Created attachment 391420 [details] emerge --info output

As the subject says, the firefox 31.3.0 build fails (actually quite early) with some python errors and a message about virtualenv. The previous ESR was fine.
Created attachment 391422 [details] build.log
Ah, it appears that this has to do with CONFIG_GRKERNSEC_TPE_ALL and FEATURES=userpriv. I recently enabled that again due to upcoming changes mentioned in bug 519566 making this easier to deal with in the near future. Those changes (specifically making ${T} non-group-writable) have not landed yet, but I don't think that it would make a difference here anyway. The compile phase here tries to execute some things out of world-writable /dev/shm, which is (rightly) disallowed as a security issue.

(Since there often seems to be confusion on this point, I should emphasize that the problem is with TPE_ALL, not TPE, and these are different protections. It is possible and in fact necessary to exempt the portage user from TPE. However, the main purpose of TPE_ALL is to prevent trusted users from accidentally executing files placed in their $PATH by an attacker, and for that reason it is impossible to exempt anyone besides root from this protection.)

Here are the actual grsec messages:

[ 556.555840] grsec: denied untrusted exec (due to file in world-writable directory) of /dev/shm/ffiNyLs6e by /var/tmp/portage/www-client/firefox-31.3.0/work/mozilla-esr31/obj-x86_64-pc-linux-gnu/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
[ 556.556287] grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/www-client/firefox-31.3.0/homedir/ffiJTvf6p by /var/tmp/portage/www-client/firefox-31.3.0/work/mozilla-esr31/obj-x86_64-pc-linux-gnu/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
[ 556.557743] grsec: denied untrusted exec (due to file in world-writable directory) of /dev/shm/ffi5Ukc6A by /var/tmp/portage/www-client/firefox-31.3.0/work/mozilla-esr31/obj-x86_64-pc-linux-gnu/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
[ 556.560681] grsec: denied untrusted exec (due to file in world-writable directory) of /dev/shm/ffijmbt6L by /var/tmp/portage/www-client/firefox-31.3.0/work/mozilla-esr31/obj-x86_64-pc-linux-gnu/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
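
One way to triage denials like the ones quoted above when a build fails under TPE_ALL, as an added example that is not part of the original bug report: a Python parser for the "grsec: denied untrusted exec" message format, grouping denials by reason, directory and uid. The function names are hypothetical and the sample lines are constructed, modeled on the messages in the report with shortened paths.

```python
import re
from collections import Counter

# Matches the grsecurity denial format quoted in the report above.
DENIAL = re.compile(
    r"grsec: denied untrusted exec \(due to file in (?P<reason>[\w-]+) directory\) "
    r"of (?P<target>\S+) by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

# Constructed sample kernel log (not real output); the last line is unrelated noise.
SAMPLE = """\
[  556.555840] grsec: denied untrusted exec (due to file in world-writable directory) of /dev/shm/ffiAAAAAA by /var/tmp/portage/example/work/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
[  556.556287] grsec: denied untrusted exec (due to file in group-writable directory) of /var/tmp/portage/example/homedir/ffiBBBBBB by /var/tmp/portage/example/work/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
[  556.557743] grsec: denied untrusted exec (due to file in world-writable directory) of /dev/shm/ffiCCCCCC by /var/tmp/portage/example/work/_virtualenv/bin/python2.7[python2.7:4377] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:4375] uid/euid:250/250 gid/egid:250/250
[  556.600000] EXT4-fs (sda1): re-mounted. Opts: (null)
"""


def parse_denials(log_text):
    """Return one dict per untrusted-exec denial found in log_text."""
    denials = []
    for match in DENIAL.finditer(log_text):
        entry = match.groupdict()
        # The directory is what TPE_ALL objected to, not the file itself.
        entry["directory"] = entry["target"].rsplit("/", 1)[0] or "/"
        for key in ("pid", "uid", "euid"):
            entry[key] = int(entry[key])
        denials.append(entry)
    return denials


def summarize(denials):
    """Count denials per (reason, directory, uid)."""
    return Counter((d["reason"], d["directory"], d["uid"]) for d in denials)


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE))
    for (reason, directory, uid), count in summary.most_common():
        print(f"{count:3d}  uid={uid}  {reason:15s} {directory}")
```
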
There are known issues with python libffi and Gentoo Hardened but I can't recall the details. I'm CCing them.
Version dropped from tree