Hi,

Skype gets terminated by PaX on my Gentoo Hardened laptop. I can hardly believe this has not been reported as a bug before, since I have seen this behaviour for a while now. But I could not find a bug report for this one, plus it's not fixed yet, so... ;)

As described below, Skype gets terminated by PaX with an execution attempt. The problem can be resolved/mitigated by setting PaX flags to remove mprotect() restrictions. Therefore I recommend adding an entry to /etc/conf.d/chpax:

# default is:
chpax -v /opt/skype/skype.bin
----[ chpax 0.7 : Current flags for /opt/skype/skype.bin (PeMRxS) ]----
[...]
-> Skype crashes

# disabling mprotect() ;-(
chpax -m /opt/skype/skype.bin
-> Skype works fine.

Thanks for your great work with Gentoo Hardened! (even got it quite working on my Sparc box. *g*)

Reproducible: Always

Steps to Reproduce:
1. execute skype under a hardened (PaX, grsec) kernel

Actual Results:
-------------- shell ---------------------
# skype
Running artsd found
==========================================
/usr/bin/skype: line 50: 15599 Killed ${skypecmd} ${progopts} >>${logfile} 2>>${logfile}

--------- dmesg -------------------------------------------
PAX: execution attempt in: /opt/skype/skype.bin, 08048000-08685000 00000000
PAX: terminating task: /opt/skype/skype.bin(skype.bin):15599, uid/euid: 1001/1001, PC: 080645d0, SP: 5ea1db4c
PAX: bytes at PC: ff 25 e0 37 68 08 68 38 0a 00 00 e9 70 eb ff ff ff 25 e4 37
PAX: bytes at SP: 22ef4a22 08784a28 22fde760 5ea1db98 22ef38d6 22fde760 00000101 08784a18 00000068 f27ad336 556bf7c8 556bf974 232b523b f27ad336 556bf974 556bbe68 23170a50 00000001 22fde760 5ea1dbf8
--------------------

Portage 2.0.51.22-r1 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r0, 2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) M processor 1400MHz
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
dev-lang/python: 2.3.5, 2.4.1-r1
sys-apps/sandbox: 1.2.10
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.18-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -O2 -pipe -fomit-frame-pointer -fstack-protector-all"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium-m -O2 -pipe -fomit-frame-pointer -fstack-protector-all"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LANG="de_DE"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j4"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aalib acpi alsa apache2 arts avi bash-completion berkdb bitmap-fonts bluetooth cdr crypt cups curl dga directfb divx4linux dlloader dvd dvdr eds esd ethereal evo fam fbcon flac freetype ftp gd gdbm gif gimpprint gnokii gphoto2 gpm gps gtk gtk2 gtkhtml hardened hbci icq imagemagick imap imlib irda java javascript jpeg kde ldap mad maildir mikmod mmx monkey motif moznocompose moznoirc moznomail mozp3p mozsvg mplayer mysql ncurses nls nptl nptlonly ntlm ogg opengl pam pcmcia perl pic png posix python qt radeon readline real rtc samba sdl slang sms sse sse2 ssl svga tcltk tcpd tiff truetype truetype-fonts type1-fonts usb userlocales vcd vorbis wifi win32codecs x86 xine xinerama xml xml2 xmms xv xvid zlib linguas_de userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LDFLAGS
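For triage, the PaX kernel messages quoted in the report above can be parsed into structured events, so an administrator can see which binaries keep being terminated before deciding on a flag exception. This is an added example, not part of the original bug report; the function names are hypothetical, and treating a mapping name that starts with "/" as file-backed is an assumption.

```python
import re
from collections import Counter

# Sample input: the PaX lines from the report above ("bytes at SP" omitted).
SAMPLE = """\
PAX: execution attempt in: /opt/skype/skype.bin, 08048000-08685000 00000000
PAX: terminating task: /opt/skype/skype.bin(skype.bin):15599, uid/euid: 1001/1001, PC: 080645d0, SP: 5ea1db4c
PAX: bytes at PC: ff 25 e0 37 68 08 68 38 0a 00 00 e9 70 eb ff ff ff 25 e4 37
"""

ATTEMPT = re.compile(r"PAX: execution attempt in: (?P<map>.+), "
                     r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<off>[0-9a-f]+)")
KILL = re.compile(r"PAX: terminating task: (?P<exe>.+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
                  r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
                  r"PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")
BYTES_PC = re.compile(r"PAX: bytes at PC: (?P<hex>(?:[0-9a-f]{2} ?)+)")

def parse_pax_kills(log_text):
    """Return one dict per PaX termination found in kernel log text."""
    events, pending = [], None
    for line in log_text.splitlines():
        if m := ATTEMPT.search(line):
            # First line of a report: the mapping the faulting PC was in.
            pending = {"mapping": m["map"],
                       "start": int(m["start"], 16), "end": int(m["end"], 16)}
        elif (m := KILL.search(line)) and pending is not None:
            pc = int(m["pc"], 16)
            pending.update(exe=m["exe"], pid=int(m["pid"]), uid=int(m["uid"]),
                           pc=pc,
                           pc_in_mapping=pending["start"] <= pc < pending["end"],
                           # Assumption: a path-like name means a file-backed mapping.
                           file_backed=pending["mapping"].startswith("/"))
            events.append(pending)
            pending = None
        elif (m := BYTES_PC.search(line)) and events:
            events[-1]["pc_bytes"] = bytes.fromhex(m["hex"].replace(" ", ""))
    return events

def kills_per_binary(events):
    """Count terminations per executable, to spot binaries that keep tripping PaX."""
    return Counter(e["exe"] for e in events)

if __name__ == "__main__":
    for e in parse_pax_kills(SAMPLE):
        print(e["exe"], e["pid"], hex(e["pc"]), e["pc_in_mapping"], e["pc_bytes"][:6].hex())
```

Because the patterns use `search`, the same function works on `dmesg` output that carries timestamp prefixes.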
Created attachment 64456
Relaxes mprotect() restrictions for PaX usage
net-im: the patch posted above adds a call to /sbin/chpax during installation of the binary to the 1.1.0.20-r1 ebuild, to relax PaX's mprotect() restrictions. Reassigning to package maintainer for action.

We've avoided suggesting ebuild patches for packages that need PaX flag management, until someone bugs about it. This one is simple enough and is as ok as the java ebuilds for example, but in general adding calls to chpax/paxctl is not satisfactory for all users. For example, the chpax method only works if CONFIG_PAX_EI_PAX is enabled in the kernel.

Work is ongoing on a more satisfactory way of managing PaX flags from within the hardened profile which will enable the hardened team to support this without having to badger package maintainers; once this reaches a satisfactory state, ebuilds like this which just need permissions to be managed won't need any black magic.
For the record: recent versions of Skype are built with a compiler that supports GNU_STACK; hardened users preferring paxctl over chpax can now set the 'm' flag for it with '/sbin/paxctl -cm /opt/skype/skype.bin'.
Fixed in 1.3 version