Created attachment 539686
chromium-68-ebuild.patch

Ebuilds for chromium from release series 68.0 and above removed a critical piece of code in src_compile, reintroducing the problem seen in #605940 and therefore preventing the build of chromium under a grsecurity kernel with CONFIG_PAX_MPROTECT enabled (which should be the case in most grsecurity deployments).

I'm attaching a patch for consideration, which reintroduces the code snippet making the build process work again under grsecurity kernels. For reference, this code snippet is also still present in the ebuild for chromium-67.0.3396.87.
I am no longer supporting PaX kernels.
I understand, but the current ebuilds still run a pax-mark on the final chrome binary anyway. The patch I provided is essentially pax-marking two extra intermediate build products of the compile process. Is there any harm in doing that? Especially since we're talking about reintroducing code that already exists in stable chromium ebuilds (series 67), so not something new and potentially problematic.
Building the software in 3 phases makes it very difficult for me to get an accurate progress estimate while the build is taking place. It also has a tendency to defer dependency errors to later in the build process. Those issues could be resolved by patching the build system to pax-mark the intermediate binaries, and I would accept a patch to do that. Calling pax-mark once on the final binary doesn't interfere with my maintenance of the ebuild, so I left it in place. It may also be useful for building binaries on a non-PaX system that could later be installed on a PaX system.
*** Bug 662616 has been marked as a duplicate of this bug. ***
(In reply to Guillaume Ceccarelli from comment #0)
> Created attachment 539686
> chromium-68-ebuild.patch

This (deleted) patch works, thanks. Can you please attach it again, because for now this is the only way to update chromium on hardened, and the ability to update the browser is important for security.
Nothing was deleted. Just click the "show obsolete" link.
*** Bug 663514 has been marked as a duplicate of this bug. ***
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5f6bd220d80055d4706b3832f0452d7ed18509c

commit e5f6bd220d80055d4706b3832f0452d7ed18509c
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2018-08-25 20:26:37 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2018-08-25 20:26:55 +0000

    www-client/chromium: restore pax-mark of intermediate targets

    Closes: https://bugs.gentoo.org/661282
    Package-Manager: Portage-2.3.47, Repoman-2.3.10_p41

 www-client/chromium/chromium-68.0.3440.106.ebuild | 12 ++++++++++++
 www-client/chromium/chromium-68.0.3440.75.ebuild  | 12 ++++++++++++
 www-client/chromium/chromium-69.0.3497.42.ebuild  | 12 ++++++++++++
 www-client/chromium/chromium-70.0.3521.2.ebuild   | 12 ++++++++++++
 4 files changed, 48 insertions(+)