Amarok don't open with PaX mprotect, the following appears on dmesg: grsec: denied resource overstep by requesting 69632 for RLIMIT_MEMLOCK against limit 65536 for /usr/bin/amarok[amarok:3145] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/amarok[amarok:3144] uid/euid:1000/1000 gid/egid:1000/1000 grsec: Segmentation fault occurred at 00000000bbadbeef in /usr/bin/amarok[amarok:3145] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/amarok[amarok:3144] uid/euid:1000/1000 gid/egid:1000/1000 If I change MEMLOCK to a higher value (on limits.conf), I get only this on dmesg: grsec: Segmentation fault occurred at 00000000bbadbeef in /usr/bin/amarok[amarok:3147] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/amarok[amarok:3146] uid/euid:1000/1000 gid/egid:1000/1000 Amarok works perfectly with non-hardened kernel (withou PaX). Use paxctl -m on amarok binary solve the problema here. P.S. Amarok don't built with hardened-sources too, see: https://bugs.gentoo.org/show_bug.cgi?id=342911 Reproducible: Always Steps to Reproduce: 1. Use a kernel with PaX enable (like hardened-sources) 2. Open AmaroK Actual Results: Segmentation fault Portage 2.2.0_alpha4 (hardened/linux/amd64/10.0, gcc-4.5.1-asneeded, glibc-2.12.1-r3, 2.6.36-hardened x86_64) ================================================================= System uname: Linux-2.6.36-hardened-x86_64-Intel-R-_Pentium-R-_Dual_CPU_T3400_@_2.16GHz-with-gentoo-2.0.1 Timestamp of tree: Sun, 14 Nov 2010 05:45:02 +0000 app-shells/bash: 4.1_p9 dev-java/java-config: 2.1.11-r2 dev-lang/python: 2.7, 3.1.2-r4 dev-util/cmake: 2.8.1-r2 sys-apps/baselayout: 2.0.1-r1 sys-apps/openrc: 0.6.3 sys-apps/sandbox: 2.3-r1 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1 sys-devel/binutils: 2.20.1-r1 sys-devel/gcc: 4.5.1 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.4 sys-devel/make: 3.82 virtual/os-headers: 2.6.35 (sys-kernel/linux-headers) Repositories: gentoo mozilla ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -march=native -ftree-vectorize -floop-strip-mine -floop-interchange -floop-block -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O2 -march=native -ftree-vectorize -floop-strip-mine -floop-interchange -floop-block -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.c3sl.ufpr.br" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu" LINGUAS="en en_US" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/yportage" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/mozilla" SYNC="rsync://rsync.samerica.gentoo.org/gentoo-portage" USE="X aac acl acpi alsa amd64 amr apng berkdb bzip2 cairo cdr cli cracklib crypt custom-cflags custom-cpuopts custom-optimization cxx dbus djvu dri dvd encode exif faac faad ffmpeg flac fontconfig gdbm gif gnutls gstreamer hardened iconv icu jpeg justify kde lame lcms libffi lzma mad mmx mng modules mp3 mpeg mudflap multilib ncurses nls nptl nptlonly ogg opengl openmp optimized-qmake pam pcre pic png pppd python qt3support qt4 readline session smp sqlite sse sse2 sse3 ssl ssse3 svg symlink sysfs system-sqlite taglib tcpd theora threads tiff truetype udev unicode urandom v4l v4l2 vaapi vorbis vpx x264 xcb xml xorg xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel i915 i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
What amarok version?
(In reply to comment #1) > What amarok version? > media-sound/amarok-2.3.2-r1
https://bugs.gentoo.org/show_bug.cgi?id=338245 Adding configure flag "-no-javascript-jit" to qt-core, qt-script, qt-webkit got rid of my QT JIT issues.
Qt/hardened: Any ideas?
Did building with -jit got rid of the problem? It was the idea for that change
It worked for me
Using -jit com qt packages solved the problem here(1). I recommend put jit on package.use.mask on hardened profiles, at least for qt packages. This change solve another reported bug about build amarok with hardened-sources[2]. [1] https://bugs.gentoo.org/show_bug.cgi?id=338243 [2] https://bugs.gentoo.org/show_bug.cgi?id=342911 Cheers.
Bruno, thanks for the bug report. Dillon, thanks for the research and patch. @hardened, I'll leave this bug and bug 342911 open until you mask the use flag in the profiles.
Looks like it happened but nobody commented here $ grep -r jit /usr/portage/profiles/ /usr/portage/profiles/hardened/linux/make.defaults:STAGE1_USE="hardened nptl nptlonly pic -jit"
/usr/portage/profiles/hardened/linux/make.defaults:USE="-fortran -ipv6 hardened pic sysfs urandom -jit" I'm closing this bug then. Feel free to reopen if the issue persists.
