu/DejaVuSans.ttf
a2a94000-a2af6000 r-xp 00000000 08:06 24584      /usr/lib/libtiff.so.3.9.4
a2af6000-a2af8000 r--p 00061000 08:06 24584      /usr/lib/libtiff.so.3.9.4
a2af8000-a2af9000 rw-p 00063000 08:06 24584      /usr/lib/libtiff.so.3.9.4
a2af9000-a2b51000 r-xp 00000000 08:06 6103142    /usr/lib/qt4/libQtSvg.so.4.6.3
a2b51000-a2b53000 r--p 00057000 08:06 6103142    /usr/lib/qt4/libQtSvg.so.4.6.3
a2b53000-a2b54000 rw-p 00059000 08:06 6103142    /usr/lib/qt4/libQtSvg.so.4.6.3
a2b54000-a2bba000 r-xp 00000000 08:06 5735299    /usr/lib/libmng.so.1.0.0
a2bba000-a2bbd000 r--p 00065000 08:06 5735299    /usr/lib/libmng.so.1.0.0
a2bbd000-a2bbe000 rw-p 00068000 08:06 5735299    /usr/lib/libmng.so.1.0.0
a2bd1000-a2bd2000 rw-p 00000000 00:00 0 
a2bd2000-a2bd7000 rw-s 00000000 00:0b 1094       /dev/snd/pcmC0D0p
a2bd7000-a2bdc000 rw-s 00000000 00:0b 1094       /dev/snd/pcmC0D0p
a2bdc000-a2c19000 r-xp 00000000 08:06 5538056    /usr/lib/libjpeg.so.8.0.2
a2c19000-a2c1a000 r--p 0003d000 08:06 5538056    /usr/lib/libjpeg.so.8.0.2
a2c1a000-a2c1b000 rw-p 0003e000 08:06 5538056    /usr/lib/libjpeg.so.8.0.2
a2c1b000-a2c20000 rw-s 00000000 00:0b 1094       /dev/snd/pcmC0D0p
a2c20000-a2c25000 rw-s 00000000 00:0b 1094       /dev/snd/pcmC0D0p
a2c25000-a2c26000 rw-s 81000000 00:0b 1094       /dev/snd/pcmC0D0p
a2c26000-a2c27000 r--s 80000000 00:0b 1094       /dev/snd/pcmC0D0p
a2c27000-a2c28000 rw-s 81000000 00:0b 1094       /dev/snd/pcmC0D0p
a2c28000-a2c29000 r--s 80000000 00:0b 1094       /dev/snd/pcmC0D0p
a2c29000-a2c30000 r-xp 00000000 08:06 6276033    /usr/lib/qt4/plugins/imageformats/libqtiff.so
a2c30000-a2c31000 r--p 00006000 08:06 6276033    /usr/lib/qt4/plugins/imageformats/libqtiff.so
a2c31000-a2c32000 rw-p 00007000 08:06 6276033    /usr/lib/qt4/plugins/imageformats/libqtiff.so
a2c32000-a2c37000 r-xp 00000000 08:06 6276806    /usr/lib/qt4/plugins/imageformats/libqmng.so
a2c37000-a2c38000 r--p 00005000 08:06 6276806    /usr/lib/qt4/plugins/imageformats/libqmng.so
a2c38000-a2c39000 rw-p 00006000 08:06 6276806    /usr/lib/qt4/plugins/imageformats/libqmng.so
a2c39000-a2c59000 r--p 00000000 08:06 5457975    /opt/skype/lang/skype_ru.qm
a2c59000-a2c5a000 ---p 00000000 00:00 0 
a2c5a000-a2cda000 rwxp 00000000 00:00 0 
a2cda000-a2cdb000 ---p 00000000 00:00 0 
a2cdb000-a2d5b000 rwxp 00000000 00:00 0 
a2d5b000-a2d68000 r-xp 00000000 08:06 5669319    /usr/lib/libXi.so.6.1.0
a2d68000-a2d69000 r--p 0000d000 08:06 5669319    /usr/lib/libXi.so.6.1.0
a2d69000-a2d6a000 rw-p 0000e000 08:06 5669319    /usr/lib/libXi.so.6.1.0
a2d6a000-a2d6e000 r-xp 00000000 08:06 5546333    /usr/lib/libXfixes.so.3.1.0
a2d6e000-a2d6f000 r--p 00003000 08:06 5546333    /usr/lib/libXfixes.so.3.1.0
a2d6f000-a2d70000 rw-p 00004000 08:06 5546333    /usr/lib/libXfixes.so.3.1.0
a2d70000-a2d71000 rw-s 81000000 00:0b 1094       /dev/snd/pcmC0D0p
a2d71000-a2d72000 r--s 80000000 00:0b 1094       /dev/snd/pcmC0D0p
a2d72000-a2d7a000 r-xp 00000000 08:06 6276039    /usr/lib/qt4/plugins/imageformats/libqjpeg.so
a2d7a000-a2d7b000 r--p 00007000 08:06 6276039    /usr/lib/qt4/plugins/imageformats/libqjpeg.so
a2d7b000-a2d7c000 rw-p 00008000 08:06 6276039    /usr/lib/qt4/plugins/imageformats/libqjpeg.so
a2d7c000-a2d83000 r-xp 00000000 08:06 6276040    /usr/lib/qt4/plugins/imageformats/libqico.so
a2d83000-a2d84000 r--p 00006000 08:06 6276040    /usr/lib/qt4/plugins/imageformats/libqico.so
a2d84000-a2d85000 rw-p 00007000 08:06 6276040    /usr/lib/qt4/plugins/imageformats/libqico.so
a2d85000-a2d8b000 r-xp 00000000 08:06 6276031    /usr/lib/qt4/plugins/imageformats/libqgif.so
a2d8b000-a2d8c000 ---p 00006000 08:06 6276031    /usr/lib/qt4/plugins/imageformats/libqgif.so
a2d8c000-a2d8d000 r--p 00006000 08:06 6276031    /usr/lib/qt4/plugins/imageformats/libqgif.so
a2d8d000-a2d8e000 rw-p 00007000 08:06 6276031    /usr/lib/qt4/plugins/imageformats/libqgif.so
a2d8e000-a2db9000 r--p 00000000 08:06 6129535    /usr/share/locale/ru/LC_MESSAGES/libc.mo
a2db9000-a2dbf000 r--s 00000000 08:06 5187694    /var/cache/fontconfig/87f5e051180a7a75f16eb6fe7dbd3749-le32d4.cache-

But I suppose this is another issue.
Comment 30 Alex Efros 2011-05-03 08:03:33 UTC
(In reply to comment #29)
> Wow. -C & -m really works; skype started, I've seen the window with the contacts list,
> it was connecting… then I think it connected and immediately crashed:

2.1.0.81 works just fine.
Comment 31 Francisco Blas Izquierdo Riera gentoo-dev 2011-05-03 13:39:24 UTC
(In reply to comment #29)
> (In reply to comment #28)
> > Try paxctl -C please
> 
> Wow. -C & -m really works; skype started, I've seen the window with the contacts list,
> it was connecting… then I think it connected and immediately crashed:
Did you enable trampolines?
Comment 32 Alex Efros 2011-05-03 14:24:43 UTC
(In reply to comment #31)
> Did you enable trampolines?

# zgrep TRAMP /proc/config.gz
CONFIG_X86_TRAMPOLINE=y
# CONFIG_PAX_EMUTRAMP is not set
Comment 33 Francisco Blas Izquierdo Riera gentoo-dev 2011-05-03 14:33:33 UTC
(In reply to comment #32)
> (In reply to comment #31)
> > Did you enable trampolines?
> 
> # zgrep TRAMP /proc/config.gz
> CONFIG_X86_TRAMPOLINE=y
> # CONFIG_PAX_EMUTRAMP is not set

Mind trying enabling it and setting it with paxctl?

Also if it keeps failing try with static libs ;)
Comment 34 Alex Efros 2011-05-03 16:07:36 UTC
(In reply to comment #33)
> Mind trying enabling it and setting it with paxctl?

Not really, because I've no idea what it is. And according to the kernel help, it's better to keep it switched off. And no other app on my workstation needs it. And there were no hints in the kernel log about this. And skype-2.1.0.81 works without it just fine too.

But you were right. Enabling CONFIG_PAX_EMUTRAMP fixed that crash with skype-2.2.0.25, so it now works too. But this is black magic beyond good and evil - how the hell can I guess I need it?! How about adding a few ewarn hints to the skype ebuild for other stupid people like me? :-) Also, having paxmarking in the ebuild would be nice to have too.
Comment 35 Francisco Blas Izquierdo Riera gentoo-dev 2011-05-09 01:54:16 UTC
(In reply to comment #34)
> (In reply to comment #33)
> > Mind trying enabling it and setting it with paxctl?
> 
> Not really, because I've no idea what it is. And according to the kernel
> help, it's better to keep it switched off. And no other app on my workstation needs
> it. And there were no hints in the kernel log about this. And skype-2.1.0.81 works
> without it just fine too.
So long as trampoline emulation is disabled by default you should be fine. Trampolines are small pieces of executable code placed on the stack to access the variables of nested functions and the like. It is dirty as hell but, as always, it works.

> But you were right. Enabling CONFIG_PAX_EMUTRAMP fixed that crash with
> skype-2.2.0.25, so it now works too. But this is black magic beyond good and
> evil
MWAHAHAHAHAHAHA FEAR THE POWER OF GENTOO HARDENED MERE MORTAL! :P

> how the hell can I guess I need it?!
I guessed from some references coming from other users on #gentoo-hardened; as I don't need it, maybe you are using x86?
> How about adding a few ewarn hints to the
> skype ebuild for other stupid people like me? :-) Also, having paxmarking in the
> ebuild would be nice to have too.
I'm ok with adding the ewarns. Regarding marking, this is still being discussed, as skype (in this case) is a clear example of an application having issues with chpax, so markings can't be added that easily.

@Hardened maybe I should add a reference to all this in the FAQ?
Comment 36 Alex Efros 2011-05-09 08:37:35 UTC
(In reply to comment #35)
> MWAHAHAHAHAHAHA FEAR THE POWER OF GENTOO HARDENED MERE MORTAL! :P
;-) 
> I guessed by some references coming from other users on #gentoo-hardened, as I
> don't need it, maybe you are using x86?
Yes.
Comment 37 PaX Team 2011-05-11 20:28:02 UTC
i don't see how trampolines have anything to do with the second issue reported here, skype works for me without it. maybe because i'm on gcc 4.5.x and its libstdc++, and that plays a role here...?
Comment 38 mori rámar 2011-05-13 17:50:15 UTC
Created attachment 273119 [details]
own ebuild

I tested paxctl -Cm /opt/skype/skype and it works. But I'm not sure why it is still set as UPSTREAM; maybe we should reopen it.

Before the packages are unmasked, I hope the ebuild can help. Just add a line:
pax-mark Cm ${ED}/opt/skype/skype
Comment 39 Khumba 2012-03-04 02:29:44 UTC
Thanks for the ebuild, Mori!

Could I request that this bug be reopened until "pax-mark Cm" is added to the ebuild please?  Those flags make Skype run fine for me on amd64 hardened.
Comment 40 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-03-04 03:57:34 UTC
I added it to the ebuild for skype-2.2.0.35-r1.
Comment 41 Khumba 2012-03-04 06:43:20 UTC
Ah indeed, just recently too, I should have checked first.  Thanks.
Comment 42 PaX Team 2012-03-04 10:37:41 UTC
(In reply to comment #40)
> I added it to the ebuild for skype-2.2.0.35-r1.

uhm, didn't we establish that these self-checks cannot be fixed by paxctl and the xattr method is the right way of handling skype?
Comment 43 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2012-03-04 21:41:17 UTC
It used to be the case (that skype checked itself), but now it doesn't seem to.
Comment 44 Alex Efros 2012-03-04 22:13:08 UTC
(In reply to comment #43)
> It used to be the case (that skype checked itself), but now it doesn't seem
> to.

It does check itself. After paxctl -cm or chpax -m it will refuse to run because of changed binary. But paxctl -Cm works just fine.
Comment 45 Federico Pires 2012-06-15 18:49:03 UTC
Hello,

I have 2.2.0.35-r1 with the qt-static flag on my hardened amd64 multilib laptop, and it works fine. Recently I tried upgrading to the new Skype 4.0.0.7-r2 version with the qt-static flag set. When doing the pax-marking it fails with this error:

file skype is not a valid ELF executable (invalid PT_ entry:6)

Tried paxctl -Cm and -c too.

I downloaded the non-static version from upstream, and pax-marking the binary works fine, though I didn't test running skype since I don't have Qt on my system, and I'm not planning to install it either.

Regards,


Portage 2.1.10.49 (hardened/linux/amd64, gcc-4.5.3, glibc-2.14.1-r3, 3.4.2-hardened-glentoo x86_64)
=================================================================
System uname: Linux-3.4.2-hardened-glentoo-x86_64-Intel-R-_Core-TM-_i3_CPU_M_370_@_2.40GHz-with-gentoo-2.1
Timestamp of tree: Fri, 15 Jun 2012 17:00:01 +0000
ccache version 3.1.7 [disabled]
app-shells/bash:          4.2_p20
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/ccache:          3.1.7
dev-util/cmake:           2.8.7-r5
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.10.3
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.10.3, 1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.6
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r3
Repositories: gentoo glentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -march=core2 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask-write"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.localhost.net.ar/ ftp://mirrors.localhost.net.ar/pub/mirrors/gentoo/"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en es"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X aac acl acpi alsa amd64 bash-completion berkdb branding bzip2 cdr cli consolekit cracklib crypt cups cxx dbus device-mapperi dhcpcd dri dvd dvdr ffmpeg flac gdbm gnome gnome-keyring gpm gstreamer gtk hardened iconv jack jpeg jpeg2k justify libnotify libv4l mms mmx modules mp3 mpeg mudflap multilib nautilus ncurses networkmanager nls nptl nsplugin ogg opengl openmp pam pax_kernel pcre png policykit pppd pulseaudio readline session sse sse2 sse4a ssl ssse3 syslog tcpd threads udev unicode urandom v4l xinerama xorg zlib" ALSA_CARDS="hda_intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en es" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 46 PaX Team 2012-06-17 22:09:29 UTC
(In reply to comment #45)
> file skype is not a valid ELF executable (invalid PT_ entry:6)

it's skype's toolchain that produces an invalid ELF file and the strict checks in paxctl catch it.
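Added example (Python; not paxctl, chpax, Gentoo's pax-mark or anything posted in this bug) modelling the two in-file marking methods the thread argues about: the legacy EI_PAX bytes that chpax writes into e_ident (comments 18 and 22) and the PT_PAX_FLAGS program header that paxctl -c creates from PT_GNU_STACK (comments 27, 28 and 44), plus the kind of strict program-header sanity check that refuses a malformed table before writing (comment 46). Both in-file methods change the file's bytes, so a self-check that hashes the executable will see either of them; the xattr method comment 42 refers to (the user.pax.flags attribute) lives in filesystem metadata and leaves the content hash untouched. The ELF image is a constructed minimal sample; the PT_PAX_FLAGS value, the PF_* bits, the EI_PAX slot and the xattr name are taken from the PaX elf.h and kernel as I know them and are assumptions here, and since the page does not say what paxctl -C does differently from -c, that is not modelled.

```python
"""PaX markings in an ELF file: where they live and why in-file marking alters the bytes.

Added example for this bug thread; it is not paxctl, chpax or Gentoo's pax-mark.
The ELF image built below is a constructed minimal sample. PT_PAX_FLAGS, the PF_*
bits and the EI_PAX e_ident slot follow the PaX elf.h definitions as I know them;
treat them as assumptions rather than a specification quote.
"""
import hashlib
import struct

PT_LOAD, PT_NOTE = 1, 4
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580   # PaX-specific program header type written by paxctl
EI_PAX = 14                 # e_ident slot used by the legacy (chpax / EI_PAX) marking

# PT_PAX_FLAGS p_flags bits in paxctl's letter convention: upper = enable, lower = disable.
PAX_BITS = {"P": 1 << 4, "p": 1 << 5,      # PAGEEXEC
            "S": 1 << 6, "s": 1 << 7,      # SEGMEXEC
            "M": 1 << 8, "m": 1 << 9,      # MPROTECT
            "X": 1 << 10, "x": 1 << 11,    # RANDEXEC
            "E": 1 << 12, "e": 1 << 13,    # EMUTRAMP
            "R": 1 << 14, "r": 1 << 15}    # RANDMMAP
# Legacy EI_PAX word: a set bit disables the feature, so "chpax -m" sets the MPROTECT bit.
LEGACY_BITS = {"p": 1, "e": 2, "m": 4, "r": 8, "x": 16, "s": 32}

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 Phdr, 56 bytes


def build_sample_elf() -> bytes:
    """Constructed ELF64 image: header, three program headers, 64 bytes of payload."""
    phnum, phoff = 3, EHDR.size
    payload_off = phoff + phnum * PHDR.size
    payload = b"\x90" * 64
    total = payload_off + len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)       # ELFCLASS64, LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 2, 62, 1, 0x400000 + payload_off, phoff, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdrs = (PHDR.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, total, total, 0x1000)
             + PHDR.pack(PT_NOTE, 4, payload_off, 0x400000 + payload_off,
                         0x400000 + payload_off, 0, 0, 8)
             + PHDR.pack(PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16))
    return ehdr + phdrs + payload


def program_headers(elf: bytes) -> list:
    """Parse the program header table into one dict per entry."""
    hdr = EHDR.unpack_from(elf)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 2:
        raise ValueError("not an ELF64 image")
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(elf):
        raise ValueError("program header table is malformed")
    keys = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    return [dict(index=i, **dict(zip(keys, PHDR.unpack_from(elf, phoff + i * phentsize))))
            for i in range(phnum)]


def validate(elf: bytes) -> list:
    """Strict checks a marking tool should run before writing; returns the problems found."""
    problems = []
    for ph in program_headers(elf):
        if ph["offset"] + ph["filesz"] > len(elf):
            problems.append(f"invalid PT_ entry:{ph['index']} (segment extends past end of file)")
        if ph["filesz"] > ph["memsz"]:
            problems.append(f"invalid PT_ entry:{ph['index']} (p_filesz larger than p_memsz)")
    return problems


def pax_flags(elf: bytes):
    """PT_PAX_FLAGS letters in PaX bit order, or None when no such header exists."""
    for ph in program_headers(elf):
        if ph["type"] == PT_PAX_FLAGS:
            return "".join(l for l, bit in PAX_BITS.items() if ph["flags"] & bit)
    return None


def mark_pt_pax_flags(elf: bytes, letters: str) -> bytes:
    """Model of 'paxctl -c -<letters>': rewrite PT_GNU_STACK (or an existing
    PT_PAX_FLAGS) in place as PT_PAX_FLAGS carrying the requested bits."""
    problems = validate(elf)
    if problems:
        raise ValueError("; ".join(problems))
    hdr = EHDR.unpack_from(elf)
    for ph in program_headers(elf):
        if ph["type"] in (PT_PAX_FLAGS, PT_GNU_STACK):
            flags = ph["flags"] if ph["type"] == PT_PAX_FLAGS else 0
            for l in letters:
                flags &= ~PAX_BITS[l.swapcase()]   # drop the opposite setting first
                flags |= PAX_BITS[l]
            buf = bytearray(elf)
            struct.pack_into("<II", buf, hdr[5] + ph["index"] * hdr[9], PT_PAX_FLAGS, flags)
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK or PT_PAX_FLAGS header to convert")


def mark_legacy(elf: bytes, letters: str) -> bytes:
    """Model of 'chpax -<letters>': set legacy bits in the e_ident[EI_PAX..EI_PAX+1] word."""
    word = int.from_bytes(elf[EI_PAX:EI_PAX + 2], "little")
    for l in letters:
        word |= LEGACY_BITS[l]
    return elf[:EI_PAX] + word.to_bytes(2, "little") + elf[EI_PAX + 2:]


def content_hash(elf: bytes) -> str:
    """What a self-check that hashes its own executable file would compare."""
    return hashlib.sha256(elf).hexdigest()


if __name__ == "__main__":
    orig = build_sample_elf()
    print("sanity:", validate(orig) or "ok", "| flags before:", pax_flags(orig))
    for name, marked in (("paxctl -cm", mark_pt_pax_flags(orig, "m")), ("chpax -m", mark_legacy(orig, "m"))):
        print(name, "| flags:", pax_flags(marked), "| hash changed:", content_hash(marked) != content_hash(orig))
```

Run against the constructed image, both marking models leave the file the same size but change its SHA-256, which is the whole reason a content self-check trips on a marked binary; truncating the image (dropping the tail of the PT_LOAD segment) makes validate() report an "invalid PT_ entry" and mark_pt_pax_flags() refuse to write, the behaviour comment 46 describes for paxctl on a malformed file. Setting user.pax.flags as an extended attribute instead would modify no byte of the file, so content_hash() would stay equal.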