Currently the eclass intelligently looks for paxctl first, then failing that scanelf to set the PT_PAX flags. With both xattr and PT_PAX flags we need to think of a new logic because, if we move towards removing the PT_PAX phdr from our elfs, then we can have situations where the user's system can

1) support both xattrs (on all necessary filesystems) and PT_PAX markings
2) support only xattr
3) support only PT_PAX
4) support none, in which case pax marking is not possible. (A pax enabled kernel will automatically enforce the defaults.)

The tools we have are:

1) paxctl-ng which can set both xattrs and PT_PAX
2) The plugin pypax.so which can set both xattrs and PT_PAX
3) setfattr/getfattr which can set only xattrs
4) paxctl which can set only PT_PAX
5) scanelf which can set only PT_PAX

Created attachment 329156 [details] Proposed update to pax-util.eclass
This eclass depends on >=sys-apps/elfix-0.6.0 which I just added to the tree. To get backward compat working nicely I had to add another feature to paxctl-ng which allows one to set *only* PT_PAX flags or XT_PAX flags, respectively paxctl-ng -L and paxctl-ng -l. So it will be a while before those are stabilized. In the meantime, hardened@ can review it. After 30 days when elfix-0.6.0 (or better) is stabilized, I'll email gentoo-dev@ with this proposal.
Created attachment 331378 [details] oracle-jdk-bin-1.7.0.9-build.log
java-vm_set-pax-markings failed!
(In reply to comment #2)
> Created attachment 331378 [details]
> oracle-jdk-bin-1.7.0.9-build.log
>
> java-vm_set-pax-markings failed!

This is the wrong bug. Please read the bugs carefully and make sure your issue is related to the bug.
Comment on attachment 329156 [details] Proposed update to pax-util.eclass
Be nice to get a diff here. I guess we'll need to update scanelf too?
Created attachment 334076 [details] Update to the proposed eclass.
This update addresses bug #447616 with >=sys-apps/elfix-0.8.0
Created attachment 334078 [details, diff] Diff of proposed pax-utils.eclass to current version on the tree.
We do not need to touch scanelf. The logic goes something like this:

1) If we want to set PT_PAX, then
   a) first see if paxctl-ng exists and can do PT_PAX markings (paxctl-ng -L)
   b) if it doesn't exist/work, fall back on paxctl
   c) if paxctl doesn't exist fall back on scanelf
2) If we want to set XATTR_PAX then
   a) first see if paxctl-ng exists and can do XATTR_PAX markings (paxctl-ng -l)
   b) if it doesn't exist/work, fall back on setfattr

If we exhaust possibilities, then ewarn.

paxctl-ng is part of sys-fs/elfix. The git repo for the code and other goodies are at http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary
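
The fallback order described in the comment above, written out as an added shell example; it is not the eclass code and not part of the thread. The function names (have, pax_pick_tool, pax_mark_cmd) are hypothetical, and every argument form other than the paxctl-ng -L and -l probes, including the user.pax.flags attribute name, is an assumption about how each tool is invoked.

```shell
#!/bin/sh
# Added example, not the eclass code. Tool order follows the comment above.

# have TOOL: true when TOOL is found on PATH.
have() { command -v "$1" >/dev/null 2>&1; }

# pax_pick_tool pt|xattr: print the first usable marking tool.
# Returns 1 when the possibilities are exhausted (the caller should warn,
# which is the ewarn step in the thread), 2 on an unknown marking type.
pax_pick_tool() {
    case "$1" in
    pt)
        # Probes from the thread: existence alone is not enough for paxctl-ng,
        # "paxctl-ng -L" must also succeed before PT_PAX marking is attempted.
        if have paxctl-ng && paxctl-ng -L >/dev/null 2>&1; then echo paxctl-ng
        elif have paxctl; then echo paxctl
        elif have scanelf; then echo scanelf
        else return 1
        fi ;;
    xattr)
        if have paxctl-ng && paxctl-ng -l >/dev/null 2>&1; then echo paxctl-ng
        elif have setfattr; then echo setfattr
        else return 1
        fi ;;
    *)  return 2 ;;
    esac
}

# pax_mark_cmd pt|xattr FLAGS FILE: dry run, prints the command that would be
# used. The argument forms are assumptions, see the lead-in.
pax_mark_cmd() {
    tool=$(pax_pick_tool "$1") || { echo "no tool for $1 markings" >&2; return 1; }
    case "$1:$tool" in
    pt:paxctl-ng)    echo "paxctl-ng -L -$2 $3" ;;
    pt:paxctl)       echo "paxctl -q$2 $3" ;;
    pt:scanelf)      echo "scanelf -Xxz $2 $3" ;;
    xattr:paxctl-ng) echo "paxctl-ng -l -$2 $3" ;;
    xattr:setfattr)  echo "setfattr -n user.pax.flags -v $2 $3" ;;
    esac
}
```
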
(In reply to comment #2)
> Created attachment 331378 [details]
> oracle-jdk-bin-1.7.0.9-build.log
>
> java-vm_set-pax-markings failed!

@Alphat-PC, I'm very sorry! Your report is related, I confused your issue with something else. Can you please test with the latest proposed pax-util.eclass with >=sys-apps/elfix-0.8.0. I did at my end and it works on oracle-jdk-bin.
I had to update the eclass to address bug #445948. I will attach the new proposed eclass and a diff to the current. The rewrite is extensive so I'm not so sure the diff is useful.
Created attachment 338450 [details, diff] Proposed eclass.
Created attachment 338452 [details, diff] Diff of proposed pax-utils.eclass to current version on the tree.
Actually I realized as I updated that I can shorten my sanitize-flags() to something like

    for f in z P p E e M m R r S s ; do
        [[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
    done
Created attachment 338496 [details] Proposed eclass.
Alphat-PC showed me an even better bashism that works.
Created attachment 338498 [details, diff] Diff of proposed pax-utils.eclass to current version on the tree.
pax-utils.eclass has been updated on the tree. Please open separate bug reports for any problems. (This bug was just about getting it into the tree.)