Bug 375799 - dev-lang/mono: ebuild should remove the 'hardened' useflag
Summary: dev-lang/mono: ebuild should remove the 'hardened' useflag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: dotnet project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 375561
Reported: 2011-07-20 19:57 UTC by Anthony Basile
Modified: 2011-09-10 14:17 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Anthony Basile gentoo-dev 2011-07-20 19:57:37 UTC
The 'hardened' use flag refers to the hardened toolchain and not to a pax hardened kernel.  However all mono ebuilds use the flag as if referring to a hardened kernel.  This should be corrected.

There are a few approaches possible: 1) unconditionally DEPEND on sys-apps/paxctl and remove the "if use hardened" conditional when sed-ing runtime/mono-wrapper.in, 2) don't use paxctl and fall back on scanelf which is guaranteed to be on everyone's system by the profiles.

Reproducible: Always
Comment 1 Pacho Ramos gentoo-dev 2011-07-21 15:58:55 UTC
What scanelf command should we run to replace paxctl? Also, why don't we use another USE flag to run that command conditionally? Looks like it's only needed on hardened systems :-/
Comment 2 Anthony Basile gentoo-dev 2011-07-22 14:18:52 UTC
(In reply to comment #1)
> What scanelf command should we run to replace paxctl? Also, why don't we use
> another USE flag to run that command conditionally? Looks like it's only needed
> on hardened systems :-/

1) scanelf -Xx -z sets the flags.  Currently the ebuild has

   paxctl -mr

so you can replace that with

   scanelf -Xx -z mr

It has the effect of turning off MPROTECT and RANDMMAP.  (Test with paxctl -v to see that the flags are actually being changed.)

Alternatively, just pull in paxctl since it is a very lightweight dependency.


2) It should be safe to run paxctl or scanelf unconditionally.  All Gentoo binaries, whether hardened or not, have a PAX_FLAGS program header.  You can verify this using readelf -l /bin/ls (or whatever bin/lib you like).  This is so because of patch 63_all_binutils-2.20-pt-pax-flags-20090909.patch in sys-devel/binutils.

On systems which are running pax enabled kernels, that header is read to see what protection to enforce/relax.

On systems which are NOT running pax enabled kernels, that header is ignored, much like PT_NULL.

The best practice Gentoo-wide would be to pax mark anything that might need it, whether or not it is currently running under a pax hardened kernel, in case the user at some point decides to switch --- yes we have users that do that.

Alternatively, you can introduce a local USE flag "pax_kernel" and use it instead of "hardened" because, again, "hardened" refers to ssp, pie, FORTIFY_SOURCES=2 and is orthogonal to pax --- yes we have users that don't use "hardened" but use "pax_kernel" and vice versa.  Hence the whole issue in the first place.
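To make the header check described in this comment concrete, here is an added example (not code from this bug, from mono, or from paxctl/scanelf) that locates the PT_PAX_FLAGS program header in an ELF64 image, decodes its p_flags the way paxctl -v would report them, and shows which bits the "-mr" marking changes. The p_type and flag-bit values are those from PaX's elf.h; the sample binary is constructed inline instead of reading /bin/ls, so it runs anywhere.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # p_type of the PaX marker header that the binutils patch emits
PT_NULL = 0

# p_flags bits of a PT_PAX_FLAGS header: (enable bit, disable bit) per PaX feature
PAX_FLAGS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

def find_pax_flags(elf: bytes):
    """Walk the program headers (ELF64 little-endian only) and return the
    p_flags word of the PT_PAX_FLAGS entry, or None if the binary has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def decode_pax_flags(p_flags: int) -> dict:
    """Per feature: 'enabled', 'disabled', or 'default' (left to the kernel's policy)."""
    return {name: "enabled" if p_flags & on else "disabled" if p_flags & off else "default"
            for name, (on, off) in PAX_FLAGS.items()}

def mark_mprotect_randmmap_off(p_flags: int) -> int:
    """What 'paxctl -mr' / 'scanelf -Xx -z mr' leave in the header: set the
    NOMPROTECT and NORANDMMAP bits and clear their enable counterparts."""
    for name in ("MPROTECT", "RANDMMAP"):
        on, off = PAX_FLAGS[name]
        p_flags = (p_flags & ~on) | off
    return p_flags

def build_sample_elf(p_flags: int, p_type: int = PT_PAX_FLAGS) -> bytes:
    """Constructed sample: a minimal ELF64 image (x86-64, no sections) whose only
    program header is the marker; not a real binary from the bug report."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr
```

On a real file, pass open(path, "rb").read() to find_pax_flags; a vanilla kernel never looks at the bits it returns, which is why marking is harmless there.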
Comment 3 Pacho Ramos gentoo-dev 2011-09-10 10:56:40 UTC
2.10.4 removed it I think...
Comment 4 Anthony Basile gentoo-dev 2011-09-10 11:55:02 UTC
(In reply to comment #3)
> 2.10.4 removed it I think...

It does, but you still need to unconditionally do pax markings, i.e. replace

if use hardened ; then
   ewarn "We are disabling MPROTECT on the mono binary."
   sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i "${S}"/runtime/mono-wrapper.in
fi


with just


sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i "${S}"/runtime/mono-wrapper.in

The point being 1) hardened refers to toolchain hardening and this has nothing to do with the toolchain, so "use hardened" is wrong, 2) the pax markings are needed on pax enabled kernels that have mprotect, 3) pax marking binaries/libraries has no effect on vanilla systems because the PT_PAX program header, which is there on *all* gentoo binaries, will simply be ignored by the kernel and userland on vanilla.

If you still feel uncomfortable pax marking unconditionally, then we are encouraging maintainers to use pax_kernel instead of hardened, e.g. sys-fs/aufs3
Comment 5 Pacho Ramos gentoo-dev 2011-09-10 14:17:13 UTC
+  10 Sep 2011; Pacho Ramos <pacho@gentoo.org> mono-2.10.5.ebuild, metadata.xml:
+  Use and DEPEND on pax tools only when people wants to use mono on hardened
+  kernels (bug #375799 by Anthony Basile).
+
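Review bot: the entry says the pax tools are now used "only when people wants to use mono on hardened kernels" but does not name the USE flag that gates them; comment 4 asked for either unconditional marking or a pax_kernel flag in place of hardened, so the entry should state which flag mono-2.10.5.ebuild and metadata.xml actually use, since "hardened kernels" repeats the very conflation this bug is about. Minor: "people wants" should read "people want".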