| Summary: | php-core fails to configure when kernel uses PAX/grsecurity patch | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Axel Reimann <axel.privat> |
| Component: | New packages | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | normal | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
I'm guessing you never chpax'd your bins.

peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/java
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javac
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javadoc
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javah
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/idlj
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/keytool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/jarsigner
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/policytool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/kinit
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/klist
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/ktab
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/jar
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/appletviewer
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/rmic
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/rmiregistry
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/rmid
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javap
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/native2ascii
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/serialver
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/orbd
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/servertool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/tnameserv
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/extcheck
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/jdb
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/java
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/keytool
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/policytool
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/kinit
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/klist
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/ktab
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/rmiregistry
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/rmid
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/orbd
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/servertool
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/tnameserv
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/java_vm
-----------------------------------------------------------------

Try
chpax -zpemRxs /opt/blackdown-jdk-*/bin/* /opt/blackdown-jdk-*/jre/bin/*

And then try to emerge the php again.

Err, try to make those pax flags just -zrsp

That's right, chpax was not even installed (Shouldn't it, on the other hand, get installed automatically if I choose a grsec kernel?). After emerging chpax and setting the flags as you proposed, php-core installs fine. Now I've only got to study the man page to find out what exactly I was doing with the -zrsp flag combination. :)

Thank you for your quick response!

P.S.: Just another thought: what good are kernel enforced security flags if I can simply disable them with a funny li'l binary? Well, that's off topic here I guess. :)
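As an added example (not part of the bug report, and not code from chpax or Gentoo), this Python script decodes the flag column of a listing like the one quoted in the first comment and groups binaries by which PaX restrictions are not enforced on them. The function names are hypothetical, and the sample is three lines copied from that listing plus its separator.

```python
from collections import defaultdict

# chpax flag letter -> PaX feature. Upper case = enforced, lower case = not enforced.
PAX_FEATURES = {
    "P": "PAGEEXEC",  # paging-based non-executable pages
    "E": "EMUTRAMP",  # trampoline emulation (a compatibility aid, not a restriction)
    "M": "MPROTECT",  # mprotect() restrictions
    "R": "RANDMMAP",  # randomized mmap() base
    "X": "RANDEXEC",  # randomized ET_EXEC base
    "S": "SEGMEXEC",  # segmentation-based non-executable pages
}
# Features whose lower-case letter means a protection is absent for that binary.
RESTRICTIONS = ("PAGEEXEC", "MPROTECT", "RANDMMAP", "RANDEXEC", "SEGMEXEC")

def decode_flags(flags):
    """Map a flag string such as 'peMrxs' to {feature: enforced?}."""
    state = {}
    for ch in flags:
        name = PAX_FEATURES.get(ch.upper())
        if name is None:
            raise ValueError(f"unknown PaX flag letter {ch!r} in {flags!r}")
        state[name] = ch.isupper()
    return state

def parse_listing(text):
    """Yield (path, state) for every 'FLAGS ET_xxx PATH' line; skip anything else."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].startswith("ET_"):
            yield parts[2], decode_flags(parts[0])

def unenforced_by_profile(text):
    """Group paths by the tuple of restrictions that are not enforced on them."""
    groups = defaultdict(list)
    for path, state in parse_listing(text):
        off = tuple(n for n in RESTRICTIONS if not state.get(n, False))
        groups[off].append(path)
    return dict(groups)

# Excerpt of the listing from the comment above (not the full output).
SAMPLE = """\
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/java
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javac
pemRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/java
-----------------------------------------------------------------
"""

if __name__ == "__main__":
    for off, paths in unenforced_by_profile(SAMPLE).items():
        print(", ".join(off) or "none", "not enforced on:")
        for p in paths:
            print("   ", p)
```

Run over a full listing, the grouping shows at a glance which binaries carry per-file exceptions and which restrictions each exception gives up.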
The php-core ebuild seems to use java-config to determine the JDK version. While doing so it requires (for whatever reason) write access to /proc/self/maps. The kernel's grsecurity feature prohibits write access to /proc/self when set to medium strength.

Reproducible: Always

Steps to Reproduce:
1. install kernel with grsecurity patch
2. set grsecurity e.g. to medium strength
3. emerge php-core

Actual Results:
Calculating dependencies ...done!
>>> emerge (1 of 1) dev-php/php-core-4.3.4-r2 to /
>>> md5 src_uri ;-) php-4.3.4.tar.bz2
>>> md5 src_uri ;-) php-4.3.2-fopen-url-secure.patch
>>> Unpacking source...
>>> Unpacking php-4.3.4.tar.bz2 to /var/tmp/portage/php-core-4.3.4-r2/work
>>> Source unpacked.
 * You have dev-php/php installed, so we're cheating and using it
 * instead of rebuilding the CLI SAPI to make PEAR packages.
 * configure will still be run to build the required Makefiles.
 * JDK version: ACCESS DENIED open_wr: /proc/self/maps
 * Please ensure that you have a JDK with a version of at least
 * 1.4 selected using java-config

!!! ERROR: dev-php/php-core-4.3.4-r2 failed.
!!! Function php_check_java_config, Line 175, Exitcode 0
!!! (no error message)
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-php-core-4.3.4-r2-9745.log"

open_wr: /proc/self/maps
open_wr: /proc/self/maps
open_wr: /proc/self/maps
--------------------------------------------------------------------------------

Expected Results:
a clean merge without writing to /proc/self