following warnings produced on hardened system with sys-libs/glibc-2.17 & sys-devel/gcc-4.7.3-r1

 * QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems. A bug should be filed at
 *  http://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@g.o.
 * RWX --- --- usr/bin/ceph-mds
 * RWX --- --- usr/bin/ceph-mon
 * RWX --- --- usr/bin/ceph-osd
 * RWX --- --- usr/bin/ceph-syn
 * RWX --- --- usr/bin/ceph-authtool
 * RWX --- --- usr/bin/crushtool
 * RWX --- --- usr/bin/ceph_filestore_dump
 * RWX --- --- usr/bin/ceph_filestore_tool
 * RWX --- --- usr/bin/ceph_mon_store_converter
 * RWX --- --- usr/bin/ceph-conf
 * RWX --- --- usr/bin/ceph-dencoder
 * RWX --- --- usr/bin/osdmaptool
 * RWX --- --- usr/bin/monmaptool
 * RWX --- --- usr/lib64/libcephfs.so.1.0.0
 * RWX --- --- usr/lib64/librados.so.2.0.0

hardened kernel kills all binaries linked to librados.so with

 6 12:28:05 box1 kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/ceph-conf[ceph-conf:2171] uid/euid:0/0 gid/egid:0/0, parent /usr/lib64/ceph/ceph_init.sh[ceph_init.sh:2170] uid/euid:0/0 gi

unless mprotect is disabled on the binary

Reproducible: Always

Steps to Reproduce:
1. setup hardened gentoo with grsec (MPROTECT) enabled
2. compile sys-cluster/ceph-0.72.2
3. run /usr/bin/crushtool

Actual Results:
grsec kills the process

Expected Results:
run flawless
indeed this bug is a blocker for ceph on hardened systems
I did an upgrade of another gentoo box and noticed that emerge -u1DN world (which implies a gcc/glibc upgrade) does not break ceph, while emerge -e afterward leads to the problem
+*ceph-0.77 (20 Feb 2014) +*ceph-0.72.2-r3 (20 Feb 2014) +*ceph-0.67.7 (20 Feb 2014) + + 20 Feb 2014; Yixun Lan <dlan@gentoo.org> -ceph-0.67.5-r2.ebuild, + +ceph-0.67.7.ebuild, -ceph-0.72.2-r2.ebuild, +ceph-0.72.2-r3.ebuild, + -ceph-0.75.ebuild, +ceph-0.77.ebuild, +files/ceph-fix-gnustack.patch: + bump 0.67.7, 0.77, drop old; fix bug #500514, #500974
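Review bot: the summary line "bump 0.67.7, 0.77, drop old; fix bug #500514, #500974" does not say which of the two bugs +files/ceph-fix-gnustack.patch addresses, nor which of the three added ebuilds apply it. Stating the patch next to its bug number, and noting whether 0.67.7 and 0.77 carry it as well as 0.72.2-r3, would let someone who hit the RWX QA notice confirm from the ChangeLog alone that their version is covered.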