Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 461668

Summary: net-im/skype-4.1.0.20 masked on hardened
Product: Gentoo Linux Reporter: Märt Bakhoff <mbakhoff>
Component: EclassesAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED OBSOLETE    
Severity: normal CC: alexander, joost, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://jira.skype.com/browse/SCL-616
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 427888    
Bug Blocks:    

Description Märt Bakhoff 2013-03-13 21:16:39 UTC 
Once upon a time skype made it impossible to paxmark skype's executable by doing integrity checks on startup. Without pax marking skype got killed by mprotect and skype was masked on hardened. 

At about June 2012 CONFIG_PAX_XATTR_PAX_FLAGS was introduced in pax kernels. That option would allow skype to be paxmarked using filesystem xattrs without modifying the executable. Since then paxmarking skype is possible and version 4.1.0.20 (and earlier) works fine with gentoo hardened. 

Unmask skype on hardened?

Reproducible: Always

Steps to Reproduce:
1. build hardened kernel with CONFIG_PAX_XATTR_PAX_FLAGS
2. successfully paxmark skype executable
3. successfully run skype
Comment 1 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2013-03-14 15:42:37 UTC 
Work is ongoing to finally get Xattr base markings and blueness is working on a eclass that can be used afterwards. Until then the mask should stay.
Comment 2 Alexander Tsoy 2013-03-14 15:47:48 UTC 
Skype works fine with PT_PAX markings so I don't understand why this depends on bug 427888
Comment 3 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2013-03-14 16:31:22 UTC 
Because that's not the case for the older versions which are also on the tree.
Comment 4 J. Roeleveld 2014-08-27 05:32:43 UTC 
I believe this bug can be closed as it's for an older version.
Additionally, Skype versions before 4.3 can no longer connect.
(I received the email about this in Dutch, please let me know if you want a copy)
Comment 5 Alex 2014-08-29 16:26:30 UTC 
But skype-4.3.0.37 ebuild is still masked on hardened.
It works fine though, if you put PAX_MARKINGS="XT".

As older skype version can not connect, this is the only way I found to make skype work with hardened kernel.