After switching to Gentoo Hardened, I can no longer install gnustep-base: the configuration stage fails when checking for libffi because of a violation of MPROTECT policy in ${WORKDIR}/${P}/conftest. Reproducible: Always Steps to Reproduce: 1. Boot a hardened-4.2.5-r1 kernel with MPROTECT enabled 2. Try to `emerge -1 gnustep-base` with USE="icu libffi ssl -debug -doc -zeroconf" Actual Results: Emerge bails out with an 'econf failed'. config.log says "configure: error: The ffi library (libffi) does not appear to be working." The actual error record is "./configure: line 24382: 4245 Killed ./conftest$ac_exeext" system logs say : "PAX: execution attempt in: <anonymous mapping> ... PAX: terminating task: /var/tmp/portage/gnustep-base/gnustep-base-1.24.8/work/gnustep-base-1.24.8/conftest(conftest):4245" Expected Results: Successful configuration, compilation and installation I should probably mention that I'm using a custom hardened/desktop profile, but I didn't manage to find any related USE masks/etc. that could fail to be applied. My profile is basically a child of: ../../../../portage/profiles/default/linux/amd64/13.0/desktop/plasma/systemd ../../../../portage/profiles/hardened/linux/amd64
Created attachment 416270 [details] My emerge --info
Created attachment 416272 [details] config.log
Created attachment 416274 [details] build.log
Thanks for the report! I know that all the libffi parts are very sensitive on PaX kernels, but nowadays it should work OK. Can you double-check all depending packages have been built correctly with USE=pax_kernel (especially libffi itself)?
(In reply to Bernard Cafarelli from comment #4) > Thanks for the report! > > I know that all the libffi parts are very sensitive on PaX kernels, but > nowadays it should work OK. > Can you double-check all depending packages have been built correctly with > USE=pax_kernel (especially libffi itself)? Yes, I recompiled @world right after switching to hardened, gnustep-base is the only package that failed to build; libffi installs perfectly fine. A dirty solution I used to make it merge is simply disabling MPROTECT on conftest in the configure script: once installed, the library seems to work just fine (I need it for app-arch/unar, which I'm not experiencing any issues with).
Oops, my bad. After I recompiled libffi again, everything installs just OK. NOTABUG.
Same problem here, tried both version 1.24.6-r1 and version 1.24.8-r1 of gnustep-base. Recompiling libffi (3.0.13-r1 or 3.2.1) does not fix the problem, USE=pax_kernel is enabled.