grep julia /var/log/grsec.log | sort -u
Jan 17 12:25:32 tor-relay kernel: [747452.749659] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250
Jan 17 12:25:32 tor-relay kernel: [747452.749718] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250
Jan 17 12:25:32 tor-relay kernel: [747452.755809] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250
Jan 17 12:25:32 tor-relay kernel: [747452.766068] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250
Jan 17 12:25:32 tor-relay kernel: [747452.766112] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250
Jan 17 12:25:32 tor-relay kernel: [747452.766146] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250
Jan 17 12:25:32 tor-relay kernel: [747452.766177] grsec: From 78.54.138.198: denied RWX mmap of <anonymous mapping> by /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772] uid/euid:250/250 gid/egid:250/250, parent /home/tinderbox/images/amd64-plasma-unstable_20160110-213121/bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250

$ cat ./info.txt
-----------------------------------------------------------------
This is an unstable amd64 chroot image (named amd64-plasma-unstable_20160110-213121) at a hardened host acting as a tinderbox.
-----------------------------------------------------------------
Portage 2.2.26 (python 3.4.3-final-0, default/linux/amd64/13.0/desktop/plasma, gcc-5.3.0, glibc-2.22-r1, 4.3.3-hardened-r4 x86_64)
=================================================================
System uname: Linux-4.3.3-hardened-r4-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem: 16164680 total, 4361492 free
KiB Swap: 16777212 total, 16728208 free
Timestamp of repository gentoo: Sat, 16 Jan 2016 15:23:05 +0000
sh bash 4.3_p42-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
distcc 3.2rc1 x86_64-pc-linux-gnu [disabled]
app-shells/bash: 4.3_p42-r1::gentoo
dev-java/java-config: 2.2.0::gentoo
dev-lang/perl: 5.22.1::gentoo
dev-lang/python: 2.7.11-r2::gentoo, 3.4.3-r7::gentoo, 3.5.1-r2::gentoo
dev-util/cmake: 3.4.1::gentoo
dev-util/pkgconfig: 0.29::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.20.2::gentoo
sys-apps/sandbox: 2.10-r1::gentoo
sys-devel/autoconf: 2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake: 1.9.6-r4::gentoo, 1.11.6-r2::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r1::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo
sys-devel/gcc: 4.2.4-r1::gentoo, 4.9.3::gentoo, 5.3.0::gentoo
sys-devel/gcc-config: 1.8::gentoo
sys-devel/libtool: 2.4.6-r1::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc: 2.22-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.de.gentoo.org/gentoo-portage/
    priority: 1

local
    location: /usr/local/portage
    masters: gentoo
    priority: 2

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.3/conf /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/games/angband/gamedata/ /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/tmp/distfiles"
EMERGE_DEFAULT_OPTS="--verbose-conflicts --deep --color=n --nospinner --tree --quiet-build --accept-properties=-interactive --accept-restrict=-fetch"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo rsync://mirror.netcologne.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gor.bytemark.co.uk/gentoo/ rsync://ftp.snt.utwente.nl/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alisp alsa amd64 berkdb bluetooth branding bzip2 cairo cdb cdda cdr cli compat consolekit cracklib crypt cups cxx dbus declarative designer dri dts dvd dvdr egl eglfs emboss encode exif fam firefox flac fortran gdbm gif glamor gpm gtk gudev iconv icu ipv6 jadetex jpeg kde kerberos kipi lcms ldap libnotify mad melt minizip mmx mmxext mng modules mp3 mp4 mpeg multilib mysql ncurses nls nptl objc ogg ois opengl openmp pam pango pax_kernel pcre pcre16 pdf phonon plasma png policykit postscript ppds qml qt3support qt4 qt5 readline sddm sdl seccomp semantic-desktop session spell spice sse sse2 ssh-askpass ssl ssse3 startup-notification svg tcpd tiff tk truetype udev udisks unicode upower usb usbredir vaapi video vorbis widgets x264 xattr xcb xcomposite xinerama xinetd xml xmlreader xscreensaver xv xvfb xvid zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_GB"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_4"
RUBY_TARGETS="ruby20 ruby21"
USERLAND="GNU"
VIDEO_CARDS="intel i965"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 423128 [details] dev-lang:julia-0.4.3:20160117-112354.log
Created attachment 423130 [details] emerge-history.txt
Created attachment 423132 [details] environment
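An added example, not part of the original report: a small parser for the "denied RWX mmap" grsec lines quoted above that groups denials by offending binary and, for binaries under a Portage build tree, reports the package and any bundled component under `deps/`. The sample lines are constructed (shortened paths, a documentation IP address, a hypothetical `/usr/bin/examplejit`), and the `deps/<component>/` layout is assumed from the path in this report.

```python
import re

# Message format as it appears in the grsec log quoted in this report.
DENIED = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied RWX mmap of (?P<target>.+?) by "
    r"(?P<exe>/\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, parent /"
)
# Portage build tree: <root>/var/tmp/portage/<category>/<pkg-version>/work/<rest>
BUILD = re.compile(r"/var/tmp/portage/(?P<pkg>[^/]+/[^/]+)/work/(?P<rest>.+)$")
# Bundled copy under deps/<component>/ (assumed from the path in this report).
BUNDLED = re.compile(r"(?:^|/)deps/(?P<component>[^/]+)/")

def parse(line):
    """Return a dict for one denied-RWX-mmap line, or None for other lines."""
    m = DENIED.search(line)
    if not m:
        return None
    ev = m.groupdict()
    build = BUILD.search(ev["exe"])
    bundled = BUNDLED.search(build.group("rest")) if build else None
    ev["package"] = build.group("pkg") if build else None
    ev["bundled"] = bundled.group("component") if bundled else None
    return ev

def summarize(lines):
    """Map (comm, package, bundled) -> (denial count, distinct process count)."""
    seen = {}
    for ev in filter(None, map(parse, lines)):
        key = (ev["comm"], ev["package"], ev["bundled"])
        count, pids = seen.get(key, (0, set()))
        seen[key] = (count + 1, pids | {ev["pid"]})
    return {k: (n, len(p)) for k, (n, p) in seen.items()}

# Constructed sample lines (shortened paths, documentation IP address).
_TAIL = " uid/euid:250/250 gid/egid:250/250, parent /bin/bash[sh:5771] uid/euid:250/250 gid/egid:250/250"
_JIT = ("/chroot/var/tmp/portage/dev-lang/julia-0.4.3/work/julia-0.4.3"
        "/deps/pcre2-10.20/.libs/pcre2_jit_test[pcre2_jit_test:5772]")
SAMPLE = [
    "Jan 17 12:25:32 host kernel: [747452.749659] grsec: From 192.0.2.10: denied RWX mmap of <anonymous mapping> by " + _JIT + _TAIL,
    "Jan 17 12:25:32 host kernel: [747452.749718] grsec: From 192.0.2.10: denied RWX mmap of <anonymous mapping> by " + _JIT + _TAIL,
    "Jan 17 12:25:40 host kernel: [747460.100000] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/examplejit[examplejit:6001]" + _TAIL,
    "Jan 17 12:25:41 host kernel: [747461.000000] unrelated kernel message",
]

if __name__ == "__main__":
    for key, (events, procs) in summarize(SAMPLE).items():
        print(key, "denials:", events, "processes:", procs)
```

Because each log line carries its own kernel timestamp, `sort -u` does not collapse repeats; grouping by binary and PID shows how many distinct processes were actually denied.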
julia heavily relies on JIT compilation techniques (using LLVM). I do not see any feasible way to make this compatible with a sys-kernel/hardened-sources kernel with enabled W^X page protection.

For the record: dev-lang/julia compiles and runs fine on a hardened profile without a hardened kernel:

Portage 2.2.26 (python 3.4.3-final-0, hardened/linux/amd64, gcc-5.3.0, glibc-2.21-r1, 4.4.0-gentoo x86_64)
=================================================================
System uname: Linux-4.4.0-gentoo-x86_64-Intel-R-_Core-TM-_i7-4700MQ_CPU_@_2.40GHz-with-gentoo-2.2
KiB Mem: 16337848 total, 474572 free
KiB Swap: 0 total, 0 free
sh bash 4.3_p42-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.1.9 [disabled]
app-shells/bash: 4.3_p42-r1::gentoo
dev-lang/perl: 5.20.2::gentoo
dev-lang/python: 2.7.10-r1::gentoo, 3.4.3-r1::gentoo
dev-util/ccache: 3.1.9-r4::gentoo
dev-util/cmake: 3.4.0-r1::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.18.4::gentoo
sys-apps/sandbox: 2.6-r1::gentoo
sys-devel/autoconf: 2.13::gentoo, 2.69::gentoo
sys-devel/automake: 1.9.6-r4::gentoo, 1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo
sys-devel/gcc: 5.3.0::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc: 2.21-r1::gentoo
Repositories:

crossdev
    location: /var/lib/crossdev
    masters: gentoo
    priority: -2000

gentoo
    location: /srv/gentoo
    sync-type: git
    sync-uri: git+ssh://git@git.gentoo.org/repo/gentoo.git
    priority: -1000

betagarden
    location: /srv/betagarden
    sync-type: git
    sync-uri: git+ssh://git@git.gentoo.org/proj/betagarden.git
    masters: gentoo

science
    location: /srv/science
    sync-type: git
    sync-uri: git+ssh://git@git.gentoo.org/proj/sci.git
    masters: gentoo

tamiko
    location: /srv/tamiko
    sync-type: git
    sync-uri: git+ssh://git@git.gentoo.org/repo/dev/tamiko.git
    masters: gentoo

haskell
    location: /var/lib/layman/haskell
    masters: gentoo
    priority: 50

kde
    location: /var/lib/layman/kde
    masters: gentoo
    priority: 50

multimedia
    location: /var/lib/layman/multimedia
    masters: gentoo
    priority: 50

x11
    location: /var/lib/layman/x11
    masters: gentoo
    priority: 50

Installed sets: @basesystem, @crossdev, @desktop, @desktop-kde, @development, @games, @haskell, @texlive, @zoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/portage/package.accept_keywords/zz_local /etc/portage/package.license/zz_local /etc/portage/package.unmask/zz_local /etc/portage/package.use/zz_local /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--oneshot --ask --with-bdeps=y --buildpkg=y --jobs=6 --keep-going --autounmask-write"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg cgroup config-protect-if-modified distlocks fakeroot fixlafiles ipc-sandbox merge-sync network-sandbox news parallel-fetch parallel-install preserve-libs protect-owned sandbox sfperms sign splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://lug.mtu.edu/gentoo/ http://mirror.iawnet.sandia.gov/gentoo/"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8 -l10"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi afs alsa amd64 bashcomp berkdb bluetooth bzip2 caps cddb cdr cli cracklib crypt cups cxx dbus doc dri dvd dvdr dvdread encode exif ffmpeg flac gdbm gif gstreamer hardened iconv ipv6 jack jpeg justify kdbus kerberos lcms mad matroska mmx mmxext modules mp3 mpeg mplayer multilib ncurses networkmanager nls nptl ogg opengl openmp pam pax_kernel pcre phonon pic pie png policykit pulseaudio qt3support qt4 raw readline resolvconf samba seccomp session sse sse2 ssl ssp svg systemd tcpd theora tiff truetype udev unicode urandom vaapi vdpau vim-syntax vorbis wayland x264 xattr xft xinerama xtpax xv xvid zlib zsh-completion"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="*"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="pc efi-64"
INPUT_DEVICES="evdev synaptics joystick"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_US"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_4"
QEMU_SOFTMMU_TARGETS="*"
QEMU_USER_TARGETS="*"
RUBY_TARGETS="ruby20 ruby21"
USERLAND="GNU"
VIDEO_CARDS="intel nouveau"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LANG, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ah - right, I'll exclude this package now here at the tinderbox.
The julia ebuild already applies appropriate PaX markings to disable the PaX restrictions for the julia binaries, so julia ought to work fine on hardened systems, too. The build failure of dev-lang/julia-0.4.3 happens during the compilation of the bundled pcre2 package, which also has problems with PaX. The cleanest approach to solve this would be to un-bundle pcre2 and equip its ebuild with a 'jit' USE flag (toggling the --enable-jit configure option). Therefore, could you please attempt to un-bundle pcre2?
pcre2 is available in the tree as dev-libs/libpcre2, so unbundling shouldn't be too hard.