Bug 75309 - missing CHPAX_CONSERVATIVE_FLAGS environment variable in blackdown-jdk-1.4.2.01
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High critical
Assignee: Java team
Reported: 2004-12-22 06:44 UTC by Csaba Tóth
Modified: 2005-01-24 12:04 UTC (History)
Description Csaba Tóth 2004-12-22 06:44:01 UTC
The blackdown-jdk-1.4.2.01.ebuild script is missing a variable: CHPAX_CONSERVATIVE_FLAGS. Without it, on a hardened-dev kernel the java bins crash with a heap error. I need to fix it manually with the `chpax -rsp /opt/blackdown-jdk-1.4.2.01/bin/java` command. This command is inside (at the end of) the ebuild script, but the setting of the variable is missing.
When this line is put at the top of the script, it will be OK:

CHPAX_CONSERVATIVE_FLAGS="rsp"

You use it, but you don't set it, this is the problem.

Reproducible: Always
Steps to Reproduce:
1. emerge blackdown-jdk




Portage 2.0.51-r8 (hardened/x86/2.6, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.7-hardened-r9 i686)
=================================================================
System uname: 2.6.7-hardened-r9 i686 Pentium III (Katmai)
Gentoo Base System version 1.6.8
Python:              dev-lang/python-2.3.4 [2.3.4 (#1, Oct 15 2004, 14:16:20)]
dev-lang/python:     2.3.4
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.8.5-r2, 1.6.3, 1.7.9, 1.4_p6, 1.9.3
sys-devel/binutils:  2.15.92.0.2-r2
sys-devel/libtool:   1.5.10-r2
virtual/os-headers:  2.6.8.1-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=i686 -mtune=i686 -fPIC -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -mtune=i686 -fPIC -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache distlocks fixpackages sandbox"
GENTOO_MIRRORS="http://gentoo.mirror.icd.hu/ http://www.gigaload.org/gentoo.org/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://mirror.nutsmaas.nl/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://212.219.56.146/sites/www.ibiblio.org/gentoo/ http://linux.rz.ruhr-uni-bohum.de/download/gentoo-mirror/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="aac accounting acl acpi4linux adns apache2 apm bcmath berkdb bzlib calendar cdparanoia cdr cdrom clamac clamav crypt ctype cups curl curlwrappers dba dbase dbm devfs devfs26 dhcp dio dlloader dv dvb dvd dvdr dvdread encode erandom exif f77 fam freetype fs ftp gcj gd gdbm geoip gif gmp gnutls hal hardened iconv image imagemagick imap inifile innodb intl ipv6 java javascript jikes jpeg jpeg2k junit jython ldap lesstif libg++ libwww live lm_sensors lzo lzw lzw-tiff mcal memlimit mhash mime mmap mmx mmx2 mng mp3 mpeg mpeg4 ncurses nethack network nls nptl ntlm objc odbc oggvorbis openal openssh pam parse-clocks pcap pcntl pcre pdf pdflib perl pic pie png pnp posix postgres pthreads pwdb python readline recode samba sasl shared sharedmem simplexml skey slang slp smime sms snmp sockets softquota spell squid ssl svg sysvipc tcpd threads tiff transcode truetype type1 unicode usb userlocales virus-scan wmf x86 xfs xinetd xml xml2 xmlrpc xpm zlib"
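
The defect described in the report above, a chpax flag variable that is used but never set, can be caught mechanically before an ebuild ships. The check below is an added example, not part of the original report or of the Gentoo ebuild; the ebuild fragments, the `pkg_postinst` placement and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example. The ebuild fragments below are constructed for illustration;
# they are not the real blackdown-jdk ebuild.

# Print each variable used as the flag argument of a chpax call
# (chpax -${VAR} ... or chpax -$VAR ...) that the file never assigns.
unset_chpax_flag_vars() {
    file=$1
    grep -v '^[[:space:]]*#' "$file" |
    sed -nE 's/.*chpax[[:space:]]+-\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?.*/\1/p' |
    sort -u |
    while read -r var; do
        # An assignment is VAR=... at line start, optionally indented/exported.
        grep -qE "^[[:space:]]*(export[[:space:]]+)?${var}=" "$file" ||
            printf '%s\n' "$var"
    done
}

# Write two constructed fragments: one reproducing the reported defect,
# one with the reporter's one-line fix applied.
make_samples() {
    dir=$1
    cat > "$dir/broken.ebuild" <<'EOF'
pkg_postinst() {
    chpax -${CHPAX_CONSERVATIVE_FLAGS} /opt/blackdown-jdk-1.4.2.01/bin/java
}
EOF
    cat > "$dir/fixed.ebuild" <<'EOF'
CHPAX_CONSERVATIVE_FLAGS="rsp"
pkg_postinst() {
    chpax -${CHPAX_CONSERVATIVE_FLAGS} /opt/blackdown-jdk-1.4.2.01/bin/java
}
EOF
}

# When called with file names, lint each of them.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        for v in $(unset_chpax_flag_vars "$f"); do
            printf '%s: %s is used as a chpax flag but never set\n' "$f" "$v"
        done
    done
fi
```

In the broken fragment the flag argument expands to a bare `-`, which names no PaX flag, so the JVM binary keeps the default restrictions that the reporter had to lift by hand.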
Comment 1 Wojciech Potentas 2005-01-13 07:41:29 UTC
This bug prevents the "emerge world" or "emerge system" command from being successfully completed on gentoo-dev-hardened sources with PaX or GrSec-chroot (even gentoo-sources) jail enabled. The case is as just written: javac is being killed for resource overstep. The package which returns the error is the one right after blackdown-jdk: db4.
Comment 2 solar (RETIRED) gentoo-dev 2005-01-13 07:55:30 UTC
hardened does not maintain java. java is not in any of our default profiles.
We have stated in several bugs what must be done to work around java. It's now up to our java team to do the right thing.

Reassigning to java@
Comment 3 Karl Trygve Kalleberg (RETIRED) gentoo-dev 2005-01-13 14:26:29 UTC
I guess we should be more explicit about not having the capacity to maintain java for hardened systems.
Comment 4 Jan Brinkmann (RETIRED) gentoo-dev 2005-01-24 12:04:11 UTC
fixed, thanks for the report.