Without paxmarking with "E" the seahorse binary gets killed by PaX:

[397478.359002] PAX: execution attempt in: <anonymous mapping>, 30d69acc000-30d69acd000 30d69acc000
[397478.359040] PAX: terminating task: /usr/bin/seahorse(pool):19039, uid/euid: 1000/1000, PC: 0000030d69acc160, SP: 0000030d4bf04c38
[397478.359046] PAX: bytes at PC: 49 bb c6 33 4d 63 0d 03 00 00 49 ba 60 c1 ac 69 0d 03 00 00
[397478.359071] PAX: bytes at SP-8: 0000030d00000009 0000030d63b20169 0000000000000000 0000030d63d49180 0000030d63b1edc0 0000000000000000 0000030d67aa28b0 423bfe0e137f6200 0000030d4bf05700 0000030d44002ee0 00000032cb9f4370

This is caused by libffi. >=app-crypt/seahorse-3.10 depends on >=app-crypt/p11-kit-0.19 which in turn depends on libffi (but actually this dependency is missing in the p11-kit ebuild). I can solve this problem in two ways:

1. paxctl -E on the seahorse binary.
2. append --without-libffi to econf in the p11-kit ebuild (maybe add a USE flag for this?).

If you choose 1) then please add the libffi dependency to all >=app-crypt/p11-kit-0.19 ebuilds. You can use this snippet from the gnome-shell ebuild:

if has_version '>=dev-libs/libffi-3.0.13[pax_kernel]'; then
	pax-mark E "${ED}usr/bin/seahorse"
fi
Sorry, I cannot remember why I did not file a bug against p11-kit myself. =/

(In reply to Alexander Tsoy from comment #0)
> You can use this snippet from the gnome-shell ebuild:
>
> if has_version '>=dev-libs/libffi-3.0.13[pax_kernel]'; then
>     pax-mark E "${ED}usr/bin/seahorse"
> fi

Now this should be:

if has_version '<app-crypt/p11-kit-0.20.3-r1' || has_version 'app-crypt/p11-kit[libffi]'; then
	if has_version '>=dev-libs/libffi-3.0.13[pax_kernel]'; then
		pax-mark E "${ED}usr/bin/seahorse"
	fi
fi

but since users can change p11-kit's USE flags at any moment, maybe it's worth always pax-marking the seahorse binary.
Not sure what hardened team will prefer (pax marking always or not)
If libffi doesn't have pax_kernel, the bins need to be marked with m instead of E.
Created attachment 387732 [details, diff] seahorse-3.12.2.ebuild.patch This patch works for me.
What is the status of this with 3.14? Looks like ebuild has no dependency on either libffi or p11-kit... is that wrong? :/
It's an indirect dependency (seahorse -> gcr -> p11-kit -> libffi), however since libffi still ends up linked to seahorse executable at runtime, we need to pax-mark it.
And probably the same issue affects everything that directly or indirectly links to gcr (gnome-keyring, evolution, empathy, epiphany, gnome-control-center, gnome-documents, gnome-photos, gnome-online-miners, eog if using the picasa plugin, totem if using the youtube plugin, etc. etc.)
I have this problem only with two apps: seahorse and geary.
(In reply to Alexander Tsoy from comment #8)

If geary is affected, then at least evolution is probably affected too :/
(In reply to Alexandre Rostovtsev from comment #9)

Indeed =/

[27394.770824] PAX: execution attempt in: <anonymous mapping>, 34419114000-34419119000 34419114000
[27394.779594] PAX: terminating task: /usr/libexec/evolution-user-prompter(evolution-user-):9383, uid/euid: 1000/1000, PC: 0000034419114160, SP: 000003d4cefde808
[27394.793789] PAX: bytes at PC: 49 bb 4e 6c b3 11 44 03 00 00 49 ba 60 41 11 19 44 03 00 00
[27394.802542] PAX: bytes at SP-8: 0000000000000009 0000034410e150d0 0000000000000000 0000034410e13c60 0000000000000000 00000344116ffec0 0000000000000000 073bb8a161d1be00 000003d4cefde870 0000003db442be70 000003d4cefde950

paxmarking /usr/libexec/evolution-user-prompter with 'E' fixes the problem.
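The kernel lines in comment #0 and comment #10 have the same shape, so a hardened admin can pull the killed binaries out of dmesg mechanically instead of reading each report by hand. The script below is an added example, not part of this bug or of any Gentoo ebuild: it parses "PAX: terminating task:" lines into path, pid and uid, deduplicates the binaries, and prints the paxctl command that comment #4 implies (E when libffi is built with pax_kernel, m otherwise). The PAX_LOG text is the two reports above plus one constructed duplicate line to show deduplication; the "yes"/"no" argument stands in for what has_version would answer about dev-libs/libffi[pax_kernel].

```shell
#!/bin/sh
# Added example (not from the bug report): list the binaries PaX killed for an
# execution attempt in an anonymous mapping, and the paxctl mark each one needs.

# Log lines copied from comments #0 and #10, plus one constructed duplicate
# (pid 19100) so the deduplication below has something to collapse.
PAX_LOG='[397478.359002] PAX: execution attempt in: <anonymous mapping>, 30d69acc000-30d69acd000 30d69acc000
[397478.359040] PAX: terminating task: /usr/bin/seahorse(pool):19039, uid/euid: 1000/1000, PC: 0000030d69acc160, SP: 0000030d4bf04c38
[27394.779594] PAX: terminating task: /usr/libexec/evolution-user-prompter(evolution-user-):9383, uid/euid: 1000/1000, PC: 0000034419114160, SP: 000003d4cefde808
[27394.779600] PAX: terminating task: /usr/bin/seahorse(pool):19100, uid/euid: 1000/1000, PC: 0000030d69acc160, SP: 0000030d4bf04c38'

# pax_victims: read kernel log on stdin, print "path pid uid" for every
# "terminating task" line. The comm name in parentheses is discarded.
pax_victims() {
    sed -n 's/^\[[^]]*\] PAX: terminating task: \([^(]*\)([^)]*):\([0-9]*\), uid\/euid: \([0-9]*\)\/.*/\1 \2 \3/p'
}

# pax_victim_paths: unique binary paths, one per line, sorted.
pax_victim_paths() {
    pax_victims | awk '{ print $1 }' | sort -u
}

# pax_mark_flag: mark to apply, per comment #4. $1 is "yes" when libffi is
# built with the pax_kernel USE flag (stand-in for has_version), else "no".
pax_mark_flag() {
    case "$1" in
        yes) echo E ;;
        *)   echo m ;;
    esac
}

# pax_mark_commands: print the paxctl invocation for each killed binary.
# Nothing is executed; the output is for the admin to review.
pax_mark_commands() {
    flag=$(pax_mark_flag "$1")
    pax_victim_paths | while read -r path; do
        printf 'paxctl -%s %s\n' "$flag" "$path"
    done
}

printf '%s\n' "$PAX_LOG" | pax_mark_commands yes
```

Feed real output with `dmesg | pax_mark_commands yes` (or `no` on a system whose libffi lacks pax_kernel). The parser only matches the "terminating task" line, so the "bytes at PC" and "bytes at SP-8" dumps that follow it are ignored.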
Well... another option is to add "app-crypt/p11-kit libffi" to package.use.mask on hardened profiles. The question is how long p11-kit upstream will support building without libffi.
This is a problem because the "has_version" way of dealing with this will fail to rebuild and mark the packages properly as soon as the user changes p11-kit's USE flags, for example :|