
Bug 461798

Summary: x11-drivers/ati-drivers-13.1: check if CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is disabled, paxmark /opt/bin/aticonfig
Product: Gentoo Linux
Reporter: Nikoli <nikoli>
Component: Current packages
Assignee: Gentoo X packagers <x11>
Status: RESOLVED WONTFIX
Severity: normal
CC: hardened, jekarlson, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   

Description Nikoli 2013-03-15 10:40:05 UTC
1) If pax_kernel is enabled, the ebuild should check that CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is disabled and suggest enabling CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR instead.
The fglrx kernel module builds fine if PAX_KERNEXEC_PLUGIN_METHOD_BTS is enabled, but _silently_ (no error or message in dmesg) fails to load because it is not GPL compatible. modprobe fglrx will fail with this error:

modprobe: ERROR: could not insert 'fglrx': Exec format error

After googling I found
https://forums.gentoo.org/viewtopic-t-922748-start-0.html


2) It is not possible to create xorg.conf with 'aticonfig --initial', because /opt/bin/aticonfig is not pax marked and is killed:

aticonfig: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

dmesg:

grsec: denied RWX mmap of /usr/lib64/opengl/ati/lib/libGL.so.1.2 by /opt/bin/aticonfig[aticonfig:3496] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2807] uid/euid:0/0 gid/egid:0/0

You can use the skype ebuild as an example. In the future it could be better to start using the xattr feature of filesystems instead of creating a PT_PAX_FLAGS header and modifying the file.

3) Something about bug #393177 could be done, like adding (with some updates) the howto from comment 1
Comment 1 Nikoli 2013-03-15 11:01:03 UTC
Also '/usr/bin/fgl_glxgears' needs pax marking.
Comment 2 emil karlson 2013-03-16 14:36:57 UTC
Are you sure about this? I checked the code and there really is

#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
        if (!license || !license_is_gpl_compatible(license))
                return -ENOEXEC;
#endif

Perhaps CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is the option that should be disabled?
Comment 3 Nikoli 2013-03-16 16:18:22 UTC
Sorry, it was a typo. You are right.
Comment 4 emil karlson 2013-03-16 19:36:49 UTC
Greetings, can you test ati-drivers-13.2-beta7 from the x11 overlay?

It refers to revdep-pax in the postinst message, which should solve most of the remaining problems - please note if I am missing something.
Comment 5 Nikoli 2013-03-23 17:40:55 UTC
I did not try the beta ebuild yet, but I did try running commands from it.
1) Are you sure that 'pax-mark Cm "${D}"/usr/lib*/opengl/ati/lib/libGL.so.1.2' works fine for you? Please also check the output of paxctl -v and paxctl-ng -v:
# paxctl -Cm /usr/lib*/opengl/ati/lib/libGL.so.1.2
file /usr/lib64/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS program header, creation failed
file /usr/lib/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS program header, creation failed
# paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
/usr/lib64/opengl/ati/lib/libGL.so.1.2:
        PT_PAX   : not found
        XATTR_PAX: not found

/usr/lib/opengl/ati/lib/libGL.so.1.2:
        PT_PAX   : not found
        XATTR_PAX: not found

'paxctl-ng -m' works fine for me, but creates only xattr marking:
# paxctl-ng -m /usr/lib*/opengl/ati/lib/libGL.so.1.2
# paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
/usr/lib64/opengl/ati/lib/libGL.so.1.2:
        PT_PAX   : not found
        XATTR_PAX: -em--

/usr/lib/opengl/ati/lib/libGL.so.1.2:
        PT_PAX   : not found
        XATTR_PAX: -em--


2) Using 'revdep-pax -s libGL.so.1 -me' has 2 problems:
1) It does not create a PT_PAX_FLAGS program header; for all bins in /opt/ it will use only xattr marking. You need to check in the ebuild if the kernel was compiled with CONFIG_PAX_XATTR_PAX_FLAGS=y.
2) After 'su', $PATH will not have /opt/bin, /opt/sbin and /usr/games/bin; revdep-pax will not mark aticonfig, amdcccle and most of the bins from ati-drivers. Please add info about $PATH to postinst and pax-mark all bins linked to libGL.so.1 in src_install.
Comment 6 Anthony Basile gentoo-dev 2013-03-23 18:47:27 UTC
(In reply to comment #5)
> I did not try the beta ebuild yet, but I did try running commands from it.
> 1) Are you sure that 'pax-mark Cm "${D}"/usr/lib*/opengl/ati/lib/libGL.so.1.2'
> works fine for you? Please also check the output of paxctl -v and paxctl-ng -v:
> # paxctl -Cm /usr/lib*/opengl/ati/lib/libGL.so.1.2
> file /usr/lib64/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS
> program header, creation failed
> file /usr/lib/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS program
> header, creation failed
> # paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
> /usr/lib64/opengl/ati/lib/libGL.so.1.2:
>         PT_PAX   : not found
>         XATTR_PAX: not found
> 
> /usr/lib/opengl/ati/lib/libGL.so.1.2:
>         PT_PAX   : not found
>         XATTR_PAX: not found
> 
> 'paxctl-ng -m' works fine for me, but creates only xattr marking:
> # paxctl-ng -m /usr/lib*/opengl/ati/lib/libGL.so.1.2
> # paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
> /usr/lib64/opengl/ati/lib/libGL.so.1.2:
>         PT_PAX   : not found
>         XATTR_PAX: -em--
> 
> /usr/lib/opengl/ati/lib/libGL.so.1.2:
>         PT_PAX   : not found
>         XATTR_PAX: -em--
> 
> 
> 2) Using 'revdep-pax -s libGL.so.1 -me' has 2 problems:
> 1) It does not create a PT_PAX_FLAGS program header; for all bins in /opt/ it
> will use only xattr marking. You need to check in the ebuild if the kernel was
> compiled with CONFIG_PAX_XATTR_PAX_FLAGS=y.
> 2) After 'su', $PATH will not have /opt/bin, /opt/sbin and /usr/games/bin;
> revdep-pax will not mark aticonfig, amdcccle and most of the bins from
> ati-drivers. Please add info about $PATH to postinst and pax-mark all bins
> linked to libGL.so.1 in src_install.

Looks like paxctl can't create a PT_PAX phdr and I designed paxctl-ng to NOT create the phdr.  Consequently revdep-pax can't either.  Looks like this will have to be marked via xattr only.
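
The two kernel-config checks requested in this thread (comments 2 and 5), written out as a stand-alone shell sketch. This is an added example, not part of the bug report or of any ebuild; the function names kconfig_enabled and pax_fglrx_check are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; option names are from the thread.

# kconfig_enabled FILE OPTION: true only if "OPTION=y" is in the kernel config.
# Lines of the form "# OPTION is not set" do not match.
kconfig_enabled() {
    grep -q "^$2=y\$" "$1"
}

# pax_fglrx_check FILE: returns a bitmask and explains each finding on stderr.
#   1 = KERNEXEC method OR is on: the non-GPL fglrx module is refused (-ENOEXEC)
#   2 = xattr PaX flags are off: markings made with paxctl-ng -m are not honoured
pax_fglrx_check() {
    status=0
    if kconfig_enabled "$1" CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR; then
        echo "CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y: modprobe fglrx fails with 'Exec format error'" >&2
        status=$((status | 1))
    fi
    if ! kconfig_enabled "$1" CONFIG_PAX_XATTR_PAX_FLAGS; then
        echo "CONFIG_PAX_XATTR_PAX_FLAGS is not set: xattr-only PaX marks have no effect" >&2
        status=$((status | 2))
    fi
    return "$status"
}

# Constructed sample config (not taken from a real system): both problems present.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
EOF
pax_fglrx_check "$sample" && result=0 || result=$?
echo "result=$result"
rm -f "$sample"
```

To check a real system, pass the path of the .config of the kernel the module will be built against.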
Comment 7 Matt Turner gentoo-dev 2017-03-15 19:34:08 UTC
x11-drivers/ati-drivers has been removed, per bug 582406.