After emerging bash all the ebuilds fail, either complaining about being unable to dlopen libc or being unable to do xmalloc in bash.

Reproducible: Always

Steps to Reproduce:
1. Emerge gcc 4.4.3-r1 from the hardened overlay
2. Try to emerge anything which requires compilation
3. The emerge fails

Relevant lines when using the sandbox:

unning configure fragment for sysdeps/i386
checking if -g produces usable source locations for assembler-with-cpp... yes
checking for old glibc 2.0.x headers... no
checking whether -fPIC is default... no
configure: creating ./config.status
config.status: creating config.make
config.status: creating Makefile
config.status: creating config.h
config.status: executing default commands
 * Building GLIBC with NPTL...
make -r PARALLELMFLAGS="-j2" CVSOPTS="" -C /var/tmp/portage/sys-libs/glibc-2.10.1-r1/work/glibc-2.10.1 objdir=`pwd` all
libsandbox: Can't dlopen libc: out of memory
make: *** [all] Error 1
 * ERROR: sys-libs/glibc-2.10.1-r1 failed:
 *   make for default failed
 *
 * Call stack:
 *     ebuild.sh, line 54:  Called src_compile
 *       environment, line 3744:  Called eblit-run 'src_compile'
 *       environment, line 1204:  Called eblit-glibc-src_compile
 *   src_compile.eblit, line 207:  Called toolchain-glibc_src_compile
 *   src_compile.eblit, line 123:  Called die
 * The specific snippet of code:
 *   make PARALLELMFLAGS="${MAKEOPTS}" || die "make for ${ABI} failed"
 *
 * If you need support, post the output of 'emerge --info =sys-libs/glibc-2.10.1-r1',
 * the complete build log and the output of 'emerge -pqv =sys-libs/glibc-2.10.1-r1'.
 * The complete build log is located at '/var/tmp/portage/sys-libs/glibc-2.10.1-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-libs/glibc-2.10.1-r1/temp/environment'.
 * S: '/var/tmp/portage/sys-libs/glibc-2.10.1-r1/work/glibc-2.10.1'

And when not using it:

config.status: creating config.make
config.status: creating Makefile
config.status: creating config.h
config.status: executing default commands
 * Building GLIBC with NPTL...
make -r PARALLELMFLAGS="-j2" CVSOPTS="" -C /var/tmp/portage/sys-libs/glibc-2.10.1-r1/work/glibc-2.10.1 objdir=`pwd` all
bash: xmalloc: locale.c:73: cannot allocate 2 bytes (0 bytes allocated)
make: *** [all] Error 2
 * ERROR: sys-libs/glibc-2.10.1-r1 failed:
 *   make for default failed
 *
 * Call stack:
 *     ebuild.sh, line 54:  Called src_compile
 *       environment, line 3741:  Called eblit-run 'src_compile'
 *       environment, line 1201:  Called eblit-glibc-src_compile
 *   src_compile.eblit, line 207:  Called toolchain-glibc_src_compile
 *   src_compile.eblit, line 123:  Called die
 * The specific snippet of code:
 *   make PARALLELMFLAGS="${MAKEOPTS}" || die "make for ${ABI} failed"
 *
 * If you need support, post the output of 'emerge --info =sys-libs/glibc-2.10.1-r1',
 * the complete build log and the output of 'emerge -pqv =sys-libs/glibc-2.10.1-r1'.
 * The complete build log is located at '/var/tmp/portage/sys-libs/glibc-2.10.1-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-libs/glibc-2.10.1-r1/temp/environment'.
 * S: '/var/tmp/portage/sys-libs/glibc-2.10.1-r1/work/glibc-2.10.1'

The bug seems to be related not only to glibc building but also to bash, libsandbox and probably others.
Well, after some findings it seems this won't happen if mem-scramble is disabled. Any idea on why?
emerge --info

Portage 2.1.7.16 (hardened/linux/x86/10.0, gcc-4.4.3, glibc-2.10.1-r1, 2.6.31-gentoo-r6 i686)
=================================================================
System uname: Linux-2.6.31-gentoo-r6-i686-AMD_Phenom-tm-_9550_Quad-Core_Processor-with-gentoo-1.12.13
Timestamp of tree: Fri, 12 Feb 2010 06:45:01 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.4.3-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=athlon64"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CPPFLAGS=""
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=athlon64"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/"
LDFLAGS="-Wl,-O1"
LINGUAS="es es_ES"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/hardened-development"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl audit bash-completion bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv mmap mmx modules mudflap ncurses nls nptl nptlonly pam pcre pic pppd readline reflection session spl sse sse2 ssl sysfs tcpd unicode urandom x86 xattr xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="es es_ES"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="vesa"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Happens also on a fresh (stage 3) AMD64 install (with gcc 4.3); both were tested under a kvm machine:

QEMU_ALSA_DAC_DEV=default QEMU_AUDIO_DRV=alsa kvm -drive file=/datos1/install-amd64-minimal-20100126.iso,if=ide,media=cdrom,index=0,boot=on -drive file=/datos1/gentoovirt.img,if=virtio,media=disk,index=0 -drive file=/datos1/gentoovirt64.img,if=virtio,media=disk,index=1 -m 512 -smp 2 -soundhw pcspk -net nic,model=virtio -net user,hostfwd=tcp::9022-:22 -vga std -usb -usbdevice tablet -no-quit -cpu phenom
Just a workaround for when someone hits this bug: take an old bash, put it somewhere on the box (e.g. /tmp/bash), then relink /bin/sh to this alternative bash and remerge bash without mem-scramble. Probably the alternative bash should be the same arch.
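The workaround above written out as a shell script. This is an added example, not the commenter's or Gentoo's own code; it assumes hypothetical names: ROOT (empty for the live system, or a prefix for testing), ALT_BASH (where the staged bash lives, defaulting to /tmp/bash as in the comment) and EMERGE (the command used to rebuild bash). The staging step executes the copied bash once, so a binary built for the wrong arch fails there rather than after /bin/sh has been pointed at it.

```shell
#!/bin/sh
# Added example (not from the bug report): scripted form of the workaround above.
# Hypothetical knobs: ROOT (prefix, empty = live system), ALT_BASH (staged copy,
# default /tmp/bash) and EMERGE (command used to rebuild app-shells/bash).
set -eu

# 1. Stage a known-good bash outside the build area and prove it executes.
#    A copy for the wrong arch fails here, before /bin/sh depends on it.
stage_alt_bash() {
  src=$1 dst=$2
  cp "$src" "$dst"
  chmod 755 "$dst"
  "$dst" -c 'exit 0' 2>/dev/null || {
    echo "stage_alt_bash: $dst does not run on this host (wrong arch?)" >&2
    return 1
  }
}

# 2. Point $ROOT/bin/sh at the alternative bash. The symlink is created under a
#    temporary name and renamed over the old one, so /bin/sh is never missing.
relink_sh() {
  root=$1 alt=$2
  ln -sfn "$alt" "$root/bin/sh.new"
  mv -f "$root/bin/sh.new" "$root/bin/sh"
}

# 3. Record USE="-mem-scramble" for app-shells/bash in package.use.
#    Idempotent: a second run does not append a duplicate line.
disable_mem_scramble() {
  root=$1
  f="$root/etc/portage/package.use/bash"
  mkdir -p "${f%/*}"
  grep -qs '^app-shells/bash .*-mem-scramble' "$f" \
    || echo 'app-shells/bash -mem-scramble' >> "$f"
}

# 4. Rebuild bash with the new USE setting. Portage runs the ebuild under the
#    /bin/sh installed in step 2, i.e. the bash that still works.
rebuild_bash() {
  "${EMERGE:-emerge}" --oneshot app-shells/bash
}

# Full procedure; $1 is the path of the old, working bash binary.
workaround() {
  root=${ROOT:-}
  alt=${ALT_BASH:-/tmp/bash}
  stage_alt_bash "$1" "$alt"
  relink_sh "$root" "$alt"
  disable_mem_scramble "$root"
  rebuild_bash
}

# Usage (as root): ./workaround.sh /path/to/old/bash
if [ -n "${1:-}" ]; then
  workaround "$1"
fi
```

Run it with the path of the old bash as its only argument. Set ROOT to a scratch prefix and EMERGE to `true` to rehearse steps 1 to 3 without touching the live /bin/sh or running portage.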
Seems that mem-scramble won't get along well with hardened systems with not much RAM. Oddly enough, when using this on a system with 4GB of RAM and with gcc-4.4 it seems to be fixed.
same problem with ~7.5 free RAM
I found that this does not seem to happen in kernel ≤4.0.8 (hardened-sources). But I could reproduce it even on armv7!! (armv7a-hardfloat-linux-gnueabi, CFLAGS="-Ofast -pipe -mcpu=cortex-a7 -mfpu=neon-vfpv4 -mfloat-abi=hard" [No matter how I set the -O switch].)
(In reply to Francisco Blas Izquierdo Riera from comment #5)
> Seems that meem-scramble won't get along well with hardened systems with not
> much RAM.

My ARM system has a sunxi kernel, which (I’m pretty sure) doesn’t contain any hardening. It also has only 1GB of RAM though, and uses a tmpfs in RAM for all non-huge packages too. But I know for a fact that it fails even on very small packages.
Low levels of RAM are not required, as far as I can tell. Kernel >4.0.8 and USE="mem-scramble" appear to suffice.