Once upon a time skype made it impossible to paxmark skype's executable by doing integrity checks on startup. Without pax marking skype got killed by mprotect and skype was masked on hardened. At about June 2012 CONFIG_PAX_XATTR_PAX_FLAGS was introduced in pax kernels. That option would allow skype to be paxmarked using filesystem xattrs without modifying the executable. Since then paxmarking skype is possible and version 4.1.0.20 (and earlier) works fine with gentoo hardened. Unmask skype on hardened? Reproducible: Always Steps to Reproduce: 1. build hardened kernel with CONFIG_PAX_XATTR_PAX_FLAGS 2. successfully paxmark skype executable 3. successfully run skype
Work is ongoing to finally get Xattr base markings and blueness is working on a eclass that can be used afterwards. Until then the mask should stay.
Skype works fine with PT_PAX markings so I don't understand why this depends on bug 427888
Because that's not the case for the older versions which are also on the tree.
I believe this bug can be closed as it's for an older version. Additionally, Skype versions before 4.3 can no longer connect. (I received the email about this in Dutch, please let me know if you want a copy)
But skype-4.3.0.37 ebuild is still masked on hardened. It works fine though, if you put PAX_MARKINGS="XT". As older skype version can not connect, this is the only way I found to make skype work with hardened kernel.
