Due to text relocations in certain vbox libraries, all of the following executables need to relax MPROTECT:

already done in the ebuild:
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VBoxHeadless]
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VBoxSDL]
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VirtualBox]

need to be added:
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VBoxManage]
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VBoxSVC]
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VBoxTestOGL]
- PaX flags: -----m-x-e-- [/usr/lib/virtualbox-ose/VBoxXPCOMIPCD]

Reproducible: Always
Hardened team, feel free to add any changes which are necessary to the ebuilds.
(In reply to comment #1)
> Hardened team, feel free to add any changes which are necessary to the ebuilds.
>

virtualbox-ose needs more than just the pax markings to work on hardened. It also needs to be compiled no-pie. This is usually done by setting CFLAGS="${CFLAGS} -fno-pie" but I don't understand the kmk build system and setting the environment variable doesn't work. I haven't figured out how to do it without seriously hacking it up --- probably in bad ways. Any hints?

(Alternatively, a hardened user can switch to x86_64-pc-linux-gnu-4.4.4-hardenednopie and compile with that.)
Done as of virtualbox-ose-3.2.12-r2.ebuild. I'm closing this for now. If there are still issues, please reopen.