Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 244901 - [java-overlay]dev-java/icedtea6-1.3.1 fails with hardened profile
Summary: [java-overlay]dev-java/icedtea6-1.3.1 fails with hardened profile
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Andrew John Hughes
URL:
Whiteboard:
Keywords:
: 329263 (view as bug list)
Depends on:
Blocks: icedtea-tracker
  Show dependency tree
 
Reported: 2008-10-29 17:30 UTC by Thomas Sachau
Modified: 2010-08-23 22:20 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Sachau gentoo-dev 2008-10-29 17:30:39 UTC
Pax/Grsec outpu:
log-2008-10-28-17:10:07:Oct 28 18:13:57 [kernel] PAX: execution attempt in: <anonymous mapping>, 2f95ff054000-2f95ff2c4000 2f95ff054000
log-2008-10-28-17:10:07:Oct 28 18:13:57 [kernel] PAX: terminating task: /var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/build/linux-amd64/hotspot/outputdir/linux_amd64_compiler2/product/gamma(gamma):15951, uid/euid: 250/250, PC: 00002f95ff054060, SP: 000077dc7bf16c28
log-2008-10-28-17:10:07:Oct 28 18:13:57 [kernel] PAX: bytes at PC: 85 f6 0f 84 11 00 00 00 0f ae f0 0f ae 3f 48 83 c7 20 ff ce 
log-2008-10-28-17:10:07:Oct 28 18:13:57 [kernel] PAX: bytes at SP-8: 
log-2008-10-28-17:10:07:Oct 28 18:13:57 [kernel] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/build/linux-amd64/hotspot/outputdir/linux_amd64_compiler2/product/gamma[gamma:15951] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/build/linux-amd64/hotspot/outputdir/linux_amd64_compiler2/product/test_gamma[test_gamma:15949] uid/euid:250/250 gid/egid:250/250

Is it possible to skip this test_gamma or is it possible to have "gamma" behave hardened-accepted?

emerge --info:
Portage 2.2_rc12 (hardened/amd64/multilib, gcc-4.2.4, glibc-2.8_p20080602-r0, 2.6.26-hardened-r4 x86_64)
=================================================================
System uname: Linux-2.6.26-hardened-r4-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-glibc2.4
Timestamp of tree: Wed, 29 Oct 2008 01:45:03 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7, 2.1.6-r1
dev-lang/python:     2.5.2-r8
dev-util/cmake:      2.6.2
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.3.0-r1
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r4
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.26
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/distfiles"
FEATURES="autoconfig collision-protect distlocks fixpackages metadata-transfer parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo http://gentoo.osuosl.org/distfiles/"
LANG="de_DE.UTF-8@euro"
LC_ALL="de_DE.UTF-8@euro"
LDFLAGS=""
LINGUAS="de"
MAKEOPTS="-j5 --load-average=8"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/sunrise /usr/local/portage/layman/java-overlay /usr/local/portage/layman/toolchain-overlay /usr/local/portage/layman/enlightenment /usr/local/portage"
SYNC="cvs://tommy@cvs.gentoo.org:/var/cvsroot"
USE="3dnow X alsa amd64 berkdb cracklib crypt cups gpm hardened justify midi ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pic readline scanner sse sse2 ssl tcpd unicode urandom vorbis xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Thomas Sachau gentoo-dev 2008-10-29 17:31:59 UTC
last lines of build.log:

eam.o yieldingWorkgroup.o vectset.o  linux_amd64.o -Wl,-Bstatic -lstdc++ -Wl,-Bdynamic -lm -ldl -lpthread;       \
	                                        \
	    rm -f libjvm.so.1; ln -s libjvm.so libjvm.so.1;                                  \
	    if [ -x /usr/sbin/selinuxenabled ] ; then                   \
	      /usr/sbin/selinuxenabled;                                 \
              if [ $? = 0 ] ; then					\
		/usr/bin/chcon -t textrel_shlib_t libjvm.so;                   \
		if [ $? != 0 ]; then                                   \
		  echo "ERROR: Cannot chcon libjvm.so"; exit 1;                \
		fi							\
	      fi							\
	    fi                                                          \
	}
Linking vm...
{ \
	    echo Linking launcher...; \
	     \
	    gcc -m64 -Xlinker -O1 -m64 -export-dynamic  -L `pwd` -o gamma launcher.o -ljvm -lm -ldl -lpthread; \
	     \
        }
Linking launcher...
make[6]: Leaving directory `/var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/build/linux-amd64/hotspot/outputdir/linux_amd64_compiler2/product'
All done.
make[5]: Leaving directory `/var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/build/linux-amd64/hotspot/outputdir/linux_amd64_compiler2/product'
cd linux_amd64_compiler2/product && ./test_gamma
./test_gamma: line 10: 15951 Getötet                ./${gamma:-gamma} -Xbatch -showversion Queens < /dev/null
make[4]: *** [product] Fehler 137
make[4]: Leaving directory `/var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/build/linux-amd64/hotspot/outputdir'
make[3]: *** [generic_build2] Fehler 2
make[3]: Leaving directory `/var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/hotspot/make'
make[2]: *** [product] Fehler 2
make[2]: Leaving directory `/var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/hotspot/make'
make[1]: *** [hotspot-build] Fehler 2
make[1]: Leaving directory `/var/tmp/portage/dev-java/icedtea6-1.3.1/work/icedtea6-1.3.1/openjdk/control/make'
make: *** [stamps/icedtea.stamp] Fehler 2
Comment 2 Andrew John Hughes 2008-10-30 17:37:45 UTC
This needs to be filed with Sun - it's a bug in the OpenJDK build, not IcedTea or the ebuild.
Comment 3 Andrew John Hughes 2008-12-18 01:16:10 UTC
Skipping test_gamma should be ok.  By this stage, you will have already skipped it once during the bootstrap openjdk-ecj stage (this patches it out).
Comment 5 Dennis Schridde 2009-12-19 12:00:21 UTC
dev-java/icedtea6-1.3 is not anymore in the tree since a while, is the issue fixed in 1.6?
Comment 6 Thomas Sachau gentoo-dev 2009-12-19 16:12:15 UTC
(In reply to comment #5)
> dev-java/icedtea6-1.3 is not anymore in the tree since a while, is the issue
> fixed in 1.6?
> 

This is about icedtea6, not icedtea6-bin, it was and still is only in the java-overlay. And the issue still exists. Just have a look at the bug i opened with sun to see the current state.
Comment 7 Andrew John Hughes 2010-08-11 21:43:33 UTC
test_gamma is now disabled on hardened profiles with a patch for 1.7.4 and 1.8.1 in java-overlay.  Please try this and report back.
Comment 8 Thomas Sachau gentoo-dev 2010-08-13 16:13:50 UTC
(In reply to comment #7)
> test_gamma is now disabled on hardened profiles with a patch for 1.7.4 and
> 1.8.1 in java-overlay.  Please try this and report back.
> 

I tried an adjusted 6.1.8.1-r1 and it the patch allows me to build icedtea:6 without the need to disable pax features.
Comment 9 Andrew John Hughes 2010-08-15 17:21:04 UTC
What adjustments were needed?
Comment 10 Thomas Sachau gentoo-dev 2010-08-15 18:33:48 UTC
(In reply to comment #9)
> What adjustments were needed?
> 

I am crosscompiling 32bit libs on my amd64 arch with multilib-portage. Currently, it needs some adjustments in the icedtea ebuild to work for icedtea too.
Comment 11 Magnus Granberg gentoo-dev 2010-08-23 22:20:20 UTC
*** Bug 329263 has been marked as a duplicate of this bug. ***