Bug 517008 - dev-lisp/sbcl should call pax-mark in src_install()
Summary: dev-lisp/sbcl should call pax-mark in src_install()
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development
Hardware: All Linux
Importance: Normal normal
Assignee: Panagiotis Christopoulos (RETIRED)
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2014-07-12 22:48 UTC by Mira Ressel
Modified: 2015-03-07 13:16 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch for sbcl-1.2.7 ebuild adding a pax_mark call in src_install (sbcl_1.2.7_src_install_pax_mark.patch,465 bytes, patch)
2015-03-06 13:35 UTC, Mira Ressel

Description Mira Ressel 2014-07-12 22:48:28 UTC
sbcl's custom build system doesn't preserve xattrs during the install process. Therefore, xattr-based PaX markings get lost during installation.

Please call

    pax-mark -mr "${D}"/usr/bin/sbcl

in src_install() to bypass this problem. This can be done unconditionally, as it doesn't do anything on non-hardened systems.
Comment 1 Mira Ressel 2015-03-02 21:00:16 UTC
Ping.

@hardened: Please have a look at this. It's a hardened-only issue and the package maintainers are unresponsive.
Comment 2 Anthony Basile gentoo-dev 2015-03-03 00:20:15 UTC
(In reply to Luis Ressel from comment #1)
> Ping.
> 
> @hardened: Please have a look at this. It's a hardened-only issue and the
> package maintainers are unresponsive.

This looks fine.  And if you say it works then it probably needs it.  I don't use lisp so I can't say immediately.

How are the maintainers unresponsive?  Where was this first reported?

@maintainers.  This looks safe on hardened and vanilla.  The worst that can happen is that you don't get the security hardenings you might on a hardened system.  On a vanilla system, it changes nothing.
Comment 3 Andrey Grozin gentoo-dev 2015-03-03 06:05:22 UTC
I don't run hardened, and therefore I can't check if this has the desired effect on hardened. If this does not break anything on vanilla, I can commit this change.
Comment 4 Mira Ressel 2015-03-03 23:32:28 UTC
(In reply to Andrey Grozin from comment #3)
> I don't run hardened, and therefore I can't check if this has the desired
> effect on hardened. If this does not break anything on vanilla, I can commit
> this change.

Thanks! Finally this is getting somewhere.

As Anthony confirmed, this change should definitely be safe for vanilla.

@Anthony: Those PaX flags are in fact necessary. Currently, they are already applied in src_compile. Back in the PT_PAX days, this was sufficient, but as I mentioned in the initial bug description, it's not sufficient for XATTR_PAX anymore because sbcl's install.sh doesn't preserve xattrs, so the PaX markings have to be re-added afterwards.
Comment 5 Anthony Basile gentoo-dev 2015-03-06 01:35:30 UTC
(In reply to Andrey Grozin from comment #3)
> I don't run hardened, and therefore I can't check if this has the desired
> effect on hardened. If this does not break anything on vanilla, I can commit
> this change.

Hmmm.  The ebuild already has

    if host-is-pax ; then
        # To disable PaX on hardened systems
        pax-mark -mr "${bindir}"/src/runtime/sbcl

        # Hack to disable PaX on second GENESIS stage
        sed -i -e '/^echo \/\/doing warm init - compilation phase$/a\paxmark.sh -mr \.\/src\/runtime\/sbcl' \
            "${S}"/make-target-2.sh || die "Cannot disable PaX on second GENESIS runtime"
    fi

in src_compile().  Either that should be moved to src_install() and the pax-mark line changed to `pax-mark -mr "${D}"/usr/bin/sbcl` or it should be repeated there.

I tried building on my system but I hit other issues, and (sorry) I just didn't have time to push them through.

@Luis.  Can you produce a patch against one of the ebuilds that shows what would fix this for and I'll review for the lisp team.  What I really need to know is if you need to repeat the pax markings in both src_compile() and src_install() (which is yucky but you might have to do it) or you can just move that if-fi to src_install() and that's sufficient.  Make sure you test with FEATURES=test because some weirdness can happen there too.

Thanks.
Comment 6 Mira Ressel 2015-03-06 13:29:40 UTC
> @Luis.  Can you produce a patch against one of the ebuilds that shows what
> would fix this for and I'll review for the lisp team.  What I really need to
> know is if you need to repeat the pax markings in both src_compile() and
> src_install() (which is yucky but you might have to do it) or you can just
> move that if-fi to src_install() and that's sufficient.

Unfortunately, we really need a pax-mark in all three locations: The initial pax-mark, then the one we're sed'ing into the Makefile, and the one I'm proposing to add to src_install. That's because sbcl is using a multi-stage bootstrap: The first stage is compiled using a pre-compiled binary (first pax-mark in src_compile), then a second stage is compiled using the first stage (so we sed the Makefile to pax-mark the first stage binary); and then, we need another pax-mark on the binary that's going to be installed. In theory, the sed already covers this, but as I already explained, sbcl's install.sh doesn't preserve xattrs, so we have to manually re-add the pax marking afterwards.

> Make sure you test
> with FEATURES=test because some weirdness can happen there too.

Sorry, I can't -- src_test hangs on my system regardless of whether my patch is applied or not.
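
One way to check for the lost markings after installation, as an added example that is not part of the original bug report or of the sbcl ebuild: it reads the `user.pax.flags` xattr used by XATTR_PAX and reports files lacking the `m` and `r` flags that `pax-mark -mr` sets. The function names and the sample paths are assumptions made for this illustration.

```python
import errno
import os
import sys

PAX_XATTR = "user.pax.flags"  # xattr that carries XATTR_PAX markings


def read_pax_flags(path):
    """Return the PaX flag string stored on path, or None if it has no marking."""
    try:
        return os.getxattr(path, PAX_XATTR).decode("ascii", "replace")
    except OSError as exc:
        # ENODATA: the xattr is absent; ENOTSUP: the filesystem has no xattr support.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def missing_flags(flags, required="mr"):
    """Return the required flag letters absent from a user.pax.flags value.

    Case matters: lowercase m/r disable MPROTECT/RANDMMAP, uppercase enforce them.
    """
    present = set(flags or "")
    return "".join(f for f in required if f not in present)


def audit(paths, required="mr", reader=read_pax_flags):
    """Map each path whose marking lacks a required flag to the missing letters."""
    report = {}
    for path in paths:
        lacking = missing_flags(reader(path), required)
        if lacking:
            report[path] = lacking
    return report


def demo():
    # Constructed sample: the build-tree binary is marked, the installed copy
    # lost its xattr because the install step did not preserve it.
    sample = {"work/src/runtime/sbcl": "mr", "image/usr/bin/sbcl": None}
    return audit(sample, reader=sample.get)


if __name__ == "__main__":
    # With file arguments, audit real xattrs; without, show the constructed case.
    result = audit(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for path, lacking in result.items():
        print(f"{path}: missing PaX flags '{lacking}'")
```

Run against the installed binary in the image directory, an empty report means the marking survived the install step.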
Comment 7 Mira Ressel 2015-03-06 13:35:44 UTC
Created attachment 398236 [details, diff]
Patch for sbcl-1.2.7 ebuild adding a pax_mark call in src_install

Here's a patch.
Comment 8 Andrey Grozin gentoo-dev 2015-03-07 13:16:51 UTC
*sbcl-1.2.9 (07 Mar 2015)

  07 Mar 2015; Andrey Grozin <grozin@gentoo.org> +sbcl-1.2.9.ebuild,
  +files/bsd-sockets-test-1.2.9.patch:
  Version bump, commenting out one more test in bsd-sockets (#517004), adding
  pax-mark in src_install (#517008)