I have a server using kvm to boot multiple guest machines. server is currently running hardend-sources 4.7.10 (newer versions installed, but I haven't rebooted the server in a while) and qemu 2.9.0-r2. I recently restarted one of VMs and received this error message: # virsh start dev.c1pher.com error: Failed to start domain dev.c1pher.com error: unsupported configuration: QEMU 2.9.0 is too new for help parsing At first I thought it was a QEMU issue, so I tried downgrading to 2.8.1, but still received the same error. I then found this in the kernel log: May 27 16:51:12 c2 kernel: [17956773.881279] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:5560] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 May 27 16:51:12 c2 kernel: [17956773.881317] grsec: Segmentation fault occurred at 00007571a0bbb000 in /usr/bin/qemu-system-x86_64[qemu-system-x86:5560] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 After some digging and experimenting, I found that this fixed the issue: # Convert PAX flags to current format paxctl -c /usr/bin/qemu-system-x86_64 # Disable MEMPROTECT paxctl -m /usr/bin/qemu-system-x86_64 # For reference, output list of current flags paxctl -v /usr/bin/qemu-system-x86_64 PaX control v0.9 - PaX flags: -----m-x-e-- [/usr/bin/qemu-system-x86_64] MPROTECT is disabled RANDEXEC is disabled EMUTRAMP is disabled VM started fine after that. I upgraded to QEMU 2.9.0 and it broke again, but after running the above once more I was able to start it up. I'm nowhere near knowledgeable enough about this stuff to state that this is a gentoo problem and not an issue with my particular server, but based on current observations it appears that the correct flags are not being set on the QEMU binaries by portage, and each upgrade effectively breaks my VMs. Would appreciate someone looking into this. I'm happy to provide more info or test anything - just let me know what you'd like. Thanks.
PT PaX marking was dropped from binutils. You should switch to XATTR PaX marking. https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX
(In reply to Alexander Tsoy from comment #1) > PT PaX marking was dropped from binutils. Sorry, wording is incorrect. I mean binutils no longer create PT_PAX_FLAGS program header. pax-mark() from pax-utils.eclass also no longer try to create/convert PT_PAX_FLAGS header.
Hardened-sources no longer in the tree