Bug 434244 - x11-drivers/nvidia-drivers-173* and hardened-sources
Summary: x11-drivers/nvidia-drivers-173* and hardened-sources
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jeroen Roovers (RETIRED)
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2012-09-07 19:56 UTC by Martin Väth
Modified: 2019-01-16 10:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch to make nvidia-drivers-173* work with hardened-sources (nvidia-drivers-grsecurity.patch, 1.66 KB, patch)
2012-09-07 19:56 UTC, Martin Väth

Description Martin Väth 2012-09-07 19:56:58 UTC
Created attachment 323160
Patch to make nvidia-drivers-173* work with hardened-sources

As requested in bug 385837, I open a new bug:

With the attached patch, the nvidia-drivers 173 series compiles (and runs)
with hardened-sources (many versions of both packages were tested already).
It should be possible to use the patch unconditionally (although this is not
well-tested).
Comment 1 Rick Farina (Zero_Chaos) gentoo-dev 2012-11-20 02:45:33 UTC
The current stable versions all work with hardened-sources; is this really needed?
Comment 2 Martin Väth 2012-11-22 19:15:29 UTC
(In reply to comment #1)
> The current stable versions all work with hardened-sources

Sorry for my late reply: I was rather busy and wanted to verify
before I answer.

I tested with sys-kernel/hardened-sources-3.6.7 and
x11-drivers/nvidia-drivers-3.6.7:

It compiles without patches, but when you start X with
pax security features enabled in the kernel (I did not test
which ones are the responsible ones), X does not start:
htop shows a dead process without a name, and dmesg contains:

PAX: kernel memory leak attempt detected from [...] (nv_stack_t) (15 bytes)
...
Comment 3 Martin Väth 2012-11-22 19:16:33 UTC
(In reply to comment #2)
>> x11-drivers/nvidia-drivers-3.6.7:

I meant x11-drivers/nvidia-drivers-173.14.36
Comment 4 Magnus Granberg gentoo-dev 2013-01-12 13:43:39 UTC
Maybe close this bug? The 3** series of drivers has the needed patches.
Comment 5 Rick Farina (Zero_Chaos) gentoo-dev 2013-01-12 14:45:27 UTC
Current drivers compile and function; the X use flag is masked for a reason. People seem to be discussing the unmasking of the X flag over at bug #433121, but I wouldn't hold my breath on that being "officially supported" (but that bug might help you get it working).
Comment 6 Martin Väth 2013-01-12 17:29:59 UTC
(In reply to comment #5)
> Current drivers compile and function

This bug is not about "current drivers" but about the 173-* series which is needed if you do not have a brand new nvidia card. And that driver compiles but does not work with pax enabled unless you use a patch like the attached one.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-01-12 18:37:22 UTC
Comment on attachment 323160
Patch to make nvidia-drivers-173* work with hardened-sources

/home/jer/portage/x11-drivers/nvidia-drivers-173.14.36/work/usr/src/nv/nv.c: In function ‘nvidia_init_module’:
/home/jer/portage/x11-drivers/nvidia-drivers-173.14.36/work/usr/src/nv/nv.c:1384:5: error: ‘SLAB_USERCOPY’ undeclared (first use in this function)
/home/jer/portage/x11-drivers/nvidia-drivers-173.14.36/work/usr/src/nv/nv.c:1384:5: note: each undeclared identifier is reported only once for each function it appears in
make[3]: *** [/home/jer/portage/x11-drivers/nvidia-drivers-173.14.36/work/usr/src/nv/nv.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [_module_/home/jer/portage/x11-drivers/nvidia-drivers-173.14.36/work/usr/src/nv] Error 2
NVIDIA: left KBUILD.
nvidia.ko failed to build!
make[1]: *** [module] Error 1
make: *** [module] Error 2
emake failed

This apparently won't compile against non-hardened sources. We could muck about with USE flags and kernel checks and such, or do one better and have the patch perform the magic.
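
A simplified user-space model of the behaviour discussed in comments 2 and 7, added here as an illustration; it is not the attached patch, nor code from the driver or the kernel. It assumes the PaX check permits kernel-to-user copies only from slab caches created with SLAB_USERCOPY; the struct names, the 0x200 flag value and the 64-byte object size are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model kernel: usercopy_flag is the SLAB_USERCOPY bit its headers define,
 * or 0 when the headers do not define it (non-hardened sources). */
struct model_kernel { const char *name; unsigned long usercopy_flag; };
/* Model slab cache: name, object size and the flags it was created with. */
struct model_cache { const char *name; size_t obj_size; unsigned long flags; };

/* Constructed kernels; 0x200 is a placeholder bit, not the real value. */
const struct model_kernel HARDENED = { "hardened-sources", 0x200UL };
const struct model_kernel VANILLA  = { "non-hardened",     0UL };

/* Flags the driver passes when creating its nv_stack_t cache. patched != 0
 * models a patch that requests the whitelist bit where the kernel has one
 * and contributes nothing (0) where it does not. */
unsigned long nv_stack_cache_flags(const struct model_kernel *k, int patched)
{
    return patched ? k->usercopy_flag : 0UL;
}

/* Model of a kernel-to-user copy out of a slab object.
 * Returns bytes copied, or -1 when the copy is refused. */
long model_copy_to_user(const struct model_kernel *k, const struct model_cache *c,
                        void *dst, const void *obj, size_t n)
{
    if (n > c->obj_size)
        return -1;                 /* would read past the object */
    if (k->usercopy_flag && !(c->flags & k->usercopy_flag))
        return -1;                 /* cache not whitelisted for usercopy */
    memcpy(dst, obj, n);
    return (long)n;
}

/* Copy 15 bytes (the size in the dmesg line) out of an nv_stack_t-like object. */
long try_nv_stack_copy(const struct model_kernel *k, int patched)
{
    unsigned char obj[64] = {0}, user[64];
    struct model_cache c = { "nv_stack_t", sizeof obj, nv_stack_cache_flags(k, patched) };
    return model_copy_to_user(k, &c, user, obj, 15);
}

int main(void)
{
    printf("hardened: unpatched=%ld patched=%ld\n",
           try_nv_stack_copy(&HARDENED, 0), try_nv_stack_copy(&HARDENED, 1));
    return 0;
}
```

In real driver source the per-kernel choice is made at compile time rather than through a runtime field, for example by a preprocessor test on whether SLAB_USERCOPY is defined.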
Comment 8 Rick Farina (Zero_Chaos) gentoo-dev 2013-01-12 19:37:57 UTC
> This apparently won't compile against non-hardened sources. We could muck
> about with USE flags and kernel checks and such, or do one better and have
> the patch perform the magic.

Jer,
Due to very similar issues, the 3xx patch is conditionally applied based on the pax_kernel use flag. If you want to write a patch that doesn't require conditional application, that's fine with me, but I see very little reason for that amount of effort.

Xarthisius,
If we have a patch that helps users and doesn't hurt anyone else (because we are conditionally applying the patch or the code only activates on hardened), would you consider adding it even though we "technically don't support running X on binary drivers in hardened"? Personally I see no downside to accepting this patch; however, the drivers are yours to command...
Comment 9 Rick Farina (Zero_Chaos) gentoo-dev 2013-01-12 19:38:45 UTC
Second half of comment 8 to Cardoe as well ^^
Comment 10 Magnus Granberg gentoo-dev 2018-10-12 01:24:49 UTC
I think this can be closed
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2019-01-16 10:20:54 UTC
(In reply to Magnus Granberg from comment #10)
> I think this can be closed