When spidermonkey does not use JIT, no PaX marking is necessary.
Most likely hardened team will be interested, avoiding unnecessary pax marking improves security.
Perhaps the previous trivial if/else conditional for handling the issue was deemed too complex to maintain (see referenced bug #444446 for illustration).
If you re-emerge spidermonkey with jit, then polkitd need to be marked. How will it get those markings?
There are 3 solutions: 1) pax mark /usr/lib64/libmozjs-17.0.so and suggest running revdep-pax 2) Add USE jit to polkit and change dep to: dev-lang/spidermonkey:17[-debug,jit=] 3) Print warning after dev-lang/spidermonkey rebuild.
(In reply to Nikoli from comment #4) > There are 3 solutions: > 1) pax mark /usr/lib64/libmozjs-17.0.so and suggest running revdep-pax This requires one to pull in sys-apps/elfix which is a bit much. > 2) Add USE jit to polkit and change dep to: > dev-lang/spidermonkey:17[-debug,jit=] This is the best solution. > 3) Print warning after dev-lang/spidermonkey rebuild. Unnecessary amount of user interaction here. Chances are it'll be missed. Let's go with 2.
Created attachment 372496 [details, diff] USE="jit" for polkit? How did you mean to use jit= ? # USE="jit" emerge -av 'dev-lang/spidermonkey:17' These are the packages that would be merged, in reverse order: Calculating dependencies... done! [ebuild R ] dev-lang/spidermonkey-17.0.0-r3:17 USE="jit* -debug -minimal -static-libs {-test}" 0 kB Total: 1 package (1 reinstall), Size of downloads: 0 kB !!! Multiple package instances within a single package slot have been pulled !!! into the dependency graph, resulting in a slot conflict: dev-lang/spidermonkey:17 (dev-lang/spidermonkey-17.0.0-r3::gentoo, ebuild scheduled for merge) pulled in by (no parents that aren't satisfied by other packages in this slot) (dev-lang/spidermonkey-17.0.0-r3::gentoo, installed) pulled in by dev-lang/spidermonkey:17[-debug,jit=] required by (sys-auth/polkit-0.112-r2::gentoo, installed) !!! Enabling --newuse and --update might solve this conflict. !!! If not, it might help emerge to give a more specific suggestion.
Tried your patch, works fine: # USE='jit' emerge -vp =sys-auth/polkit-0.112-r1 These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild R ] dev-lang/spidermonkey-17.0.0-r3:17 USE="jit* minimal {test} -debug -static-libs" 0 kB [ebuild R ] sys-auth/polkit-0.112-r1 USE="introspection jit%* kde nls pam -examples -gtk (-selinux) -systemd" 0 kB Total: 2 packages (2 reinstalls), Size of downloads: 0 kB You see this error, because you try to rebuild spidermonkey without rebuilding polkit, portage even suggests about it: "Enabling --newuse and --update might solve this conflict."
in portage then
Something went wrong, polkit-0.112-r2[-jit] fails src_test: make[4]: Entering directory `/var/package-manager/tmp/portage/sys-auth/polkit-0.112-r2/work/polkit-0.112/test/polkitbackend' ../../test-driver: line 95: 31822 Killed "$@" > $log_file 2>&1 FAIL: polkitbackendjsauthoritytest No messages in dmesg, in polkit-0.112-r1 all tests work fine. So is JIT really disabled in dev-lang/spidermonkey-17.0.0-r3[-jit]?
(In reply to Nikoli from comment #9) > Something went wrong, polkit-0.112-r2[-jit] fails src_test: > make[4]: Entering directory > `/var/package-manager/tmp/portage/sys-auth/polkit-0.112-r2/work/polkit-0.112/ > test/polkitbackend' > ../../test-driver: line 95: 31822 Killed "$@" > $log_file > 2>&1 > FAIL: polkitbackendjsauthoritytest > > No messages in dmesg, in polkit-0.112-r1 all tests work fine. > > So is JIT really disabled in dev-lang/spidermonkey-17.0.0-r3[-jit]? If JIT is not disabled with USE="-jit" in dev-lang/spidermonkey, shouldn't you file a bug for dev-lang/spidermonkey? Any pax-marking in polkit happens only in src_install() so at the time src_test() is executed, nothing has yet been done by polkit's ebuild, now or before
(In reply to Samuli Suominen from comment #10) > Any pax-marking in polkit happens only in src_install() so at the time > src_test() is executed, nothing has yet been done by polkit's ebuild, now or > before Sorry, I take that back, I should have verified before speaking, it's indeed done in src_compile()
The ebuild has... has_version 'dev-lang/spidermonkey:17[jit]' && m='m' I don't see how that could fail: 1. spidermonkey is a build time dependency in polkit, therefore it's emerged first 2. so, now spidermonkey is installed 3. polkit goes into src_compile() and has_version is checking if jit is enabled or not in spidermonkey, and does pax-marking based on it So, is unconditional pax-marking required afterall, and the whole bug was bogus to begin with? If so, I can drop -r2. I rely on hardened users/devs to report this to me. Keep me updated.
mozilla herd, please check if disabling USE jit really makes using /usr/lib64/libmozjs-17.0.so safe in hardened systems. Can you try reproducing this bug?
(In reply to Nikoli from comment #13) > mozilla herd, please check if disabling USE jit really makes using > /usr/lib64/libmozjs-17.0.so safe in hardened systems. Can you try > reproducing this bug? If -jit is used there is no need to pax mark anything in polkit. This was the same result when using spidermonkey-1.8.7. There is no testing needed.
We have a jit useflag on polkit that does nothing, please drop it from the ebuild and stop forcing rebuilds that are not required.
(In reply to Jory A. Pratt from comment #15) > We have a jit useflag on polkit that does nothing, please drop it from the > ebuild and stop forcing rebuilds that are not required. No, we don't, the jit= will ensure polkit will be re-emerged with USE="-jit" if dev-lang/spidermonkey is enabled with USE="-jit" There is no other way to do this w/ current Portage Note, also >=www-client/midori-0.5.7 uses this method for USE="jit"
(In reply to Jory A. Pratt from comment #14) > (In reply to Nikoli from comment #13) > > mozilla herd, please check if disabling USE jit really makes using > > /usr/lib64/libmozjs-17.0.so safe in hardened systems. Can you try > > reproducing this bug? > > If -jit is used there is no need to pax mark anything in polkit. This was > the same result when using spidermonkey-1.8.7. There is no testing needed. See Comment #9, for which this bug was reopened. Testing/verifying is very much required.
(In reply to Samuli Suominen from comment #17) > (In reply to Jory A. Pratt from comment #14) > > (In reply to Nikoli from comment #13) > > > mozilla herd, please check if disabling USE jit really makes using > > > /usr/lib64/libmozjs-17.0.so safe in hardened systems. Can you try > > > reproducing this bug? > > > > If -jit is used there is no need to pax mark anything in polkit. This was > > the same result when using spidermonkey-1.8.7. There is no testing needed. > > See Comment #9, for which this bug was reopened.Testing/verifying is very > much required. That is a completely unrelated issue. I am telling you there is no testing needed as I run haradened. I can tell you what happens with and without spidermonkey being built with JIT
> If -jit is used there is no need to pax mark anything in polkit. Jory, did you see comment #9? For me polkit-0.112-r2[-jit] fails polkitbackendjsauthoritytest, does it work fine for you? Please verify that all tests work fine for you in polkit _without_ any pax marking. Because for me they do not.
(In reply to Nikoli from comment #19) > > If -jit is used there is no need to pax mark anything in polkit. > > Jory, did you see comment #9? For me polkit-0.112-r2[-jit] fails > polkitbackendjsauthoritytest, does it work fine for you? Please verify that > all tests work fine for you in polkit _without_ any pax marking. Because for > me they do not. Complaining over test failures is useless. If you understand mozilla code you can see most of the tests are false positives. These same tests fail inside most mozilla products. They are not used for hardline results.
(In reply to Jory A. Pratt from comment #20) > (In reply to Nikoli from comment #19) > > > If -jit is used there is no need to pax mark anything in polkit. > > > > Jory, did you see comment #9? For me polkit-0.112-r2[-jit] fails > > polkitbackendjsauthoritytest, does it work fine for you? Please verify that > > all tests work fine for you in polkit _without_ any pax marking. Because for > > me they do not. > > Complaining over test failures is useless. If you understand mozilla code > you can see most of the tests are false positives. These same tests fail > inside most mozilla products. They are not used for hardline results. I take it that mozilla@ is not intrested in being involved in figuring out what makes the test fail, and if it's jit related or not. That's OK, we can take it from here...
(In reply to Nikoli from comment #9) > Something went wrong, polkit-0.112-r2[-jit] fails src_test: > make[4]: Entering directory > `/var/package-manager/tmp/portage/sys-auth/polkit-0.112-r2/work/polkit-0.112/ > test/polkitbackend' > ../../test-driver: line 95: 31822 Killed "$@" > $log_file > 2>&1 $log_file, I don't remember out of memory, but there is indeed a log created from the tests Perhaps you should provide more information of the failing test before jumping conclusions it's JIT related, this bug related, to begin with, before CCing maintainers like spidermonkey here
Jory, tests in polkit package never failed for me in all hardened desktops until pax marking was disabled for them. Results of these tests are not random, but reproducible. polkitbackendjsauthoritytest is not marked XFAIL, so it is expected to work fine. Samuli, > $log_file, I don't remember out of memory, but there is indeed a log created from the tests # file test/polkitbackend/polkitbackendjsauthoritytest.log test/polkitbackend/polkitbackendjsauthoritytest.log: empty # cat test/polkitbackend/test-suite.log ===================================================== polkit 0.112: test/polkitbackend/test-suite.log ===================================================== # TOTAL: 1 # PASS: 0 # SKIP: 0 # XFAIL: 0 # FAIL: 1 # XPASS: 0 # ERROR: 0 .. contents:: :depth: 2 FAIL: polkitbackendjsauthoritytest ================================== Do you need any other info?
(In reply to Nikoli from comment #23) > Jory, tests in polkit package never failed for me in all hardened desktops > until pax marking was disabled for them. Results of these tests are not > random, but reproducible. polkitbackendjsauthoritytest is not marked XFAIL, > so it is expected to work fine. > > Samuli, > > $log_file, I don't remember out of memory, but there is indeed a log created from the tests > > # file test/polkitbackend/polkitbackendjsauthoritytest.log > test/polkitbackend/polkitbackendjsauthoritytest.log: empty > > # cat test/polkitbackend/test-suite.log > ===================================================== > polkit 0.112: test/polkitbackend/test-suite.log > ===================================================== > > # TOTAL: 1 > # PASS: 0 > # SKIP: 0 > # XFAIL: 0 > # FAIL: 1 > # XPASS: 0 > # ERROR: 0 > > .. contents:: :depth: 2 > > FAIL: polkitbackendjsauthoritytest > ================================== > > > Do you need any other info? ERROR:test-polkitbackendjsauthority.c:49:get_authority: assertion failed: (rules_dirs[0] != NULL) Here is your actual issue. I will be more then happy to dig into it and see what we can do.
Created attachment 388660 [details, diff] patch for ebuild I found why tests fail in sys-auth/polkit-0.112-r2: when there should be no pax marking done, ebuild actually does wrong pax marking. cd /var/tmp/portage/sys-auth/polkit-0.112-r2/work/polkit-0.112/ && paxctl-ng -v src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest src/polkitbackend/.libs/polkitd: PT_PAX : -e--- XATTR_PAX : not found test/polkitbackend/.libs/polkitbackendjsauthoritytest: PT_PAX : -e--- XATTR_PAX : pe-rs build.log: make[1]: Leaving directory '/var/tmp/portage/sys-auth/polkit-0.112-r2/work/polkit-0.112' * test/polkitbackend/.libs/polkitbackendjsauthoritytest * XT PaX marking -srpesp test/polkitbackend/.libs/polkitbackendjsauthoritytest with paxctl-ng >>> Source compiled. This part of ebuild is wrong: src_compile() { default # Required for polkitd on hardened/PaX due to spidermonkey's JIT local f='src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest' local m='' # Only used when USE="jit" is enabled for 'dev-lang/spidermonkey:17' wrt #485910 has_version 'dev-lang/spidermonkey:17[jit]' && m='m' # hppa, ia64 and mips uses spidermonkey-1.8.5 which requires different pax-mark flags use hppa && m='mr' use ia64 && m='mr' use mips && m='mr' pax-mark ${m} ${f} } It should not run 'pax-mark ${m} ${f}' when $m is empty. Attached patch works fine for me.
(In reply to Nikoli from comment #25) > Created attachment 388660 [details, diff] [details, diff] > patch for ebuild > > It should not run 'pax-mark ${m} ${f}' when $m is empty. Attached patch > works fine for me. applied to tree
