Comment 1 Anthony Basile 2013-01-13 14:12:46 UTC

(In reply to comment #0)
> Created attachment 331412 [details]
> oracle-jdk-bin-1.7.0.9-build.log
> 
> 1. emerge sys-apps/elfix-0.6.0
> 2. override pax-utils.eclass with
> https://431092.bugs.gentoo.org/attachment.cgi?id=329156
> 3. set PAX_MARKINGS="XT PT"
> 4. emerge dev-java/oracle-jdk-bin-1.7.0.9, and then PT PaX marking -Cm fails.

This is fixed with elfix-0.8.1.  For more information, see

    http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml

    http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

I removed 0.6.0 so this won't be repeated.  Can you test and reopen this bug if it happens for either 0.7.0 (stable) or 0.8.1 (next candidate).

(In reply to comment #1)
> (In reply to comment #0)
> > Created attachment 331412 [details]
> > oracle-jdk-bin-1.7.0.9-build.log
> > 
> > 1. emerge sys-apps/elfix-0.6.0
> > 2. override pax-utils.eclass with
> > https://431092.bugs.gentoo.org/attachment.cgi?id=329156
> > 3. set PAX_MARKINGS="XT PT"
> > 4. emerge dev-java/oracle-jdk-bin-1.7.0.9, and then PT PaX marking -Cm fails.
> 
> This is fixed with elfix-0.8.1.  For more information, see
> 
>     http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml
> 
>     http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
> 
> I removed 0.6.0 so this won't be repeated.  Can you test and reopen this bug
> if it happens for either 0.7.0 (stable) or 0.8.1 (next candidate).


I’m very sorry I’m late.

dev-java/oracle-jdk-bin still fails to emerge with elfix-0.8.1 and hardened-development/eclass/pax-utils.eclass!

Created attachment 337732 [details]
oracle-jdk-bin-1.7.0.11-build.log

paxctl-ng -Cm binary
paxctl-ng -ze binary

doesn't work.(In reply to comment #1)
> (In reply to comment #0)
> > Created attachment 331412 [details]
> > oracle-jdk-bin-1.7.0.9-build.log
> > 
> > 1. emerge sys-apps/elfix-0.6.0
> > 2. override pax-utils.eclass with
> > https://431092.bugs.gentoo.org/attachment.cgi?id=329156
> > 3. set PAX_MARKINGS="XT PT"
> > 4. emerge dev-java/oracle-jdk-bin-1.7.0.9, and then PT PaX marking -Cm fails.
> 
> This is fixed with elfix-0.8.1.  For more information, see
> 
>     http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml
> 
>     http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
> 
> I removed 0.6.0 so this won't be repeated.  Can you test and reopen this bug
> if it happens for either 0.7.0 (stable) or 0.8.1 (next candidate).

paxctl-ng -Cm binary
paxctl-ng -ze binary

doesn't work.

Comment 5 Anthony Basile 2013-02-03 02:42:34 UTC

> paxctl-ng -Cm binary
> paxctl-ng -ze binary
> 
> doesn't work.

Correct, the flag combination Cm and ze are incorrect.  According to the help:


  paxctl-ng -PpEeMmRrSs|-Z|-z [-L|-l] [-v] ELF
                       ^  ^ 
                     these are or's

So either -e or -z but not both.

So the problem comes in java-vm_set-pax-markings() where we have:

   local pax_markings="C"
   local pax_markings+="m"
   use x86 && pax_markings+="sp"
   pax-mark ${pax_markings} $(list-paxables "${executables[@]}")

This should be changed to

   pax-mark C $(list-paxables "${executables[@]}")

   local pax_markings="m"
   use x86 && pax_markings+="sp"
   pax-mark ${pax_markings} $(list-paxables "${executables[@]}")

This will work for either paxctl-ng or paxctl in case the eclass has to fall back.

I see where the Cm combo is coming in but where is the ze encountered?

BTW, I'd recommend switching from C to c.  Does java need GNU_STACK to run correctly, or can it be converted ti a PAX_FLAGS?

(In reply to comment #5)
>    use x86 && pax_markings+="sp"

maybe i'm forgetting something here, but why does java need pageexec/segmexec (i.e., just the basic non-exec page stuff) off? if that were true, it should fail to run on vanilla as well on NX capable CPUs... now i do have memories that some very old (read: decade+) versions of the SUN JVM had some FPU init code in a .data (and hence non-executable) segment, but surely nothing like that would apply to modern versions?

> BTW, I'd recommend switching from C to c.  Does java need GNU_STACK to run
> correctly, or can it be converted ti a PAX_FLAGS?

nothing needs GNU_STACK under PaX (or anywhere else either IMHO ;), dependning on the app/problem, you either want MPROTECT off or EMUTRAMP on.

Comment 7 Ralph Sennhauser (RETIRED) 2013-02-03 07:21:44 UTC

The 'C' was added on request of the the hardened team. Can be changed again if desired.

Originally only 'm' was used. 'sp' was added to x86 for heap sizes over ~800Mb.

(In reply to comment #7)
> Originally only 'm' was used. 'sp' was added to x86 for heap sizes over
> ~800Mb.

why, what happens when the heap reaches 800MB? is there some bugreport on it? or a reproducible test?

Comment 9 Ralph Sennhauser (RETIRED) 2013-02-03 13:30:49 UTC

(In reply to comment #8)
> (In reply to comment #7)
> > Originally only 'm' was used. 'sp' was added to x86 for heap sizes over
> > ~800Mb.
> 
> why, what happens when the heap reaches 800MB? is there some bugreport on
> it? or a reproducible test?

bug 389751, there are more that I probably can dig up in our bugzilla if needed.

(In reply to comment #5)
> > paxctl-ng -Cm binary
> > paxctl-ng -ze binary
> > 
> > doesn't work.
> 
> Correct, the flag combination Cm and ze are incorrect.  According to the
> help:
> 
> 
>   paxctl-ng -PpEeMmRrSs|-Z|-z [-L|-l] [-v] ELF
>                        ^  ^ 
>                      these are or's
> 
> So either -e or -z but not both.
> 
> So the problem comes in java-vm_set-pax-markings() where we have:
> 
>    local pax_markings="C"
>    local pax_markings+="m"
>    use x86 && pax_markings+="sp"
>    pax-mark ${pax_markings} $(list-paxables "${executables[@]}")
> 
> This should be changed to
> 
>    pax-mark C $(list-paxables "${executables[@]}")
> 
>    local pax_markings="m"
>    use x86 && pax_markings+="sp"
>    pax-mark ${pax_markings} $(list-paxables "${executables[@]}")
> 
> This will work for either paxctl-ng or paxctl in case the eclass has to fall
> back.
> 
> I see where the Cm combo is coming in but where is the ze encountered?

find /usr/portage/ -type f | xargs grep -Hn --color 'pax-mark.*\(Cm\|ze\)'
/usr/portage/net-mail/notmuch/ChangeLog:222:  Combined pax-mark flags -z and -e into -ze, because pax-mark interpreted later
/usr/portage/net-mail/notmuch/notmuch-0.10.2-r3.ebuild:113:	pax-mark -ze notmuch
/usr/portage/net-mail/notmuch/notmuch-0.11.1-r3.ebuild:109:	pax-mark -ze notmuch
/usr/portage/net-mail/notmuch/notmuch-0.12.ebuild:102:	pax-mark -ze notmuch
/usr/portage/net-mail/notmuch/notmuch-0.13.1.ebuild:114:	pax-mark -ze notmuch
/usr/portage/net-mail/notmuch/notmuch-0.14-r1.ebuild:115:	pax-mark -ze notmuch
/usr/portage/net-mail/notmuch/notmuch-0.15.1.ebuild:135:	pax-mark -ze notmuch
/usr/portage/net-mail/notmuch/notmuch-0.15.ebuild:135:	pax-mark -ze notmuch
/usr/portage/net-im/skype/skype-2.2.0.35-r99.ebuild:110:		pax-mark Cm "${ED}"/opt/skype/skype || die
/usr/portage/net-im/skype/skype-4.0.0.8-r1.ebuild:86:		pax-mark Cm "${ED}"/opt/bin/${PN} || die
/usr/portage/net-im/skype/skype-4.1.0.20.ebuild:68:		pax-mark Cm "${ED}"/opt/bin/${PN} || die
/usr/portage/media-gfx/darktable/darktable-1.1.2-r1.ebuild:95:		pax-mark Cm "${ED}"/usr/bin/${PN} || die
/usr/portage/media-gfx/darktable/darktable-1.1.2.ebuild:95:		pax-mark Cm "${ED}"/usr/bin/${PN} || die
/usr/portage/media-gfx/darktable/darktable-9999.ebuild:95:		pax-mark Cm "${ED}"/usr/bin/${PN} || die

Comment 11 Anthony Basile 2013-02-03 22:47:28 UTC

(In reply to comment #10)
> (In reply to comment #5)
> > > paxctl-ng -Cm binary
> > > paxctl-ng -ze binary
> > > 
> > > doesn't work.
> > 
> > Correct, the flag combination Cm and ze are incorrect.  According to the
> > help:
> > 
> > 
> >   paxctl-ng -PpEeMmRrSs|-Z|-z [-L|-l] [-v] ELF
> >                        ^  ^ 
> >                      these are or's
> > 
> > So either -e or -z but not both.
> > 
> > So the problem comes in java-vm_set-pax-markings() where we have:
> > 
> >    local pax_markings="C"
> >    local pax_markings+="m"
> >    use x86 && pax_markings+="sp"
> >    pax-mark ${pax_markings} $(list-paxables "${executables[@]}")
> > 
> > This should be changed to
> > 
> >    pax-mark C $(list-paxables "${executables[@]}")
> > 
> >    local pax_markings="m"
> >    use x86 && pax_markings+="sp"
> >    pax-mark ${pax_markings} $(list-paxables "${executables[@]}")
> > 
> > This will work for either paxctl-ng or paxctl in case the eclass has to fall
> > back.
> > 
> > I see where the Cm combo is coming in but where is the ze encountered?
> 
> find /usr/portage/ -type f | xargs grep -Hn --color 'pax-mark.*\(Cm\|ze\)'
> /usr/portage/net-mail/notmuch/ChangeLog:222:  Combined pax-mark flags -z and
> -e into -ze, because pax-mark interpreted later
> /usr/portage/net-mail/notmuch/notmuch-0.10.2-r3.ebuild:113:	pax-mark -ze
> notmuch
> /usr/portage/net-mail/notmuch/notmuch-0.11.1-r3.ebuild:109:	pax-mark -ze
> notmuch
> /usr/portage/net-mail/notmuch/notmuch-0.12.ebuild:102:	pax-mark -ze notmuch
> /usr/portage/net-mail/notmuch/notmuch-0.13.1.ebuild:114:	pax-mark -ze notmuch
> /usr/portage/net-mail/notmuch/notmuch-0.14-r1.ebuild:115:	pax-mark -ze
> notmuch
> /usr/portage/net-mail/notmuch/notmuch-0.15.1.ebuild:135:	pax-mark -ze notmuch
> /usr/portage/net-mail/notmuch/notmuch-0.15.ebuild:135:	pax-mark -ze notmuch
> /usr/portage/net-im/skype/skype-2.2.0.35-r99.ebuild:110:		pax-mark Cm
> "${ED}"/opt/skype/skype || die
> /usr/portage/net-im/skype/skype-4.0.0.8-r1.ebuild:86:		pax-mark Cm
> "${ED}"/opt/bin/${PN} || die
> /usr/portage/net-im/skype/skype-4.1.0.20.ebuild:68:		pax-mark Cm
> "${ED}"/opt/bin/${PN} || die
> /usr/portage/media-gfx/darktable/darktable-1.1.2-r1.ebuild:95:		pax-mark Cm
> "${ED}"/usr/bin/${PN} || die
> /usr/portage/media-gfx/darktable/darktable-1.1.2.ebuild:95:		pax-mark Cm
> "${ED}"/usr/bin/${PN} || die
> /usr/portage/media-gfx/darktable/darktable-9999.ebuild:95:		pax-mark Cm
> "${ED}"/usr/bin/${PN} || die


Can you find all combinations of flags given to pax-mark and see which break against paxctl-ng.  I can either fix this in the eclass or I can fix it in paxctl-ng.  If its just Cm and ze I'll just do the eclass fix.

Created attachment 337882 [details]
'pax-mark \(Cm\|cm\|-ze\|-PemRxS\)'

> Can you find all combinations of flags given to pax-mark and see which break
> against paxctl-ng.  I can either fix this in the eclass or I can fix it in
> paxctl-ng.  If its just Cm and ze I'll just do the eclass fix.

pax-mark Cm
pax-mark cm
pax-mark -ze
pax-mark -PemRxS (obsolete flag 'x')

That's all combinations of flags which may break against paxctl-ng.

Comment 13 Anthony Basile 2013-02-05 02:42:20 UTC

(In reply to comment #12)
> Created attachment 337882 [details]
> 'pax-mark \(Cm\|cm\|-ze\|-PemRxS\)'
> 
> > Can you find all combinations of flags given to pax-mark and see which break
> > against paxctl-ng.  I can either fix this in the eclass or I can fix it in
> > paxctl-ng.  If its just Cm and ze I'll just do the eclass fix.
> 
> pax-mark Cm
> pax-mark cm
> pax-mark -ze
> pax-mark -PemRxS (obsolete flag 'x')
> 
> That's all combinations of flags which may break against paxctl-ng.

Yeah I got this too.  The issue really is just the C, c and z flags combo.  This is easily fixed in the ebuild.  I'll have another go at the eclass tomorrow.  Thanks for pointing this out.

Comment 14 Ralph Sennhauser (RETIRED) 2013-02-05 05:28:11 UTC

(In reply to comment #13)
> (In reply to comment #12)
> > Created attachment 337882 [details]
> > 'pax-mark \(Cm\|cm\|-ze\|-PemRxS\)'
> > 
> > > Can you find all combinations of flags given to pax-mark and see which break
> > > against paxctl-ng.  I can either fix this in the eclass or I can fix it in
> > > paxctl-ng.  If its just Cm and ze I'll just do the eclass fix.
> > 
> > pax-mark Cm
> > pax-mark cm
> > pax-mark -ze
> > pax-mark -PemRxS (obsolete flag 'x')
> > 
> > That's all combinations of flags which may break against paxctl-ng.
> 
> Yeah I got this too.  The issue really is just the C, c and z flags combo. 
> This is easily fixed in the ebuild.  I'll have another go at the eclass
> tomorrow.  Thanks for pointing this out.

May I add, as a user of pax-mark, all I want is to specify the flags only, which type of markings(ea,pt,xt) and how they are applied shouldn't be my concern. So C should have never been required. The pax-utils.eclass should know how to handle the that.

Comment 15 Anthony Basile 2013-02-05 15:03:13 UTC

(In reply to comment #14)
> (In reply to comment #13)
> > (In reply to comment #12)
> > > Created attachment 337882 [details]
> > > 'pax-mark \(Cm\|cm\|-ze\|-PemRxS\)'
> > > 
> > > > Can you find all combinations of flags given to pax-mark and see which break
> > > > against paxctl-ng.  I can either fix this in the eclass or I can fix it in
> > > > paxctl-ng.  If its just Cm and ze I'll just do the eclass fix.
> > > 
> > > pax-mark Cm
> > > pax-mark cm
> > > pax-mark -ze
> > > pax-mark -PemRxS (obsolete flag 'x')
> > > 
> > > That's all combinations of flags which may break against paxctl-ng.
> > 
> > Yeah I got this too.  The issue really is just the C, c and z flags combo. 
> > This is easily fixed in the ebuild.  I'll have another go at the eclass
> > tomorrow.  Thanks for pointing this out.
> 
> May I add, as a user of pax-mark, all I want is to specify the flags only,
> which type of markings(ea,pt,xt) and how they are applied shouldn't be my
> concern. So C should have never been required. The pax-utils.eclass should
> know how to handle the that.


Agreed on the C.  It is useless for XATTR_PAX markings and potentially dangerous for PT_PAX.  I'm thinking of how to implement this as cleanly as possible in the eclass.

(In reply to comment #15)
> Agreed on the C.  It is useless for XATTR_PAX markings and potentially
> dangerous for PT_PAX.  I'm thinking of how to implement this as cleanly as
> possible in the eclass.

why don't you just add -cC automatically to the paxctl cmdline? it'll do the right thing, that is, progressively try methods to establish PT_PAX_FLAGS.

(In reply to comment #9)
> (In reply to comment #8)
> > why, what happens when the heap reaches 800MB? is there some bugreport on
> > it? or a reproducible test?
> 
> bug 389751, there are more that I probably can dig up in our bugzilla if
> needed.

so it's a problem if running out of the userland address space, and i'm afraid disabling SEGMEXEC and PAGEEXEC won't solve anything there. sure, SEGMEXEC halves the address space so you can get back some of it by disabling it, but PAGEEXEC runs with the normal linux address space size and disabling it won't change anything. not to mention that you can of course try to run with a big enough heap that won't fit the normal address space (3GB) either, then what? disable the kernel? ;)

in any case, this has nothing to do with security and therefore paxctl -sp should not be done in the ebuild. instead warn users about the fact that SEGMEXEC halves the address space (something they should know already as it's documented) and that even without it there're limits to it so they should run a 64 bit version of java if they have such requirements for the java heap.

Comment 18 Ralph Sennhauser (RETIRED) 2013-02-05 17:05:48 UTC

(In reply to comment #17)
> (In reply to comment #9)
> > (In reply to comment #8)
> > > why, what happens when the heap reaches 800MB? is there some bugreport on
> > > it? or a reproducible test?
> > 
> > bug 389751, there are more that I probably can dig up in our bugzilla if
> > needed.
> 
> so it's a problem if running out of the userland address space, and i'm
> afraid disabling SEGMEXEC and PAGEEXEC won't solve anything there. sure,
> SEGMEXEC halves the address space so you can get back some of it by
> disabling it, but PAGEEXEC runs with the normal linux address space size and
> disabling it won't change anything. not to mention that you can of course
> try to run with a big enough heap that won't fit the normal address space
> (3GB) either, then what? disable the kernel? ;)
> 

The point being, twice as much is about the limit for jvm heap size on x86, with or without pax.

> in any case, this has nothing to do with security and therefore paxctl -sp
> should not be done in the ebuild.

Here you lost me, we disable security features because they cause bugs / make a working system impossible.

> instead warn users about the fact that
> SEGMEXEC halves the address space (something they should know already as
> it's documented) and that even without it there're limits to it so they
> should run a 64 bit version of java if they have such requirements for the
> java heap.

Icedtea not being able to build itself is obviously not an option and so disabling SEGMEXEC stays. ;)

Disabling PAGEEXEC was suggested a few times in different bugs as I recall and  finally signed off by zorry in #gentoo-hardened. If it shouldn't be required, it of course can be dropped.

Note: for testing, the icedtea build files need to be patched or the results will be screwed.

Note 2: the regular bug reports of x86 hardened users for different jvms stopped when 'sp' was added.

(In reply to comment #18)
> The point being, twice as much is about the limit for jvm heap size on x86,
> with or without pax.

so why do you disable PaX features then if PaX per se has nothing to do with the problem? ;)

> > in any case, this has nothing to do with security and therefore paxctl -sp
> > should not be done in the ebuild.
> 
> Here you lost me, we disable security features because they cause bugs /
> make a working system impossible.

ok, let me try it from another angle ;). in case you're not aware, on i386 kernels the userland/kernel address space split can be configured, userland can be 1/2/3GB (and some variations of them) in size. as you can guess, choosing anything but the default 3GB would result in the exact same symptoms for the java heap size problem as with SEGMEXEC. 

yet you're not forbidding these kernel options nor do you provide a runtime workaround (there isn't one). i call that an inconsistency in your argument and ask again why you disable SEGMEXEC when the problem is not its existence but the collision between user requirements and reality?

the solution for that is not blindly disabling SEGMEXEC for *everyone* (i.e., even those not running into this problem), but educating the users to choose their poison^Wkernel features carefully.

> Icedtea not being able to build itself is obviously not an option and so
> disabling SEGMEXEC stays. ;)

then disable SEGMEXEC for *building* icedtea only, not for everyone permanently. and also tell me how you handle the other CONFIG_VMSPLIT_* options 'cos now i'm really curious ;). if the answer is 'we do not' then please apply that to SEGMEXEC as well.

> Disabling PAGEEXEC was suggested a few times in different bugs as I recall
> and  finally signed off by zorry in #gentoo-hardened. If it shouldn't be
> required, it of course can be dropped.

care to show me where this happened? the only reason i'd disable PAGEEXEC is if i had a (now) really old CPU without NX support where the old PAGEEXEC method is less efficient than SEGMEXEC.

> Note 2: the regular bug reports of x86 hardened users for different jvms
> stopped when 'sp' was added.

i can produce bug reports with sufficiently big heap sizes (and i didn't even mention that ASLR can cause it randomly too) even with SEGMEXEC/PAGEEXEC disabled. what will you do about CONFIG_VMSPLIT_* again? ;)

Comment 20 Ralph Sennhauser (RETIRED) 2013-02-05 19:57:08 UTC

(In reply to comment #19)
> (In reply to comment #18)
> > The point being, twice as much is about the limit for jvm heap size on x86,
> > with or without pax.
> 
> so why do you disable PaX features then if PaX per se has nothing to do with
> the problem? ;)

Don't twist the words in my mouth, you know what I mean.

> > so why do you disable PaX features then if PaX per se has nothing to do with
> > the problem? ;)
> 
> Don't twist the words in my mouth, you know what I mean.

http://en.wikipedia.org/wiki/Emoticon

now how about responding to the real issues i raised?

Comment 22 Ralph Sennhauser (RETIRED) 2013-02-07 15:33:13 UTC

(In reply to comment #21)
> now how about responding to the real issues i raised?

'm' isn't needed either, a user can just use the interpreter mode. Seriously you get as much security by default as doesn't hurt. The markings are properly logged and a user has the tools to change what he isn't happy about and we can close resulting bugs as WONTFIX.

(In reply to comment #19)
> (In reply to comment #18)
> > Icedtea not being able to build itself is obviously not an option and so
> > disabling SEGMEXEC stays. ;)
> 
> then disable SEGMEXEC for *building* icedtea only, not for everyone
> permanently. and also tell me how you handle the other CONFIG_VMSPLIT_*
> options 'cos now i'm really curious ;). if the answer is 'we do not' then
> please apply that to SEGMEXEC as well.

It's not the only package that needs such a heap size to be built.

Comment 23 Anthony Basile 2013-02-10 01:38:39 UTC

(In reply to comment #14)

> May I add, as a user of pax-mark, all I want is to specify the flags only,
> which type of markings(ea,pt,xt) and how they are applied shouldn't be my
> concern. So C should have never been required. The pax-utils.eclass should
> know how to handle the that.

I've improved the logic in the pax-utils.eclass.  I've added a function which sanitizes the flags.  It only permits the flags themselves and -z to fall back on the default.

Also, since -C -c is still a reality with is, when performing PT_PAX markings, paxctl is attempted before other utilities and progressively tries to first just do them markings, then -c and do the markings and finally -C and do the markings.

@Alphat-PC and other, can you please test the hardened-dev overlay eclass at

http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=fdc7769e014e3e4de8ebd0ae8896a1a83dc47c03;hb=3a2cbaec20cf614ec0dfbf7a6c0d3cedff412b5b

(In reply to comment #23)
> (In reply to comment #14)
> 
> > May I add, as a user of pax-mark, all I want is to specify the flags only,
> > which type of markings(ea,pt,xt) and how they are applied shouldn't be my
> > concern. So C should have never been required. The pax-utils.eclass should
> > know how to handle the that.
> 
> I've improved the logic in the pax-utils.eclass.  I've added a function
> which sanitizes the flags.  It only permits the flags themselves and -z to
> fall back on the default.
> 
> Also, since -C -c is still a reality with is, when performing PT_PAX
> markings, paxctl is attempted before other utilities and progressively tries
> to first just do them markings, then -c and do the markings and finally -C
> and do the markings.
> 
> @Alphat-PC and other, can you please test the hardened-dev overlay eclass at
> 
> http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;
> f=eclass/pax-utils.eclass;h=fdc7769e014e3e4de8ebd0ae8896a1a83dc47c03;
> hb=3a2cbaec20cf614ec0dfbf7a6c0d3cedff412b5b

A bashisms version:

--- pax-utils.eclass.orig	2013-02-10 02:17:21.651505480 +0000
+++ pax-utils.eclass	2013-02-10 06:50:25.582657018 +0000
@@ -64,13 +64,8 @@ PAX_MARKINGS=${PAX_MARKINGS:="PT XT"}
 # 3. z is allowed for the default
 #
 sanitize-flags() {
-	local flags=$1
-	local clean=""
-
-	for f in z P p E e M m R r S s; do
-		[[ "${flags}" != "${flags/${f}/}" ]] && clean="${clean}${f}"
-	done
-	echo "$clean"
+#	echo "${1//[^zPpEeMmRrSs]}"
+	echo "${1//[!zPpEeMmRrSs]}"
 }
 
 pax-mark() {
@@ -81,7 +76,7 @@ pax-mark() {
 	local xt_fail=0 xt_failures=""	# record xattr PAX marking failures
 	local ret=0			# overal return code of this function
 
-	flags="$(sanitize-flags $1)"
+	flags="${1//[!zPpEeMmRrSs]}"
 	shift
 
 	if has PT ${PAX_MARKINGS}; then

Created attachment 338476 [details, diff]
pax-utils.eclass.diff

Created attachment 338480 [details, diff]
pax-utils.eclass.diff

Comment 27 Anthony Basile 2013-02-10 11:49:53 UTC

(In reply to comment #26)
> Created attachment 338480 [details, diff] [details, diff]
> pax-utils.eclass.diff

Thanks Alphat-PC.  I committed this.  The original problem in this bug, that eclass/java-vm-2.eclass should not use Cm flag combination has been fixed with our changes to pax-utils.eclass.  So, I'm going to close this bug and lets post changes to the parent bug #431092.