* QA Notice: The following files contain writable and executable sections
*  Files with such sections will not work properly (or at all!) on some
*  architectures/operating systems.  A bug should be filed at
*  http://bugs.gentoo.org/ to make sure the issue is fixed.
*  For more information, see http://hardened.gentoo.org/gnu-stack.xml
*  Please include the following list of files in your report:
*  Note: Bugs should be filed for the respective maintainers
*  of the package in question and not hardened@g.o.
* RWX --- --- usr/bin/proot

@hardened, your thoughts?
The problem is coming from execve/elf.c which yields an elf object with section

  [ 9] .note.GNU-stack   PROGBITS   0000000000000000  00000bed   0000000000000000  0000000000000000   X   0   0   1

It's not an assembly file so I'm not sure what in the build system is causing this. I'll have to debug it later.

Does proot work without the RWX GNU_stack? You can test by using fix-gnustack from the sys-apps/elfix package compiled with USE=ptpax.
Okay, here's the problem, elf.c generates trampolines.

elf.c: In function ‘read_ldso_rpaths’:
elf.c:334:6: warning: trampoline generated for nested function ‘get_strtab_address’ [-Wtrampolines]
elf.c:357:6: warning: trampoline generated for nested function ‘add_rpaths’ [-Wtrampolines]
elf.c:364:6: warning: trampoline generated for nested function ‘add_runpaths’ [-Wtrampolines]

So we'll leave it alone for vanilla, but for USE=pax_kernel we'll remove the X on GNU_stack and pax-mark -E to enable trampoline emulation.
(In reply to Anthony Basile from comment #2) > Okay, here's the problem, elf.c generates trampolines. > > elf.c: In function ‘read_ldso_rpaths’: > elf.c:334:6: warning: trampoline generated for nested function > ‘get_strtab_address’ [-Wtrampolines] > elf.c:357:6: warning: trampoline generated for nested function ‘add_rpaths’ > [-Wtrampolines] > elf.c:364:6: warning: trampoline generated for nested function > ‘add_runpaths’ [-Wtrampolines] > > So we'll leave it alone for vanilla, but for USE=pax_kernel we'll remove the > X on GNU_stack and pax_mark -E to enable trampolines emulation. Actually no, we can't remove X on GNU_STACK for a pax_kernel because if we do and the user reboots into a vanilla kernel, it will be broken. The best we can do is just pax-mark -E. Something like this: --- proot-3.2.1.ebuild 2013-12-06 02:09:12.000000000 -0500 +++ proot-3.2.1-r1.ebuild 2013-12-08 16:10:21.522809406 -0500 @@ -5,7 +5,7 @@ EAPI=5 MY_PN="PRoot" -inherit eutils toolchain-funcs +inherit eutils pax-utils toolchain-funcs DESCRIPTION="User-space implementation of chroot, mount --bind, and binfmt_misc" HOMEPAGE="http://proot.me" @@ -38,6 +38,7 @@ } src_install() { + pax-mark -E src/proot dobin src/proot doman doc/proot.1 dodoc doc/*.txt doc/articles/*
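Review bot: the added `pax-mark -E src/proot` in `src_install()` has no comment saying why the marking is needed, and the only record is comment #2's -Wtrampolines output; add a one-line comment above it, e.g. `# elf.c uses GCC nested functions (trampolines), needs PaX EMUTRAMP`, so a maintainer knows the marking can be dropped once upstream stops using nested functions. Placing the call before `dobin src/proot` is correct, since the installed copy carries whatever `pax-mark` wrote into the file, and note that on a non-PaX profile the eclass turns `pax-mark` into a no-op, so the unconditional call is fine without a `pax_kernel` guard.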
Thanks for the tip about pax-mark! proot upstream confirmed the presence of RWX sections and said that there was a patch for the source code for removing them (details in URL). So I'll probably roll out a new revision with pax-mark applied, until upstream releases a new version with the fix.
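The check behind the QA notice in comment #0 and the `pax-mark -E` remedy discussed in comments #3 and #4 both come down to two program headers: PT_GNU_STACK (is the stack requested executable?) and PT_PAX_FLAGS (is trampoline emulation enabled?). The following is an added example, not code from this bug, from PRoot or from pax-utils: a small ELF64 program-header inspector written from the public ELF and PaX header definitions, with three constructed (not loadable) ELF images standing in for an unfixed proot binary, a `pax-mark -E` marked one, and one built without an executable stack.

```python
"""
Report what an ELF64 binary asks of the kernel's stack handling:
  * PT_GNU_STACK flags, the "RWX" column of Gentoo's QA notice;
  * the PT_PAX_FLAGS EMUTRAMP marking that `pax-mark -E` sets.
Added example; the constants are the documented ELF / PaX values, the
sample images below are constructed for the demonstration.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # GNU stack permission request
PT_PAX_FLAGS = 0x65041580          # PT_LOOS + 0x5041580, written by pax-mark

PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
PF_EMUTRAMP = 1 << 12              # pax-mark -E: emulate GCC trampolines
PF_NOEMUTRAMP = 1 << 13            # pax-mark -e: never emulate them

ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # little-endian ELF64 header, 64 bytes
ELF64_PHDR = "<IIQQQQQQ"           # program header, 56 bytes


def parse_program_headers(data: bytes):
    """Return [(p_type, p_flags), ...] for every program header in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ehdr = struct.unpack_from(ELF64_EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    headers = []
    for i in range(e_phnum):
        # p_type and p_flags are the first two 32-bit fields of an ELF64 Phdr
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        headers.append((p_type, p_flags))
    return headers


def stack_flags(data: bytes):
    """'RWX' / 'RW-' style string for PT_GNU_STACK, or None if the header is
    missing (scanelf reports a missing header separately, and most loaders
    then fall back to an executable stack)."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_GNU_STACK:
            return "".join(c if p_flags & bit else "-"
                           for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))
    return None


def emutramp_marking(data: bytes):
    """'E' if PT_PAX_FLAGS enables trampoline emulation, 'e' if it disables
    it, '-' if present but unset, None if there is no PT_PAX_FLAGS header."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_PAX_FLAGS:
            if p_flags & PF_EMUTRAMP:
                return "E"
            if p_flags & PF_NOEMUTRAMP:
                return "e"
            return "-"
    return None


def needs_attention(data: bytes) -> bool:
    """The thread's reasoning in one predicate: an executable (or unspecified)
    stack is only tolerable on a PaX kernel when the file is marked E, because
    MPROTECT otherwise denies the trampolines a writable+executable page."""
    flags = stack_flags(data)
    if flags is None or "X" in flags:
        return emutramp_marking(data) != "E"
    return False


def build_elf(phdrs):
    """Constructed minimal ELF64 image with only the given program headers;
    enough for the parser, not something a loader would run."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = struct.pack(ELF64_EHDR, ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(ELF64_PHDR, t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return ehdr + body


# Constructed samples: unfixed proot, pax-mark -E applied, upstream-style fix.
UNFIXED = build_elf([(PT_GNU_STACK, PF_R | PF_W | PF_X)])
PAX_MARKED = build_elf([(PT_GNU_STACK, PF_R | PF_W | PF_X),
                        (PT_PAX_FLAGS, PF_EMUTRAMP)])
FIXED = build_elf([(PT_GNU_STACK, PF_R | PF_W)])


def report(data: bytes, name: str) -> str:
    return "%-12s GNU_STACK=%-4s PAX=%-4s %s" % (
        name, stack_flags(data), emutramp_marking(data),
        "needs attention" if needs_attention(data) else "ok")


if __name__ == "__main__":
    # With a path argument, inspect a real file (e.g. /usr/bin/proot);
    # otherwise walk the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read(), sys.argv[1]))
    else:
        for name, img in (("unfixed", UNFIXED), ("pax-marked", PAX_MARKED),
                          ("fixed", FIXED)):
            print(report(img, name))
```

`readelf -l` and `scanelf -e` give the same answer for real binaries; the point of the parser is to show which header bits the QA notice and `pax-mark -E` actually touch, and why the two remedies in the thread are different: clearing PF_X on PT_GNU_STACK removes the need for an executable stack (which only upstream's rewrite makes safe), while the E marking leaves the stack request alone and tells a PaX kernel to emulate the trampolines instead.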
+*proot-3.2.1-r1 (23 Dec 2013)
+
+  23 Dec 2013; Sergey Popov <pinkbyte@gentoo.org> +proot-3.2.1-r1.ebuild:
+  Revision bump: add support for hardened systems, wrt bug #493416

I have disabled some other flags to make proot work correctly on hardened systems.
Oops, wrong resolution: proot still has RWX sections; it's up to upstream to remove them. Sorry for the bugspam.
*** Bug 502382 has been marked as a duplicate of this bug. ***
Hello,

This is fixed in the latest release (v4.0.0), quote:

    PRoot does not rely on GCC C extensions anymore, like nested functions.
    That means its stack does not have to be executable (this is required
    for hardened Linux systems), and it can now be compiled with Clang.

-- https://github.com/cedric-vincent/PRoot/blob/v4.0.0/doc/proot/changelog.txt#L82

Regards, Cédric.