Summary: | app-portage/layman-2.3.0-r1 fails to build for python-3.5 on hardened ~amd64 with gcc-5.2.0 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Markus Walter <gentoo> |
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | RESOLVED OBSOLETE | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | emerge --info, build log | ||
Created attachment 417816 [details]
build log
Check what your kernel config says for pax flags settings and what python 3.5 has for marks.

(In reply to Magnus Granberg from comment #2)
> Check what your kernel config says for pax flags settings and what
> python 3.5 has for marks.

So, we have

```
zaphod ~ # zgrep -i pax /proc/config.gz
CONFIG_PAX_USERCOPY_SLABS=y
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL=y
# CONFIG_PAX_LATENT_ENTROPY is not set
```

for the kernel config and

```
zaphod ~ # paxctl-ng -v /usr/bin/python3.5
/usr/bin/python3.5:
open(O_RDWR) failed: cannot change PT_PAX flags
PT_PAX : -e---
XATTR_PAX : not found
```

for the python executable. The error did not occur for python3.4, where I get the following:

```
zaphod ~ # paxctl-ng -v /usr/bin/python3.4
/usr/bin/python3.4:
PT_PAX : -E---
XATTR_PAX : -E---
```

I already tried merging python again. Interestingly, it does not seem to affect any other python process.

Do you have any build log on python 3.5?
What USE flags on elfix?

(In reply to Magnus Granberg from comment #4)
> Do you have any build log on python 3.5?
> What USE flags on elfix?

Okay, this is somewhat strange: after some tinkering it works. I looked at the python build log and did not see anything special. However, looking at the system log showed some more denied RWX mmaps. So I rebuilt python3.5 (which is the system default), this time invoking portage with python3.4. The 'open(O_RDWR) failed: cannot change PT_PAX flags' vanished; however, the file had the same marks as in comment 3. A 'paxctl-ng -E /usr/bin/python3.5' fixed this and now layman merges just fine.

Thanks for nudging me in the right direction and sorry for this glitch.
Created attachment 417814 [details]
emerge --info

On my hardened ~amd64 system with gcc-5.2.0 I see the following problem when merging layman.

```
 * python3_5: running distutils-r1_run_phase distutils-r1_python_compile
/usr/bin/python3.5 setup.py build
/var/tmp/portage/app-portage/layman-2.3.0-r1/temp/environment: line 1639: 18683 Segmentation fault "${@}"
```

The corresponding system log is

```
Nov 25 09:43:32 zaphod kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python3.5/emerge[emerge:17788] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4167] uid/euid:0/0 gid/egid:0/0
Nov 25 09:43:37 zaphod kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.5[python3.5:18683] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python3.5/ebuild.sh[ebuild.sh:18591] uid/euid:250/250 gid/egid:250/250
Nov 25 09:43:37 zaphod kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.5[python3.5:18683] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python3.5/ebuild.sh[ebuild.sh:18591] uid/euid:250/250 gid/egid:250/250
Nov 25 09:43:37 zaphod kernel: python3.5[18683]: segfault at c ip 0000689ea84ea851 sp 0000770d7b447290 error 6 in libffi.so.6.0.4[689ea84e3000+9000]
Nov 25 09:43:37 zaphod kernel: grsec: Segmentation fault occurred at 000000000000000c in /usr/bin/python3.5[python3.5:18683] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python3.5/ebuild.sh[ebuild.sh:18591] uid/euid:250/250 gid/egid:250/250
Nov 25 09:43:37 zaphod kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/python3.5[python3.5:18683] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python3.5/ebuild.sh[ebuild.sh:18591] uid/euid:250/250 gid/egid:250/250
```

I'm a bit at a loss how to tackle this, but it's not going away after two weeks, so here is the bug report.
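
Added example, not part of the bug report or of any Gentoo tool: a small Python parser for kernel log lines in the format quoted in this report. It counts grsec `denied RWX mmap` events per executable and ties a later segfault to the same PID, which gives the list of binaries whose marks to inspect with `paxctl-ng -v`. The name `summarize` and the sample log lines (host, PIDs, addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# grsec names the offender as "/path[comm:pid]" right after " by ".
DENIED = re.compile(
    r"grsec: denied RWX mmap of .*? by (?P<exe>/[^\[]+)\[[^:\]]+:(?P<pid>\d+)\]")
# Generic kernel segfault line: "comm[pid]: segfault at ... in lib[base+size]".
SEGV = re.compile(
    r"kernel: [^\[\s]+\[(?P<pid>\d+)\]: segfault at .*? in (?P<lib>\S+)\[")

# Constructed sample lines, modelled on the log format quoted in the report.
SAMPLE_LOG = """\
Nov 25 09:43:32 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python3.5/emerge[emerge:1001] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:900] uid/euid:0/0 gid/egid:0/0
Nov 25 09:43:37 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.5[python3.5:1002] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python3.5/ebuild.sh[ebuild.sh:1000] uid/euid:250/250 gid/egid:250/250
Nov 25 09:43:37 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python3.5[python3.5:1002] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python3.5/ebuild.sh[ebuild.sh:1000] uid/euid:250/250 gid/egid:250/250
Nov 25 09:43:37 host kernel: python3.5[1002]: segfault at c ip 0000000000001851 sp 0000000000007290 error 6 in libffi.so.6.0.4[1000+9000]
"""


def summarize(lines):
    """Map each executable denied an RWX mmap to its denial count, PIDs and crash sites."""
    report = defaultdict(lambda: {"denials": 0, "pids": set(), "crashed_in": set()})
    pid_to_exe = {}
    for line in lines:
        m = DENIED.search(line)
        if m:
            pid = int(m["pid"])
            entry = report[m["exe"]]
            entry["denials"] += 1
            entry["pids"].add(pid)
            pid_to_exe[pid] = m["exe"]
            continue
        m = SEGV.search(line)
        # Attribute a crash only to a PID that was denied an RWX mapping earlier.
        if m and int(m["pid"]) in pid_to_exe:
            report[pid_to_exe[int(m["pid"])]]["crashed_in"].add(m["lib"])
    return dict(report)


if __name__ == "__main__":
    for exe, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        libs = ", ".join(sorted(info["crashed_in"])) or "-"
        print(f"{exe}: {info['denials']} RWX denial(s), segfault in: {libs}")
```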