| Summary | blackdown-jdk needs to detect and run chpax -p after installation | | |
|---|---|---|---|
| Product | Gentoo Linux | Reporter | Tim Haynes (RETIRED) <piglet> |
| Component | New packages | Assignee | Java team <java> |
| Status | RESOLVED INVALID | | |
| Severity | enhancement | CC | vapier |
| Priority | High | | |
| Version | 1.4_rc2 | | |
| Hardware | All | | |
| OS | All | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
Description
Tim Haynes (RETIRED)
Just because gradm is installed doesn't mean grsec is active in the kernel ... and I'd be against this ... I'd suggest adding an einfo to the end that says something like "if you are using grsecurity you may have to run chpax on the installed files".

OK; in that case a more refined test would be the sysctl kernel.grsecurity.execve_limiting = 1, I think.

That is, of course, if you enabled sysctl support (which is disabled by default) :)

```sh
# Mark every ELF binary in the JDK's bin/ directory, but only if chpax is present.
if [ -x /sbin/chpax ] ; then
    file /opt/blackdown-jdk-*/bin/* | grep ELF | cut -d : -f 1 | while read -r elf ; do
        /sbin/chpax -rsmp "$elf"
    done
fi
```

You could add checks in java itself.. But I feel this would be kind of a hackfix, as other programs such as XFree86 would also need the same thing. The Gentoo way to do this would be to use PAGE_EXEC_EXEMPT= in /etc/conf.d/grsecurity and `rc-update add grsecurity default`.

Note: Starting with the gradm-1.9.9h-r1.ebuild, chpax will no longer be distributed as part of gradm. `emerge chpax`

java & pax: `chpax -rs` alone does the trick. This bug should also be closed, and any new ones that appear like this should be marked as invalid. It's up to the user to handle security and other things in their system.

Final note on this bug for archival reasons. The PaX author says `chpax -rsp` is what java* needs for completeness, not just -rs. Or (preferably) use the grsec ACL system.
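The thread leaves the question of how an install hook would actually decide whether PaX is active and which files to mark. The script below is an added example written for this page; it is not code from the bug, from the blackdown-jdk ebuild, or from the gradm/chpax projects. It assumes the grsecurity sysctl from the thread is exposed as `/proc/sys/kernel/grsecurity/execve_limiting` (only present when sysctl support is compiled in), takes the chpax path and proc root as parameters so it can be exercised on a machine without grsecurity, identifies ELF files by their magic bytes instead of parsing `file(1)` output, and applies the `-rsp` flags the PaX author recommended. Directory names, the `mark_jdk` helper and the `einfo:` message are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread or the ebuild). Assumptions:
#  - CHPAX is the path to a chpax binary; it is only executed if it exists.
#  - PROC_ROOT/sys/kernel/grsecurity/execve_limiting reads "1" when
#    grsecurity's execve limiting is active and sysctl support is enabled.

# is_elf FILE: succeed if FILE is a regular file beginning with the ELF
# magic 0x7f 'E' 'L' 'F'. od(1) is used so the check does not depend on
# the wording of file(1)'s description.
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# find_elf DIR...: print each regular ELF file directly under the given
# directories, one per line. Shell-script wrappers are skipped.
find_elf() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            is_elf "$f" && printf '%s\n' "$f"
        done
    done
}

# pax_active [PROC_ROOT]: succeed if the execve_limiting sysctl reads 1.
# A missing or unreadable file (sysctl support off, grsec not loaded) is
# treated as "not active".
pax_active() {
    f="${1:-/proc}/sys/kernel/grsecurity/execve_limiting"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# mark_jdk CHPAX JDK_DIR [PROC_ROOT]: print the chpax command line for every
# ELF under JDK_DIR/bin (so the caller can review it), and run it when CHPAX
# is executable. When PaX is not detected, emit the einfo-style hint the
# thread asked for instead of silently doing nothing.
mark_jdk() {
    chpax="$1"; jdk="$2"; proc="${3:-/proc}"
    if ! pax_active "$proc"; then
        echo "einfo: grsecurity execve limiting not detected; if you enable PaX later, run '$chpax -rsp' on $jdk/bin/*" >&2
    fi
    find_elf "$jdk/bin" | while IFS= read -r elf; do
        printf '%s -rsp %s\n' "$chpax" "$elf"
        if [ -x "$chpax" ]; then
            "$chpax" -rsp "$elf"
        fi
    done
}

# Typical invocation on a real system:
#   mark_jdk /sbin/chpax /opt/blackdown-jdk-1.4.1
```

Because `mark_jdk` always prints the command lines it would run, the hook can be tested with a non-existent chpax path against a constructed JDK tree and a fake proc root, and then pointed at `/sbin/chpax` and `/proc` for the real run.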