I was trying to install kawa but when it got to invoking javac as part of the build, the PAX kernel patches (enabled in my build of gentoo-sources) killed javac. It would be an improvement if blackdown-jdk checked for the existence of /sbin/chpax, or installation of the gradm package, and ran chpax -p /opt/blackdown-jdk-1.3.1/bin/i386/*/* accordingly, as otherwise java won't work.
Just because gradm is installed doesn't mean grsec is active in the kernel ... and I'd be against this ... I'd suggest adding an einfo to the end that says something like 'if you are using grsecurity you may have to run chpax on the installed files'.
OK; in that case a more refined test would be the sysctl kernel.grsecurity.execve_limiting = 1, I think.
that is, of course, if you enabled sysctl support (which is disabled by default) :)
if [ -x /sbin/chpax ] ; then
    file /opt/blackdown-jdk-*/bin/* | grep ELF | cut -d : -f 1 | while read elf ; do
        /sbin/chpax -rsmp "$elf"
    done
fi

You could add checks in java itself... But I feel this would be kind of a hackfix, as other programs such as XFree86 would also need the same thing. The Gentoo way to do this would be to use PAGE_EXEC_EXEMPT= in /etc/conf.d/grsecurity and rc-update add grsecurity default.

Note: Starting with gradm-1.9.9h-r1.ebuild, chpax will no longer be distributed as part of gradm:

emerge chpax
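The snippet in the comment above identifies ELF files with file | grep ELF | cut -d : -f 1, which breaks on any path containing a colon and depends on the wording of file's output. The following is an added example, not code from the bug thread or from the blackdown-jdk ebuild: it detects ELF objects by their magic bytes instead, keeps the "only act if chpax is installed" guard, and can be dry-run. The CHPAX and DRY_RUN variables, the function names, and the test directory layout are assumptions for illustration; the chpax flags (-rsmp) are the ones the comment uses.

```sh
#!/bin/sh
# Added example (not from the bug thread): locate ELF binaries under a JDK
# install directory by magic bytes and apply chpax -rsmp to each of them.

# is_elf FILE: succeed if FILE starts with the 4-byte ELF magic 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# list_elf_files DIR: print every regular file under DIR that is an ELF object,
# one per line. Shell wrappers, text files and odd file names are skipped.
list_elf_files() {
    find "$1" -type f | while IFS= read -r f; do
        if is_elf "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_elf_files DIR: print the number of ELF objects under DIR.
count_elf_files() {
    list_elf_files "$1" | wc -l | tr -d ' '
}

# pax_mark_dir DIR: run chpax -rsmp on each ELF file under DIR if chpax exists,
# mirroring the "if [ -x /sbin/chpax ]" guard from the thread. CHPAX overrides
# the tool path (assumption, used for testing); DRY_RUN=1 prints the command
# that would run instead of executing it.
pax_mark_dir() {
    chpax_bin=${CHPAX:-/sbin/chpax}
    [ -x "$chpax_bin" ] || return 0
    list_elf_files "$1" | while IFS= read -r elf; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s -rsmp %s\n' "$chpax_bin" "$elf"
        else
            "$chpax_bin" -rsmp "$elf"
        fi
    done
}

# Usage (dry run against an assumed JDK path):
#   DRY_RUN=1 pax_mark_dir /opt/blackdown-jdk-1.3.1
```

Because the ELF check reads the file header rather than parsing file's output, a file named with a colon or a shell script placed in bin/ is handled correctly, and the dry run lets an administrator review which binaries would lose PaX restrictions before anything is changed.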
java & pax chpax -rs alone does the trick. This bug should also be closed and any new ones that appear like this should be marked as invalid.
It's up to the user to handle security and other things in their system.
Final note on this bug for archival reasons. The PaX author says chpax -rsp is what java* needs for completeness, not just -rs. Or (preferably) use the grsec ACL system.