Couldn't build x11-libs/gtk+-2.24.25[abi-x86_32] in the hardened/multilib profile because of a PaX error:

[29514.997150] grsec: denied RWX mmap of /usr/lib32/opengl/xorg-x11/lib/libGL.so.1.2.0 by /var/tmp/portage/x11-libs/gtk+-2.24.25/work/gtk+-2.24.25-abi_x86_32.x86/gtk/.libs/gtk-query-immodules-2.0[gtk-query-immod:16420] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:16419] uid/euid:0/0 gid/egid:0/0

Reproducible: Always
Created attachment 387924 [details] build.log.tar.xz
Comment on attachment 387924 [details] build.log.tar.xz Why did you store a single file in a tar archive?
> Why did you store a single file in a tar archive? I couldn't upload uncompressed file because of its size.
In the past, these bugs were being marked as duplicates of bug 240956 :/
Created attachment 390518 [details, diff] gtk+-3.12.2-r1.ebuild patch to apply gtk+-3.12.2-pax.patch
Created attachment 390520 [details, diff] patch to paxmark.sh m gtk/.libs/gtk-query-immodules-3.0
I reproduced a similar problem with the nvidia OpenGL driver. It would be neat if you could please try the attached patch and let us know if it fixes the build problem for you or not.
Couldn't the pax marking be done directly in the ebuild instead of needing to patch Makefiles? (The issue with patching them is that these patches will likely be carried forever by us downstream and would need to be adapted in future version bumps. The patch is not hard but... :))
(In reply to Mark Wright from comment #6)
> Created attachment 390520 [details, diff]
The hunk for install-data-hook is not necessary since DESTDIR is always non-empty.

(In reply to Pacho Ramos from comment #8)
No-no-no! :) This would be too ugly:

src_compile() {
    emake -C gdk
    emake -C gtk/ gtk-query-immodules-${SLOT}.0
    pax-mark -m gtk/.libs/gtk-query-immodules-${SLOT}.0
    gnome2_src_compile
}
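Before deciding which binary to pax-mark (as in the src_compile sketch above), you need to pull the offending executable out of the grsec denial line. The helper below is an added example, not code from this bug or from the gtk+ ebuild: it reads grsec "denied RWX mmap" lines from stdin and prints the binary that performed the mmap together with the library that was mapped RWX, then suggests a pax-mark command for each distinct binary. The sample input is constructed from the denial quoted in comment 1 plus one made-up line for a hypothetical /usr/bin/foo; the pax-mark invocation it prints is only a suggestion to paste into an ebuild, nothing is marked by running it.

```shell
#!/bin/sh
# Constructed sample of grsec log lines (first line is the one from this
# bug report; second is a made-up denial for a hypothetical /usr/bin/foo;
# third is a non-mmap grsec message that must be ignored).
GRSEC_SAMPLE='[29514.997150] grsec: denied RWX mmap of /usr/lib32/opengl/xorg-x11/lib/libGL.so.1.2.0 by /var/tmp/portage/x11-libs/gtk+-2.24.25/work/gtk+-2.24.25-abi_x86_32.x86/gtk/.libs/gtk-query-immodules-2.0[gtk-query-immod:16420] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:16419] uid/euid:0/0 gid/egid:0/0
[29515.001000] grsec: denied RWX mmap of /usr/lib/libfoo.so by /usr/bin/foo[foo:123] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:100] uid/euid:1000/1000 gid/egid:1000/1000
[29516.000000] grsec: exec of /usr/bin/ls (ls ) by /bin/bash[bash:100] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/login[login:99] uid/euid:0/0 gid/egid:0/0'

# rwx_denials: stdin -> one "<binary> <library>" pair per RWX mmap denial.
# The binary path is everything between " by " and the "[comm:pid]" suffix,
# so paths containing '+' or '.libs' (as in this bug) are handled; paths
# containing '[' or spaces are not, which is fine for portage work dirs.
rwx_denials() {
    sed -n 's/^.*grsec: denied RWX mmap of \([^ ]*\) by \([^[]*\)\[.*$/\2 \1/p'
}

# pax_mark_suggestions: stdin -> one "pax-mark m <binary>" line per distinct
# binary that was denied an RWX mapping ("m" = disable MPROTECT, the flag
# used by the pax-mark call discussed in this bug).
pax_mark_suggestions() {
    rwx_denials | cut -d' ' -f1 | sort -u | sed 's/^/pax-mark m /'
}

# Run the parser over the constructed sample (used by the usage and the test).
rwx_denials_from_sample() {
    printf '%s\n' "$GRSEC_SAMPLE" | rwx_denials
}

pax_mark_suggestions_from_sample() {
    printf '%s\n' "$GRSEC_SAMPLE" | pax_mark_suggestions
}

# Usage on a live hardened box would be: dmesg | pax_mark_suggestions
pax_mark_suggestions_from_sample
```

On a real system feed `dmesg` (or the kernel log) into `pax_mark_suggestions`; the printed binary is the one to mark in src_compile, the library column tells you which driver (here the 32-bit libGL from the proprietary blob) is the actual source of the RWX mapping.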
And can't we just unset DISPLAY env variable? I don't have nvidia hardware, so I can't test this.
Personally I don't understand why DISPLAY is not always unset by the PM :| But we can of course unset it in the ebuild... how does it behave when DISPLAY is unset? (I don't have a nvidia setup just now to test either, my laptop is intel based :/)
Also it would be nice to test gtk+[-X,wayland], because the DISPLAY env variable likely affects only the X11 backend. :(
(In reply to Alexander Tsoy from comment #12) Ah, sorry. Looks like nvidia blob with wayland support is not yet released.
+*gtk+-3.12.2-r2 (02 Jan 2015) + + 02 Jan 2015; Pacho Ramos <pacho@gentoo.org> + +files/gtk+-3.12.2-builtin-icon.patch, +gtk+-3.12.2-r2.ebuild, + gtk+-3.14.6.ebuild: + Include image data in the builtin icon cache (#518352 by Leho Kraav, Rafał + Mużyło and more), newer gdbus-codegen needed (#500216 by Vladimir Dolzhenko), + unset DISPLAY to make tests work in more environments (#527682 by Gangræna + Gorgeous, Mark Wright and Alexander Tsoy). + Please try with this revision
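Review bot: the entry credits this bug (#527682) to "unset DISPLAY to make tests work", but the failure reported in comment 1 happens when gtk-query-immodules-2.0 is run during the build (the grsec RWX mmap denial against libGL), not in the test phase; please say in the entry whether DISPLAY is also unset for src_compile, otherwise the bug reference overstates what the revision fixes. A "Please try with this revision" request belongs in the comment, not appended to the ChangeLog hunk.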
Created attachment 397168 [details, diff] files/gtk+-2.24.25-pax.patch
I'm experiencing this annoying bug as well, probably due to the nVidia proprietary blob using RWX memory. Since I need gtk-2 in order to use Steam, I wrote a very similar patch for gtk-2.25.25, which I will attach to this post. The patches have been tested on my own system running gentoo hardened w/ PaX and the nvidia proprietary blob driver, and they seem to fix the issue for me.
Created attachment 397170 [details, diff] gtk+-2.24.25.ebuild.patch
For Mesa, I think we need to disable the assembly for hardened. I'll start a thread with the hardened team.
Is there anything I can do to help here? I'm hitting this failure on a stable box.
(In reply to Matt Turner from comment #18)
> For Mesa, I think we need to disable the assembly for hardened. I'll start a
> thread with the hardened team.
We already disable most of the asm in Mesa for x86. The problem with Mesa/proprietary blob is that some of the drivers use RWX memory, and that doesn't work well with PaX and mprotect, and the code is most of the time in the GL lib.
Is this still a problem?