Bug 475244

Summary:	media-video/mplayer is killed by pax on non-hardened profile
Product:	Gentoo Linux	Reporter:	Agostino Sarubbo <ago>
Component:	Current packages	Assignee:	Gentoo Media-video project <media-video>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	hardened, nikoli
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2013-06-29 18:06:34 UTC

Jun 29 20:03:45 devil kernel: grsec: denied RWX mprotect of /usr/lib/libmpg123.so.0.36.6 by /usr/bin/mplayer[mplayer:2058] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/smplayer[smplayer:2009] uid/euid:1000/1000 gid/egid:1000/1000


Portage 2.1.12.11 (default/linux/x86/13.0, gcc-4.6.3, glibc-2.15-r3, 3.2.42-hardened-r1 i686)
=================================================================                                                                                                                   
System uname: Linux-3.2.42-hardened-r1-i686-Intel-R-_Celeron-R-_M_CPU_430_@_1.73GHz-with-gentoo-2.2                                                                                 
KiB Mem:     2060284 total,    199388 free                                                                                                                                          
KiB Swap:    2097148 total,   2059860 free                                                                                                                                          
Timestamp of tree: Sat, 29 Jun 2013 16:30:01 +0000                                                                                                                                  
ld GNU ld (GNU Binutils) 2.22                                                                                                                                                       
app-shells/bash:          4.2_p45                                                                                                                                                   
dev-lang/python:          2.7.3-r3                                                                                                                                                  
dev-util/cmake:           2.8.10.2-r2                                                                                                                                               
dev-util/pkgconfig:       0.28                                                                                                                                                      
sys-apps/baselayout:      2.2                                                                                                                                                       
sys-apps/openrc:          0.11.8                                                                                                                                                    
sys-apps/sandbox:         2.6-r1                                                                                                                                                    
sys-devel/autoconf:       2.13, 2.69                                                                                                                                                
sys-devel/automake:       1.10.3, 1.11.6, 1.12.6                                                                                                                                    
sys-devel/binutils:       2.22-r1                                                                                                                                                   
sys-devel/gcc:            4.6.3                                                                                                                                                     
sys-devel/gcc-config:     1.7.3                                                                                                                                                     
sys-devel/libtool:        2.4-r1                                                                                                                                                    
sys-devel/make:           3.82-r4                                                                                                                                                   
sys-kernel/linux-headers: 3.7 (virtual/os-headers)                                                                                                                                  
sys-libs/glibc:           2.15-r3                                                                                                                                                   
Repositories: gentoo x-portage                                                                                                                                                      
ACCEPT_KEYWORDS="x86"                                                                                                                                                               
ACCEPT_LICENSE="*"                                                                                                                                                                  
CBUILD="i686-pc-linux-gnu"                                                                                                                                                          
CFLAGS="-O2 -march=pentium-m -g0"                                                                                                                                                   
CHOST="i686-pc-linux-gnu"                                                                                                                                                           
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"        
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"                    
CXXFLAGS="-O2 -march=pentium-m -g0"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FCFLAGS="-O2"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl acpi alsa apic bash-completion berkdb bzip2 cairo cli consolekit cracklib crypt custom-cflags custom-optimization cxx dbus dri dvd extras ffmpeg fortran gdbm gpm gtk gudev hwdb iconv jpeg jpeg2k kde kmod lame lm_sensors mad minizip mmx modules mp3 mudflap ncurses networkmanager nptl nsplugin opengl openmp openrc pam pax_kernel pcre pic png policykit qt3support qt4 readline semantic-desktop session sse sse2 ssl svg symlink tcpd theora threads tiff udev unicode vorbis x264 x86 xvid zlib" ABI_X86="32" ALSA_CARDS="hda-intel" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" LINGUAS="en en_GB" OFFICE_IMPLEMENTATION="libreoffice" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" USERLAND="GNU" VIDEO_CARDS="intel"
USE_PYTHON="2.7"

Comment 1 Magnus Granberg gentoo-dev

2013-06-30 00:51:25 UTC

Disable mmx on libmpg123 see bug #164504
Retest with mmx of on libmpg123

Comment 2 Agostino Sarubbo gentoo-dev

2013-06-30 01:12:47 UTC

(In reply to Magnus Granberg from comment #1)
> Disable mmx on libmpg123 see bug #164504
> Retest with mmx of on libmpg123


Same result.

Comment 3 Nikoli 2013-07-07 13:29:44 UTC

Which mplayer video output and video driver you are using? opengl apps do not work without pax marking with nouveau driver bug #383989

Why you are using pax enabled kernel with non hardened profile?! hardened-sources may kill any bin, which is not compiled by hardened toolchain. This is told in hardened handbook.

Comment 4 Agostino Sarubbo gentoo-dev

2013-07-07 13:34:52 UTC

(In reply to Nikoli from comment #3)
> Which mplayer video output and video driver you are using? opengl apps do
> not work without pax marking with nouveau driver bug #383989
Intel

> Why you are using pax enabled kernel with non hardened profile?!
Why not?

> hardened-sources may kill any bin, which is not compiled by hardened
> toolchain. This is told in hardened handbook.

Why hardened-sources should kill any bin?
I don't guess so. For what are you saying grsecurity should be designed only for gentoo hardened... I see grsecurity enabled on the other distros which there isn't an hardened toolchain.

Comment 5 Alexis Ballier gentoo-dev

2013-08-02 16:52:57 UTC

(In reply to Agostino Sarubbo from comment #2)
> (In reply to Magnus Granberg from comment #1)
> > Disable mmx on libmpg123 see bug #164504
> > Retest with mmx of on libmpg123
> 
> 
> Same result.

post the output then; if libmpg123 still has textrels you should post in the relevant bug

(In reply to Agostino Sarubbo from comment #4)
> > hardened-sources may kill any bin, which is not compiled by hardened
> > toolchain. This is told in hardened handbook.
> 
> Why hardened-sources should kill any bin?
> I don't guess so. For what are you saying grsecurity should be designed only
> for gentoo hardened... I see grsecurity enabled on the other distros which
> there isn't an hardened toolchain.

it has nothing to do with hardened toolchain; you can very well build pic shared libs with a standard toolchain, and this is actually gentoo policy recommendations. some packages provide heavily optimised asm that is not pic and this is exactly what you are hitting. as gentoo, we decide to provide choice and by default we chose the best for everyone: the fastest code. if you want to disallow non pic libraries (which is what you are doing with your grsec kernel but do not seem to understand the implications) without hardened profile then you are basically on your own and should be able to disable/mask the offending useflags. those are supposed to be masked on hardened profile for this very preceise reason.

*** This bug has been marked as a duplicate of bug 164504 ***