2.6.23-hardened-r6 fails to link. The build fails while linking .tmp_vmlinux1:

    fs/built-in.o:(.bss+0x1640): multiple definition of `pax_set_initial_flags_func'
    arch/x86_64/ia32/built-in.o:(.bss+0x10): first defined here
    fs/built-in.o: In function `__crc_pax_set_initial_flags_func':
    (*ABS*+0x259a843b): multiple definition of `__crc_pax_set_initial_flags_func'
    make: *** [.tmp_vmlinux1] Error 1

I dug through the source a bit and here's what I found:

1) On line 52 of fs/binfmt_elf.c:

    #ifdef CONFIG_PAX_HOOK_ACL_FLAGS
    void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
    EXPORT_SYMBOL(pax_set_initial_flags_func);
    #endif

This exports pax_set_initial_flags_func if CONFIG_PAX_HOOK_ACL_FLAGS is enabled.

2) In arch/ia64/ia32/binfmt_elf32.c on line 56:

    #include "../../../fs/binfmt_elf.c"

This causes the duplicate symbol if CONFIG_IA32_EMULATION is enabled.

Reproducible: Always

Steps to Reproduce:
1. Configure on arch x86_64. Enable CONFIG_IA32_EMULATION and CONFIG_PAX_HOOK_ACL_FLAGS.
2. make
3.
Please try adjusting the #ifdef statement to:

    #if defined(CONFIG_PAX_HOOK_ACL_FLAGS) && !((defined(ELF_CLASS) && ELF_CLASS == ELFCLASS32) || (defined(elf_format) && elf_format == elf32_format))

It seems to resolve the problem for x86_64 but I am unable to test ia64. What I'm looking for is twofold:

1) For the build failure to no longer occur (naturally)
2) For the pax_set_initial_flags_func symbol to be exported, both when IA32_EMULATION is enabled and disabled.

You can check for the presence of the symbol in System.map after compilation. I'm looking to push a new release into the tree so I'd be grateful if you were to test this at your earliest convenience.
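The System.map check requested in the comment above can be scripted. This is an added example, not part of the original thread or of the hardened-sources patch: check_export is a hypothetical helper, the two sample maps are constructed, and it relies on EXPORT_SYMBOL emitting a __ksymtab_<symbol> entry next to the symbol itself.

```sh
#!/bin/sh
# check_export SYMBOL [MAPFILE]   (hypothetical helper; MAPFILE "-" = stdin)
# Exit 0: exactly one global definition plus a __ksymtab_ entry.
# Exit 1: symbol or its export entry is missing (guard removed too much).
# Exit 2: more than one global definition.
check_export() {
    awk -v s="$1" '
        # System.map lines are "address type name"; an upper-case type
        # letter marks a global symbol.
        $3 == s && $2 == toupper($2) { defs++ }
        $3 == "__ksymtab_" s         { ksym++ }
        END {
            if (defs > 1) {
                print s ": " (defs + 0) " global definitions"
                exit 2
            }
            if (defs == 1 && ksym == 1) {
                print s ": defined once and exported"
                exit 0
            }
            print s ": not exported (defs=" (defs + 0) ", ksymtab=" (ksym + 0) ")"
            exit 1
        }' "${2:-System.map}"
}

# Constructed System.map excerpt for a kernel where the export survived.
sample_fixed() { cat <<'EOF'
ffffffff80512340 r __ksymtab_pax_set_initial_flags_func
ffffffff8051f010 r __kstrtab_pax_set_initial_flags_func
ffffffff80641640 B pax_set_initial_flags_func
ffffffff80212000 T load_elf_binary
EOF
}

# Constructed excerpt where the preprocessor guard dropped the symbol
# from every translation unit.
sample_missing() { cat <<'EOF'
ffffffff80212000 T load_elf_binary
ffffffff80641700 b elf_format
EOF
}

sample_fixed   | check_export pax_set_initial_flags_func -
sample_missing | check_export pax_set_initial_flags_func - || true
```

Run it as check_export pax_set_initial_flags_func System.map once with CONFIG_IA32_EMULATION enabled and once with it disabled; both builds should exit 0.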
Hmm, just realised that you're also an x86_64 user (I saw the reference to arch/ia64/ia32 which threw me). Nonetheless, a confirmation that it resolves the problem would be appreciated. I'll try to seek out someone with ia64 hardware as I've no idea if it works as planned in that case.
The fix worked on x86_64 both with and without ia32 emulation. Unfortunately I don't have any ia64 systems to test on, nor does crossdev want to build an ia64 toolchain for me tonight.
OK, that's good enough for me. Thank you for reporting back so quickly.
Fixed in 2.6.23-r8. I'm leaving the bug open though as I suspect it will be an issue in 2.6.24 also.
*** Bug 211847 has been marked as a duplicate of this bug. ***
1. why's -hardened setting PAX_HOOK_ACL_FLAGS? it's for RSBAC users, is that part of -hardened?
2. the better fix is to move the #ifdef out of binfmt_elf to exec.c, which is what my next patch will also do.
Re: Comment 7

1. No. The "Hardened [Gentoo]" security level selects PAX_HAVE_ACL_FLAGS.
2. Thanks. I reworked the patch accordingly for 2.6.23-r9.

No need to keep this open anymore ... closing.