Summary: | kde-base/kmail-4.11.0 denied RWX mmap | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Michael Rowell <lambda.tango> |
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | RESOLVED TEST-REQUEST | ||
Severity: | normal | CC: | kde |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=483236 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Michael Rowell
2013-09-01 06:55:58 UTC
The same problem with kde-base/kmail-4.13.3. emerge --info Portage 2.2.12 (python 3.3.5-final-0, hardened/linux/amd64, gcc-4.7.3, glibc-2.19-r1, 3.13.8-hardened-r2 x86_64) ================================================================= System uname: Linux-3.13.8-hardened-r2-x86_64-Intel-R-_Core-TM-_i5-2520M_CPU_@_2.50GHz-with-gentoo-2.2 KiB Mem: 3988444 total, 2345112 free KiB Swap: 0 total, 0 free Timestamp of tree: Sat, 16 Aug 2014 17:15:01 +0000 ld GNU ld (Gentoo 2.24 p1.4) 2.24 app-shells/bash: 4.2_p47 dev-java/java-config: 2.2.0 dev-lang/python: 2.7.8, 3.2.5-r2, 3.3.5-r1, 3.4.1 dev-util/cmake: 2.8.12.2-r1 dev-util/pkgconfig: 0.28-r2 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.11.6, 1.12.6, 1.13.4, 1.14.1 sys-devel/binutils: 2.24-r3 sys-devel/gcc: 4.7.3, 4.8.3 sys-devel/gcc-config: 1.8 sys-devel/libtool: 2.4.2-r1 sys-devel/make: 4.0-r1 sys-kernel/linux-headers: 3.16 (virtual/os-headers) sys-libs/glibc: 2.19-r1 Repositories: gentoo xmw luman voyageur ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA AdobeFlash-11.x skype-4.0.0.7-copyright" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="${CONFIG_PROTECT} /etc /etc/idea/conf /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=3.5" FCFLAGS="-march=native -O2 -pipe -fomit-frame-pointer" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-march=native -O2 -pipe -fomit-frame-pointer" GENTOO_MIRRORS="rsync://gentoo.mirror.dkm.cz/gentoo/ http://gentoo.mirror.dkm.cz/pub/gentoo/ rsync://ftp.fi.muni.cz/pub/linux/gentoo/ http://gentoo.supp.name/ http://gentoo.mirror.web4u.cz/" LANG="en_GB.utf8" LC_ALL="en_GB.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="--jobs=5 --load-average=4.1" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/xmw /var/lib/layman/luman /var/lib/layman/voyageur" SYNC="rsync://rsync.cz.gentoo.org/gentoo-portage" USE="X acl acpi alsa amd64 avx bash-completion berkdb bzip2 cli cracklib crypt custom-cflags custom-cpuopts custom-optimization cxx dri dvb exif fam gdbm glamor hardened iconv ipv6 jit justify kde lm_sensors mmx modules multilib ncurses nls nptl opengl openmp pam pax_kernel pcre qt3support readline semantic-desktop session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 system-cairo system-icu tcpd unicode urandom uxa v4l vaapi vdpau wifi xa xcb xorg xtpax xv xvmc zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DVB_CARDS="usb-af9015" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_GB cs" NETBEANS_MODULES="enterprise java" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel i965 nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON (In reply to Michael Rowell from comment #0) > KMail crashes on startup with vanilla-sources patched with grsec. Solution > is to > > paxctl-ng -m /usr/bin/kmail > Why are you not using a hardened-sources kernel? While I suspect that it might crash for the same reason on a hardened-sources kernel, I really can't reproduce the issue and so I'm not sure we're not comparing apples and oranges. (In reply to Anthony Basile from comment #2) > (In reply to Michael Rowell from comment #0) > > KMail crashes on startup with vanilla-sources patched with grsec. Solution > > is to > > > > paxctl-ng -m /usr/bin/kmail > > > > Why are you not using a hardened-sources kernel? While I suspect that it > might crash for the same reason on a hardened-sources kernel, I really can't > reproduce the issue and so I'm not sure we're not comparing apples and > oranges. In my case, because it was easier to apply Con Kolivas' patchset *before* grsec's. Less patch failures to correct. You may note that Ondřej *was* using hardened sources, along with a more recent version of kmail. Further, the problem here is that there are no PAX markings on the relevant KDE binaries (possibly because they didn't apply during emerge, I'm not sure because it's been a long time and I've stopped using grsec/PAX and KMail in the meantime, but I do seem to remember having such problems). Hence, they crash under a seemingly standard implementation of PAX (along with several other KDE binaries as per my other bug, #483236). So unless Hardened is significantly modifying PAX in such a way as to cause effective suppression of these errors, then I believe the *technically* correct course of action would be to apply the correct PAX markings in the ebuild. Correct me if I'm wrong. All that said, frankly I've stopped caring. No one responded to either bug, so I made do with paxctl'ing the relevant binaries everytime I upgraded KDE (but after running them once, to make sure they still crashed [they did]). I have long since stopped using PAX/GRSec, and further, my main Gentoo system is recently dead, so at present I can't really do anything else to help except to provide my recollection, as I have done here. Sorry. (In reply to Michael Rowell from comment #3) > (In reply to Anthony Basile from comment #2) > > (In reply to Michael Rowell from comment #0) > > > KMail crashes on startup with vanilla-sources patched with grsec. Solution > > > is to > > > > > > paxctl-ng -m /usr/bin/kmail > > > > > > > Why are you not using a hardened-sources kernel? While I suspect that it > > might crash for the same reason on a hardened-sources kernel, I really can't > > reproduce the issue and so I'm not sure we're not comparing apples and > > oranges. > > In my case, because it was easier to apply Con Kolivas' patchset *before* > grsec's. Less patch failures to correct. > > You may note that Ondřej *was* using hardened sources, along with a more > recent version of kmail. Further, the problem here is that there are no PAX > markings on the relevant KDE binaries (possibly because they didn't apply > during emerge, I'm not sure because it's been a long time and I've stopped > using grsec/PAX and KMail in the meantime, but I do seem to remember having > such problems). Hence, they crash under a seemingly standard implementation > of PAX (along with several other KDE binaries as per my other bug, #483236). Sorry it fell of my radar. I'll take care of it now. > > So unless Hardened is significantly modifying PAX in such a way as to cause > effective suppression of these errors, then I believe the *technically* > correct course of action would be to apply the correct PAX markings in the > ebuild. Correct me if I'm wrong. No, its a question of which version of the pax patches you're using. The pax patches themselves change over time, so if you apply your own, I can't figure out which version we're talking about. > > All that said, frankly I've stopped caring. No one responded to either bug, > so I made do with paxctl'ing the relevant binaries everytime I upgraded KDE > (but after running them once, to make sure they still crashed [they did]). I > have long since stopped using PAX/GRSec, and further, my main Gentoo system > is recently dead, so at present I can't really do anything else to help > except to provide my recollection, as I have done here. > > Sorry. Don't be afraid to ping me. I'm very busy and sometimes I overlook a bug. As noted in bug #483236, this only seem to be a problem on some video cards. We're still not 100% sure which cards work and which don't. Is this still an issue? |