Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 920838 - dev-lang/ghc-9.2.8 fails to prepare source on PaX enabled systems USE=-ghcbootstrap
Summary: dev-lang/ghc-9.2.8 fails to prepare source on PaX enabled systems USE=-ghcboo...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo's Haskell Language team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-27 23:22 UTC by Attila Tóth
Modified: 2023-12-28 03:36 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
ghc-9.2.8.ebuild.2.diff (ghc-9.2.8.ebuild.2.diff,844 bytes, patch)
2023-12-27 23:23 UTC, Attila Tóth 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Attila Tóth 2023-12-27 23:22:24 UTC 
>>> Preparing source in /var/tmp/portage/dev-lang/ghc-9.2.8/work/ghc-9.2.8 ...
renamed '/var/tmp/portage/dev-lang/ghc-9.2.8/work/ghc-9.0.2-r4/image/usr' -> '/var/tmp/portage/dev-lang/ghc-9.2.8/work/usr'
 * XATTR_PAX marking -m /var/tmp/portage/dev-lang/ghc-9.2.8/work/usr/lib64/ghc-9.0.2/bin/ghc with paxctl-ng
/var/tmp/portage/dev-lang/ghc-9.2.8/work/usr/lib64/ghc-9.0.2/bin/ghc-pkg: error while loading shared libraries: libHSrts-ghc9.0.2.so: cannot enable executable stack as shared object requires: Permission denied
 * ERROR: dev-lang/ghc-9.2.8::gentoo failed (prepare phase):
 *   failed to update cache after relocation
 *
 * Call stack:
 *     ebuild.sh, line  136:  Called src_prepare
 *   environment, line 4501:  Called relocate_ghc '/var/tmp/portage/dev-lang/ghc-9.2.8/work' '9.0.2'
 *   environment, line 4241:  Called die
 * The specific snippet of code:
 *       "$gp_back" recache || die "failed to update cache after relocation";
 *

kernel: grsec: [localhost] denied RWX mprotect of <stack> by /var/tmp/portage/dev-lang/ghc-9.2.8/work/usr/lib64/ghc-9.0.2/bin/ghc-pkg[ghc-pkg:12262] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[bash:12122] uid/euid:250/250 gid/egid:250/250

Reproducible: Always




An additional pax-marking for ghc-pkg must be added on top of ghc already there.
--- ghc-9.2.8.ebuild-orig       2023-12-27 11:10:23.000000000 +0100
+++ ghc-9.2.8.ebuild-dwok       2023-12-27 11:11:31.663711076 +0100
@@ -555,6 +555,7 @@ src_prepare() {
                        # ghci uses mmap with rwx protection at it implements dynamic
                        # linking on it's own (bug #299709)
                        pax-mark -m "${WORKDIR}/usr/$(get_libdir)/${PN}-${bin_pv}/bin/ghc"
+                       pax-mark -m "${WORKDIR}/usr/$(get_libdir)/${PN}-${bin_pv}/bin/ghc-pkg"
                fi
        fi


I'd also suggest some pax-markings for ghc-pkg and ghc-cabal after compilation, however the changes may be redundant:
@@ -865,6 +866,12 @@ src_compile() {
                fi
                # 3. and then all the rest
                emake all
+               pax-mark -m utils/ghc-pkg/dist/build/tmp/ghc-pkg
+               pax-mark -m utils/ghc-pkg/dist-install/build/tmp/ghc-pkg
+               pax-mark -m inplace/lib/bin/ghc-pkg
+               pax-mark -m utils/ghc-cabal/dist/build/tmp/ghc-cabal
+               pax-mark -m utils/ghc-cabal/dist-install/build/tmp/ghc-cabal
+               pax-mark -m inplace/bin/ghc-cabal
        fi # ! use binary
 }
Comment 1 Attila Tóth 2023-12-27 23:23:10 UTC 
Created attachment 880787 [details, diff]
ghc-9.2.8.ebuild.2.diff

Proposed patch lets ghc-9.2.8 prepared and compiled on PaX enabled systems.