sbcl's custom build system doesn't preserve xattrs during the install process. Therefore, xattr-based PaX markings get lost during installation. Please call pax-mark -mr "${D}"/usr/bin/sbcl in src_install() to bypass this problem. This can be done unconditionally, as it doesn't do anything on non-hardened systems.
Ping. @hardened: Please have a look at this. It's a hardened-only issue and the package maintainers are unresponsive.
(In reply to Luis Ressel from comment #1)
> Ping.
>
> @hardened: Please have a look at this. It's a hardened-only issue and the
> package maintainers are unresponsive.

This looks fine. And if you say it works then it probably needs it. I don't use lisp so I can't say immediately. How are the maintainers unresponsive? Where was this first reported?

@maintainers. This looks safe on hardened and vanilla. The worst that can happen is that you don't get the security hardenings you might on a hardened system. On a vanilla system, it changes nothing.
I don't run hardened, and therefore I can't check if this has the desired effect on hardened. If this does not break anything on vanilla, I can commit this change.
(In reply to Andrey Grozin from comment #3)
> I don't run hardened, and therefore I can't check if this has the desired
> effect on hardened. If this does not break anything on vanilla, I can commit
> this change.

Thanks! Finally this is getting somewhere. As Anthony confirmed, this change should definitely be safe for vanilla.

@Anthony: Those PaX flags are in fact necessary. Currently, they are already applied in src_compile. Back in the PT_PAX days, this was sufficient, but as I mentioned in the initial bug description, it's not sufficient for XATTR_PAX anymore because sbcl's install.sh doesn't preserve xattrs, so the PaX markings have to be re-added afterwards.
(In reply to Andrey Grozin from comment #3)
> I don't run hardened, and therefore I can't check if this has the desired
> effect on hardened. If this does not break anything on vanilla, I can commit
> this change.

Hmmm. The ebuild already has

    if host-is-pax ; then
        # To disable PaX on hardened systems
        pax-mark -mr "${bindir}"/src/runtime/sbcl
        # Hack to disable PaX on second GENESIS stage
        sed -i -e '/^echo \/\/doing warm init - compilation phase$/a\paxmark.sh -mr \.\/src\/runtime\/sbcl' \
            "${S}"/make-target-2.sh || die "Cannot disable PaX on second GENESIS runtime"
    fi

in src_compile(). Either that should be moved to src_install() and the pax-mark line changed to `pax-mark -mr "${D}"/usr/bin/sbcl` or it should be repeated there.

I tried building on my system but I hit other issues, and (sorry) I just didn't have time to push them through.

@Luis. Can you produce a patch against one of the ebuilds that shows what would fix this for and I'll review for the lisp team. What I really need to know is if you need to repeat the pax markings in both src_compile() and src_install() (which is yucky but you might have to do it) or you can just move that if-fi to src_install() and that's sufficient. Make sure you test with FEATURES=test because some weirdness can happen there too.

Thanks.
> @Luis. Can you produce a patch against one of the ebuilds that shows what
> would fix this for and I'll review for the lisp team. What I really need to
> know is if you need to repeat the pax markings in both src_compile() and
> src_install() (which is yucky but you might have to do it) or you can just
> move that if-fi to src_install() and that's sufficient.

Unfortunately, we really need a pax-mark in all three locations: the initial pax-mark, then the one we're sed'ing into the Makefile, and the one I'm proposing to add to src_install. That's because sbcl is using a multi-stage bootstrap: the first stage is compiled using a pre-compiled binary (first pax-mark in src_compile), then a second stage is compiled using the first stage (so we sed the Makefile to pax-mark the first stage binary); and then, we need another pax-mark on the binary that's going to be installed. In theory, the sed already covers this, but as I already explained, sbcl's install.sh doesn't preserve xattrs, so we have to manually re-add the pax marking afterwards.

> Make sure you test
> with FEATURES=test because some weirdness can happen there too.

Sorry, I can't -- src_test hangs on my system regardless of whether my patch is applied or not.
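The mechanism behind this whole thread is easy to reproduce in miniature: an install step that copies only file contents silently drops an xattr-based PaX marking, so a marking applied during the build never reaches the installed binary, and only re-marking the installed path fixes it. The following is an added illustration, not code from the bug thread or from the sbcl ebuild. It uses the `user.pax.flags` attribute name that XATTR_PAX tooling writes, stands in for `pax-mark -mr` with an assumed flag value of `mr`, and models `install.sh` with a plain content copy versus a metadata-preserving copy. The `marking_is()` helper is the kind of post-install check a maintainer could run to catch the regression; on filesystems without user xattrs the walk-through reports `supported: False` instead of failing.

```python
"""Added example (not from the bug thread or the sbcl ebuild): show how an
install step that copies file contents only drops an xattr-based PaX marking,
and how re-marking the installed binary restores it."""
import errno
import os
import shutil
import tempfile

# Extended attribute name used for XATTR_PAX markings.
PAX_XATTR = "user.pax.flags"
# Assumed value standing in for the marking written by `pax-mark -mr`
# (MPROTECT and RANDMMAP disabled); the real encoding is not shown in the thread.
PAX_FLAGS_MR = b"mr"


def pax_mark(path, flags=PAX_FLAGS_MR):
    """Stand-in for `pax-mark`: store the marking as an xattr on the binary."""
    os.setxattr(path, PAX_XATTR, flags)


def pax_flags(path):
    """Return the PaX marking carried by `path`, or None if there is none."""
    if PAX_XATTR not in os.listxattr(path):
        return None
    return os.getxattr(path, PAX_XATTR)


def install_binary(src, dest, preserve_xattrs=False):
    """Model of the install step. shutil.copyfile copies file data only, like
    an install script that ignores xattrs; shutil.copy2 also copies xattrs on
    Linux, which is what a marking-preserving install would have to do."""
    if preserve_xattrs:
        shutil.copy2(src, dest)
    else:
        shutil.copyfile(src, dest)


def marking_is(path, expected=PAX_FLAGS_MR):
    """Post-install QA check: True only if the expected marking is present."""
    return pax_flags(path) == expected


def demo():
    """Walk through build -> install -> re-mark and report the marking seen at
    each step. Returns {"supported": False} where user xattrs are unavailable."""
    if not hasattr(os, "setxattr"):
        return {"supported": False}
    with tempfile.TemporaryDirectory() as work:
        build_bin = os.path.join(work, "src_runtime_sbcl")      # built runtime
        installed = os.path.join(work, "image_usr_bin_sbcl")    # ${D}/usr/bin/sbcl
        with open(build_bin, "wb") as f:
            # Constructed stand-in for the runtime binary; contents are irrelevant.
            f.write(b"\x7fELF stand-in for the sbcl runtime\n")
        try:
            pax_mark(build_bin)  # the marking applied during src_compile
        except OSError as e:
            if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                return {"supported": False}
            raise
        result = {"supported": True, "build_flags": pax_flags(build_bin)}

        # Install that copies contents only: the marking does not survive.
        install_binary(build_bin, installed)
        result["installed_flags"] = pax_flags(installed)
        result["installed_ok"] = marking_is(installed)

        # The fix proposed in the thread: mark the installed path again.
        pax_mark(installed)
        result["remarked_flags"] = pax_flags(installed)
        result["remarked_ok"] = marking_is(installed)

        # For comparison, an install that preserves xattrs keeps the marking.
        preserved = os.path.join(work, "image_preserving_copy")
        install_binary(build_bin, preserved, preserve_xattrs=True)
        result["preserving_install_flags"] = pax_flags(preserved)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run on a filesystem with user xattrs, the walk-through reports the marking present on the built binary, absent on the plainly copied one, and present again after re-marking, which is exactly why a pax-mark in src_install() is needed in addition to the ones in src_compile().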
Created attachment 398236: Patch for sbcl-1.2.7 ebuild adding a pax_mark call in src_install

Here's a patch.
*sbcl-1.2.9 (07 Mar 2015)

  07 Mar 2015; Andrey Grozin <grozin@gentoo.org> +sbcl-1.2.9.ebuild,
  +files/bsd-sockets-test-1.2.9.patch:
  Version bump, commenting out one more test in bsd-sockets (#517004), adding
  pax-mark in src_install (#517008)