Summary: | app-arch/zpaq-4.04 execution attempt in: <anonymous mapping> | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Marcin Mirosław <bug> |
Component: | Current packages | Assignee: | Michał Górny <mgorny> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | hardened |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |

Description
Marcin Mirosław
2012-04-10 21:31:57 UTC
```
# emerge --info
FEATURES variable contains unknown value(s): Xkeepwork, Xprofile, Xtest, profile-use
Portage 2.2.0_alpha100 (hardened/linux/amd64, gcc-4.5.3, glibc-2.13-r4, 3.3.1-hardened x86_64)
=================================================================
System uname: Linux-3.3.1-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_930_@_2.80GHz-with-gentoo-2.0.3
Timestamp of tree: Tue, 10 Apr 2012 21:00:01 +0000
ccache version 3.1.7 [enabled]
app-shells/bash: 4.2_p20
dev-lang/python: 2.7.2-r3, 3.2.2
dev-util/ccache: 3.1.7
dev-util/cmake: 2.8.6-r4
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.0.3
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.21.1-r1
sys-devel/gcc: 4.5.3-r2
sys-devel/gcc-config: 1.5-r2
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc: 2.13-r4
Repositories: gentoo
Installed sets:
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O0 -g -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O0 -g -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --quiet-build=n"
FEATURES="Xkeepwork Xprofile Xtest assume-digests binpkg-logs ccache collision-protect distlocks ebuild-locks fail-clean fixlafiles news parallel-fetch preserve-libs profile-use protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.mneisen.org/"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="pl en"
MAKEOPTS="-j2 -l2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acpi amd64 apache2 bash-completion caps hardened idn iproute2 ipv6 mmap mmx mmxext modules multilib nls openmp openssl smp sse sse2 sse3 sse4 sse4a ssse3 syslog threads threadsafe unicode urandom vhosts vim-syntax xtpax" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon auth_digest authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user cache cgid dav dav_fs dav_lock dir env expires ext_filter filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" KERNEL="linux" LINGUAS="pl en" NGINX_MODULES_HTTP="access browser charset gzip map limit_zone proxy rewrite stub_status" PHP_TARGETS="php5-3" USERLAND="GNU" XTABLES_ADDONS="geoip ipset6 psd sysrq tarpit"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
```

I'll probably just add USE=jit for it.

Ok, libzpaq now has USE=jit. I dunno how to handle Hardened issues, I guess either package has to get some special powers or they could just mask libzpaq[jit] in Hardened profile.

Marcin, did it work with the jit flag off?

Yes, zpaq (libzpaq) with "-jit" works on hardened system.

Could someone retry with the current 7.* version, and see if pax-marking helps?

(In reply to Michał Górny from comment #6)
> Could someone retry with the current 7.* version, and see if pax-marking
> helps?

Yes, someone can retry ;) It works almost good.
On hardened kernel, using libzpaq[-jit], it looks like it works correctly (re-adding the same file):

```
$ zpaq add test /usr/portage/distfiles/mysql-5.6.30.tar.gz
zpaq v7.04 journaling archiver, compiled May 24 2016
test.zpaq: 4 versions, 1 files, 484 fragments, 30.829637 MB
Adding 0.000000 MB in 0 files -method 14 -threads 4 at 2016-05-24 10:28:13.
0 +added, 0 -removed.
30.829637 + (0.000000 -> 0.000000 -> 0.000104) = 30.829741 MB
0.035 seconds (all OK)
```

When libzpaq is compiled with USE=jit then I'm getting:

```
$ zpaq add test /usr/portage/distfiles/mysql-5.6.30.tar.gz
zpaq v7.04 journaling archiver, compiled May 24 2016
test.zpaq: Skipping block at 30827124: allocx failed
5 versions, 0 files, 484 fragments, 30.829741 MB
Adding 32.223818 MB in 1 files -method 14 -threads 4 at 2016-05-24 10:31:29.
100.00% 0:00:00 + /usr/portage/distfiles/mysql-5.6.30.tar.gz 32223818 -> 0
1 +added, 0 -removed.
30.829741 + (32.223818 -> 0.000000 -> 0.002513) = 30.832254 MB
0.871 seconds (with errors)
```

and kernel throws:

```
2016-05-24T12:31:29.852459+02:00 jowisz kernel: [432572.787418] grsec: From 194.zz.xx.yy: denied RWX mmap of <anonymous mapping> by /usr/bin/zpaq[zpaq:19569] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14229] uid/euid:1000/1000 gid/egid:1000/1000
```

Could you try to play a bit with PaX flags to see which ones make jit work?

With "-m disable MPROTECT" on /usr/bin/zpaq zpaq works with app-arch/libzpaq[jit]

```
commit 2c9e3ae1f1afaf8eefb25ed43ba4a077eab3d92f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Sun Jul 3 15:27:43 2016
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Sun Jul 3 15:29:24 2016

    app-arch/zpaq: Fix Hardened w/ USE=jit, #411521
```

Should be fixed now (in 7.13-r1). Thank you.
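
The grsec message in this report denies one specific request: an anonymous mapping asked for as readable, writable and executable at once. The C probe below is an added example, not code from zpaq, libzpaq or the Gentoo ebuild; it issues that request next to a plain RW mapping and an RW mapping later switched to RX, and reports which ones the running kernel permits. The function names and the 4096-byte length are assumptions made for the example.

```c
/* Added example: probe which JIT-style memory mappings this kernel permits. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PROBE_LEN 4096  /* assumed size, one typical page */

/* Map anonymous memory with prot1, then optionally change it to prot2.
 * Returns 0 if every step was permitted, otherwise the errno of the
 * step the kernel refused. prot2 == -1 skips the mprotect step. */
static int probe(int prot1, int prot2)
{
    int err = 0;
    void *p = mmap(NULL, PROBE_LEN, prot1, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if (prot2 != -1 && mprotect(p, PROBE_LEN, prot2) != 0)
        err = errno;
    munmap(p, PROBE_LEN);
    return err;
}

/* Baseline: an ordinary data mapping. */
int probe_rw(void) { return probe(PROT_READ | PROT_WRITE, -1); }

/* The request named in the grsec message: anonymous RWX in one call. */
int probe_rwx(void) { return probe(PROT_READ | PROT_WRITE | PROT_EXEC, -1); }

/* Other common JIT pattern: fill the buffer as RW, then flip it to RX. */
int probe_rw_then_rx(void)
{
    return probe(PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC);
}

static void report(const char *name, int err)
{
    printf("%-22s %s\n", name, err ? strerror(err) : "allowed");
}

int main(void)
{
    report("mmap RW", probe_rw());
    report("mmap RWX", probe_rwx());
    report("mmap RW, mprotect RX", probe_rw_then_rx());
    return 0;
}
```

On a kernel enforcing the policy shown in the log, the "mmap RWX" line is the one expected to report an error, matching the "allocx failed" message zpaq printed.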