[288680.068215] PAX: From 31.135.xx.xx: execution attempt in: <anonymous mapping>, 325515a6000-32557178000 325515a6000 [288680.068218] PAX: terminating task: /usr/bin/zpaq(zpaq):40061, uid/euid: 0/0, PC: 00000325515a6000, SP: 000003255815dbc8 [288680.068221] PAX: bytes at PC: e9 05 00 00 00 e9 e2 00 00 00 53 55 56 57 48 8b b7 50 08 00 [288680.068228] PAX: bytes at SP-8: 000003255815dda0 0000032559107a8e 0000000000f42400 b12163efac005e3f 0000000000001000 0000 0058013c64bb 000003255815dcd0 000003255815dd90 0000000000f42400 0000032559107ec6 0000000000001000 (gdb) bt #0 0x00000325515a6000 in ?? () #1 0x0000032559107a8e in libzpaq::Encoder::compress(int) () from /usr/lib64/libzpaq.so.2 #2 0x0000032559107ec6 in libzpaq::Compressor::postProcess(char const*, int) () from /usr/lib64/libzpaq.so.2 #3 0x00000058013b4703 in compress (job=...) at /var/tmp/portage/app-arch/zpaq-4.04/work/zpaq.cpp:789 #4 0x00000058013b511a in thread (arg=0x58041eed20) at /var/tmp/portage/app-arch/zpaq-4.04/work/zpaq.cpp:900 #5 0x000003255878ec5c in start_thread (arg=0x32558179700) at pthread_create.c:301 #6 0x00000325584d59cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
# emerge --info FEATURES variable contains unknown value(s): Xkeepwork, Xprofile, Xtest, profile-use Portage 2.2.0_alpha100 (hardened/linux/amd64, gcc-4.5.3, glibc-2.13-r4, 3.3.1-hardened x86_64) ================================================================= System uname: Linux-3.3.1-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_930_@_2.80GHz-with-gentoo-2.0.3 Timestamp of tree: Tue, 10 Apr 2012 21:00:01 +0000 ccache version 3.1.7 [enabled] app-shells/bash: 4.2_p20 dev-lang/python: 2.7.2-r3, 3.2.2 dev-util/ccache: 3.1.7 dev-util/cmake: 2.8.6-r4 dev-util/pkgconfig: 0.26 sys-apps/baselayout: 2.0.3 sys-apps/openrc: 0.9.8.4 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.68 sys-devel/automake: 1.11.1 sys-devel/binutils: 2.21.1-r1 sys-devel/gcc: 4.5.3-r2 sys-devel/gcc-config: 1.5-r2 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82-r1 sys-kernel/linux-headers: 3.1 (virtual/os-headers) sys-libs/glibc: 2.13-r4 Repositories: gentoo Installed sets: ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O0 -g -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -O0 -g -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS=" --quiet-build=n" FEATURES="Xkeepwork Xprofile Xtest assume-digests binpkg-logs ccache collision-protect distlocks ebuild-locks fail-clean fixlafiles news parallel-fetch preserve-libs profile-use protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="" GENTOO_MIRRORS="http://gentoo.mneisen.org/" LANG="pl_PL.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="pl en" MAKEOPTS="-j2 -l2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_EXTRA_OPTS="-O" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="acpi amd64 apache2 bash-completion caps hardened idn iproute2 ipv6 mmap mmx mmxext modules multilib nls openmp openssl smp sse sse2 sse3 sse4 sse4a ssse3 syslog threads threadsafe unicode urandom vhosts vim-syntax xtpax" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon auth_digest authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user cache cgid dav dav_fs dav_lock dir env expires ext_filter filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" KERNEL="linux" LINGUAS="pl en" NGINX_MODULES_HTTP="access browser charset gzip map limit_zone proxy rewrite stub_status" PHP_TARGETS="php5-3" USERLAND="GNU" XTABLES_ADDONS="geoip ipset6 psd sysrq tarpit" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
I'll probably just add USE=jit for it.
Ok, libzpaq now has USE=jit. I dunno how to handle Hardened issues, I guess either package has to get some special powers or they could just mask libzpaq[jit] in Hardened profile.
Marcin did it work with the jit flag of?
Yes, zpaq (libzpaq) with "-jit" works on hardened system.
Could someone retry with the current 7.* version, and see if pax-marking helps?
(In reply to Michał Górny from comment #6) > Could someone retry with the current 7.* version, and see if pax-marking > helps? Yes, someone can retry;) It works almost good. On hardened kernel, using lipzpaq[-jit] it looks that works correctly: (readding the same file): $ zpaq add test /usr/portage/distfiles/mysql-5.6.30.tar.gz zpaq v7.04 journaling archiver, compiled May 24 2016 test.zpaq: 4 versions, 1 files, 484 fragments, 30.829637 MB Adding 0.000000 MB in 0 files -method 14 -threads 4 at 2016-05-24 10:28:13. 0 +added, 0 -removed. 30.829637 + (0.000000 -> 0.000000 -> 0.000104) = 30.829741 MB 0.035 seconds (all OK) When libzpaq is compiled with USE=jit then I'm getting: $ zpaq add test /usr/portage/distfiles/mysql-5.6.30.tar.gz zpaq v7.04 journaling archiver, compiled May 24 2016 test.zpaq: Skipping block at 30827124: allocx failed 5 versions, 0 files, 484 fragments, 30.829741 MB Adding 32.223818 MB in 1 files -method 14 -threads 4 at 2016-05-24 10:31:29. 100.00% 0:00:00 + /usr/portage/distfiles/mysql-5.6.30.tar.gz 32223818 -> 0 1 +added, 0 -removed. 30.829741 + (32.223818 -> 0.000000 -> 0.002513) = 30.832254 MB 0.871 seconds (with errors) and kernel throws: 2016-05-24T12:31:29.852459+02:00 jowisz kernel: [432572.787418] grsec: From 194.zz.xx.yy: denied RWX mmap of <anonymous mapping> by /usr/bin/zpaq[zpaq:19569] uid/euid:1000/1000 gid/egid:1000/1000, parent /b in/bash[bash:14229] uid/euid:1000/1000 gid/egid:1000/1000
Could you try to play a bit with PaX flags to see which ones make jit work?
With "-m disable MPROTECT" on /usr/bin/zpaq zpaq works with app-arch/libzpaq[jit]
commit 2c9e3ae1f1afaf8eefb25ed43ba4a077eab3d92f Author: Michał Górny <mgorny@gentoo.org> AuthorDate: Sun Jul 3 15:27:43 2016 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: Sun Jul 3 15:29:24 2016 app-arch/zpaq: Fix Hardened w/ USE=jit, #411521 Should be fixed now (in 7.13-r1).
Thank you.
