Emerge of gnustep-gui is failing on hardened kernel (2.6.21) with pax enabled when trying to run make_services. Relevant info below.

Output of emerge:

i686-pc-linux-gnu-gcc -rdynamic -fgnu-runtime -o GSspell.service/./GSspell \
./shared_obj/GSspell.o -L/usr/lib -L../Source/./shared_obj -L../Model/./shared_obj -L/var/tmp/portage/gnustep-base/gnustep-gui-0.11.0/temp/Library/Libraries -L/usr/GNUstep/Local/Library/Libraries -L/usr/GNUstep/Network/Library/Libraries -L/usr/GNUstep/System/Library/Libraries -lgnustep-gui -laudiofile -laspell -lgif -lpng -ltiff -lz -ljpeg -lm -lgnustep-base -lpthread -lobjc -lm
/usr/GNUstep/System/Library/Makefiles/mkinstalldirs GSspell.service/Resources
(echo "{"; echo ' NOTE = "Automatically generated, do not edit!";'; \
echo " NSExecutable = \"GSspell\";"; \
cat GSspellInfo.plist; \
echo "}") >GSspell.service/Resources/Info-gnustep.plist ;\
if ././shared_obj/make_services --test GSspell.service/Resources/Info-gnustep.plist; then : ; else rm -f GSspell.service/Resources/Info-gnustep.plist; false; \
fi
trampoline: cannot make memory executable
/bin/sh: line 5: 19823 Avbruten (SIGABRT) ././shared_obj/make_services --test GSspell.service/Resources/Info-gnustep.plist
make[2]: *** [GSspell.service/Resources/Info-gnustep.plist] Fel 1
make[1]: *** [GSspell.all.service.variables] Fel 2
make[1]: Leaving directory `/var/tmp/portage/gnustep-base/gnustep-gui-0.11.0/work/gnustep-gui-0.11.0/Tools'
make: *** [internal-all] Fel 2

Relevant part from dmesg:

grsec: exec of /var/tmp/portage/gnustep-base/gnustep-gui-0.11.0/work/gnustep-gui-0.11.0/Tools/shared_obj/make_services (././shared_obj/make_services --test GSspell.service/Resources/Info-gnustep.plist ) by /bin/bash[sh:16457] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:16454] uid/euid:0/0 gid/egid:0/0
grsec: signal 6 sent to /var/tmp/portage/gnustep-base/gnustep-gui-0.11.0/work/gnustep-gui-0.11.0/Tools/shared_obj/make_services[make_services:16457] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:16454] uid/euid:0/0 gid/egid:0/0
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/gnustep-base/gnustep-gui-0.11.0/work/gnustep-gui-0.11.0/Tools/shared_obj/make_services[make_services:16457] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:16454] uid/euid:0/0 gid/egid:0/0
hmm - gnustep people, does gnustep-gui create its own tools for building/linking stuff? Is 'make_services' such a tool? PaX/gcc/binutils would normally take care of this automatically.

Fredric - could you post your kernel configuration, please (at least the 'PAX' bits)? Also please attach the full build log:

% emerge gnustep-gui > gnustep-gui.log 2>&1
Created attachment 118331
Kernel config

My kernelconfig
Created attachment 118342
Log from emerge gnustep-gui
Thanks Fredric. That confirms you do have trampoline emulation enabled ok; and it does look like gnustep has a home-built build tool that doesn't manage PT_GNUSTACK (maybe). It's not a quick thing to work on - gnustep needs objc which I've never bothered building, so I won't be able to work anything out quickly.
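The PT_GNUSTACK marking mentioned in the comment above can be read straight from a binary's program headers. The following is an added example, not part of the original thread and not GNUstep or Gentoo code; the function names and the constructed sample ELF image are assumptions made for illustration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the ELF has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at offset 4 in Elf64_Phdr but offset 24 in Elf32_Phdr
            (flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
            return flags
    return None

def stack_policy(elf: bytes) -> str:
    """Classify the stack marking the way a hardened-toolchain audit would."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "missing"          # no marking: the kernel's arch default applies
    return "executable" if flags & PF_X else "non-executable"

def sample_elf32(stack_flags=None) -> bytes:
    """Constructed input: bare ELF32 little-endian header, optional PT_GNU_STACK."""
    phnum = 0 if stack_flags is None else 1
    image = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    image += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    if phnum:
        image += struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10)
    return image

if __name__ == "__main__":
    for label, flags in (("RW", 0x6), ("RWX", 0x7), ("absent", None)):
        print(label, "->", stack_policy(sample_elf32(flags)))
```

To check a real binary such as the built make_services, pass `open(path, "rb").read()` to `stack_policy`.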
For as much as this is interesting information, gnustep uses mostly gnustep-make to build packages. This is a build-system that's mostly configure-less. Further, execution of binaries usually goes through a daemon thing.
AFAIK, the ffcall lib (which has trampoline things everywhere) uses parts of gcc code for it. So it may be needed to patch ffcall for hardened?

A few things to test, Fredric, if you may: re-merge gnustep-base with USE=gcc-libffi (which can be used instead of ffcall, but is not the recommended solution anymore), try ffcall from the gnustep overlay (more up-to-date, but I'm not sure if it changes any hardened problems).

http://overlays.gentoo.org/proj/gnustep/wiki
Sorry for the delayed info. If gnustep-base is compiled with USE=gcc-libffi then compiling gnustep-gui works. When using ffcall it fails with the trampoline error, even with the ffcall from the overlay.
Good to know. The bad news is that usually libffi does not work as well as ffcall in gnustep. If you get a gnustep env working correctly though, we could force libffi on hardened (until we can see what changes could help in gnustep-base packages).
Bug #52505 had some info on this (but not much). Seems libffi is the needed way on hardened, if it works at all: tests on amd64 with libffi resulted in every single gnustep application segfaulting.
Can you test with gnustep-base-1.16.2? This new release now has working libffi on amd64, and SVN commits referred to hardened gcc too...
Using ffcall still fails in the same way. To your knowledge I don't use this anymore so I'm a bit restricted in helping with this.
I recompiled gcc with libffi flag and gnustep-base with gcc-libffi, but emerging gnustep-gui still fails with error:

-o obj/NSGraphicsContext.o
NSGraphicsContext.m: In function ‘GSCurrentContext’:
NSGraphicsContext.m:93: warning: instance variable ‘_gcontext’ is @private; this will be a hard error in the future
NSGraphicsContext.m: In function ‘+[NSGraphicsContext setCurrentContext:]’:
NSGraphicsContext.m:162: error: instance variable ‘_gcontext’ is declared private
NSGraphicsContext.m:162: error: instance variable ‘_gcontext’ is declared private
make[2]: *** [obj/NSGraphicsContext.o] Błąd 1
make[1]: *** [libgnustep-gui.all.library.variables] Błąd 2
make[1]: Opuszczenie katalogu `/var/tmp/portage/gnustep-base/gnustep-gui-0.12.1/work/gnustep-gui-0.12.1/Source'
make: *** [internal-all] Błąd 2
I struggled with this error also here: #236736
Is this still a problem in newer gnustep-gui-0.18.0?
It works for me with PAX/GRSec on and Hardened toolchain. And nothing in the log for trampolines.

Making all for service GSspell...
cd .; \
/usr/GNUstep/System/Library/Makefiles/mkinstalldirs ./obj/GSspell.obj/
/usr/GNUstep/System/Library/Makefiles/mkinstalldirs ./GSspell.service/.
x86_64-pc-linux-gnu-gcc GSspell.m -c \
-MMD -MP -DGNUSTEP -DGNUSTEP_BASE_LIBRARY=1 -DGNU_GUI_LIBRARY=1 -DGNU_RUNTIME=1 -DGNUSTEP_BASE_LIBRARY=1 -D_REENTRANT -fPIC -Wall -DGSWARN -DGSDIAGNOSE -W$
-o obj/GSspell.obj/GSspell.m.o
x86_64-pc-linux-gnu-gcc -rdynamic -Wl,-O1 -Wl,-rpath=/usr/GNUstep/System/Library/Libraries -Wl,-O1 -fgnu-runtime -o GSspell.service/./GSspell \
./obj/GSspell.obj/GSspell.m.o -Wl,-O1 -Wl,-rpath=/usr/GNUstep/System/Library/Libraries -L/usr/lib64 -L../Source/./obj -L../Model/./obj -L/usr/GNUstep/System$
/usr/GNUstep/System/Library/Makefiles/mkinstalldirs GSspell.service/Resources
(echo "{"; echo ' NOTE = "Automatically generated, do not edit!";'; \
echo " NSExecutable = \"GSspell\";"; \
if [ -r "GSspellInfo.plist" ]; then \
cat GSspellInfo.plist; \
fi; \
echo "}") >GSspell.service/Resources/Info-gnustep.plist ;\
if ././obj/make_services --test GSspell.service/Resources/Info-gnustep.plist; then : ; else rm -f GSspell.service/Resources/Info-gnustep.plist; false; \
fi
make[1]: Leaving directory `/var/tmp/portage/gnustep-base/gnustep-gui-0.18.0/work/gnustep-gui-0.18.0/Tools'

--------------

Portage 2.2_rc67 (hardened/linux/amd64/10.0, gcc-4.4.4, glibc-2.11.2-r0, 2.6.34-hardened-r1 x86_64)
=================================================================
System uname: Linux-2.6.34-hardened-r1-x86_64-Intel-R-_Xeon-R-_CPU_E5420_@_2.50GHz-with-gentoo-2.0.1
Timestamp of tree: Sun, 25 Jul 2010 21:45:01 +0000
app-shells/bash: 4.1_p7
dev-lang/python: 2.6.5-r2
dev-util/cmake: 2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.1-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.65-r1
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
virtual/os-headers: 2.6.34
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2"
CHOST="x86_64-pc-linux-gnu"
Looks like it is fixed on newer versions. Reopen if it still has the error.