Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 447616

Summary: pax-utils.eclass from hardened-dev assumes that paxctl-ng supports pt_pax
Product: Gentoo Linux Reporter: Amadeusz Sławiński <amade>
Component: HardenedAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 431092    

Description Amadeusz Sławiński 2012-12-17 17:01:00 UTC 
eclass seems to just check if paxctl-ng is installed but not if it is usable (ie build with pt_pax support)

[ebuild   R    ] dev-python/pypax-0.7.0  USE="xtpax -ptpax" 0 kB
[ebuild   R    ] sys-apps/elfix-0.7.0  USE="xtpax -ptpax {-test}" 0 kB

For example with valgrind pt_pax flags are incorrect:

 * PT PaX marking -m
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/cachegrind-amd64-linux
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/callgrind-amd64-linux
...
 * XT PaX marking -m
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/cachegrind-amd64-linux
 *      /var/tmp/portage/dev-util/valgrind-3.8.1/image//usr/lib64/valgrind/callgrind-amd64-linux
...


# paxctl-ng -v /usr/lib64/valgrind/callgrind-amd64-linux
/usr/lib64/valgrind/callgrind-amd64-linux:
	XT_PAX: -em--

# paxctl -v /usr/lib64/valgrind/callgrind-amd64-linux 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/lib64/valgrind/callgrind-amd64-linux]
	RANDEXEC is disabled
	EMUTRAMP is disabled

# paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux 
/usr/lib64/valgrind/cachegrind-amd64-linux:
	XT_PAX: -em--

# paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux    
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
	RANDEXEC is disabled
	EMUTRAMP is disabled


Reproducible: Always
Comment 1 Anthony Basile gentoo-dev 2012-12-17 17:42:00 UTC 
(In reply to comment #0)
> eclass seems to just check if paxctl-ng is installed but not if it is usable
> (ie build with pt_pax support)

good point thanks.
Comment 2 Anthony Basile gentoo-dev 2012-12-30 12:36:38 UTC 
(In reply to comment #1)
> (In reply to comment #0)
> > eclass seems to just check if paxctl-ng is installed but not if it is usable
> > (ie build with pt_pax support)
> 
> good point thanks.

Please test the eclass I just put on the hardened-dev overlay with =sys-apps/elfix-0.8.0 which is ~arch right now.
Comment 3 Amadeusz Sławiński 2012-12-31 13:01:19 UTC 
Looks like it works

# paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux
/usr/lib64/valgrind/cachegrind-amd64-linux:
	XATTR_PAX: -em--

# paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux 
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
Comment 4 Anthony Basile gentoo-dev 2013-02-10 01:40:10 UTC 
(In reply to comment #3)
> Looks like it works
> 
> # paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux
> /usr/lib64/valgrind/cachegrind-amd64-linux:
> 	XATTR_PAX: -em--
> 
> # paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux 
> PaX control v0.7
> Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team
> <pageexec@freemail.hu>
> 
> - PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
> 	MPROTECT is disabled
> 	RANDEXEC is disabled
> 	EMUTRAMP is disabled

I've had to update the eclass for bug #445948.  It works for me.  If you have the chance, can you test again.  Use elfix-0.8.1 and the eclass from the hardened-dev overlay at

http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=fdc7769e014e3e4de8ebd0ae8896a1a83dc47c03;hb=3a2cbaec20cf614ec0dfbf7a6c0d3cedff412b5b
Comment 5 Amadeusz Sławiński 2013-02-10 14:14:55 UTC 
[ebuild   R    ] sys-apps/elfix-0.8.1  USE="xtpax -ptpax" 0 kB

It still works fine

# paxctl-ng -v /usr/lib64/valgrind/cachegrind-amd64-linux
/usr/lib64/valgrind/cachegrind-amd64-linux:
	XATTR_PAX: -em--

# paxctl -v /usr/lib64/valgrind/cachegrind-amd64-linux
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/lib64/valgrind/cachegrind-amd64-linux]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
Comment 6 Anthony Basile gentoo-dev 2013-02-10 14:24:31 UTC 
Thanks