On kernels with both XT_PAX and PT_PAX enabled you need consistent flags set by the eclass, i.e. if you add 'm' to both it may not be enough, as most binaries have 'e' in pt_pax by default.

For example plugin-container hangs firefox due to conflicting flags:

# paxctl -v /usr/lib64/firefox/plugin-container
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/lib64/firefox/plugin-container]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled

# getfattr -d /usr/lib64/firefox/plugin-container
getfattr: Removing leading '/' from absolute path names
# file: usr/lib64/firefox/plugin-container
user.pax.flags="m"

After

# setfattr -n user.pax.flags -v "me" /usr/lib64/firefox/plugin-container

firefox runs ok.

Reproducible: Always
This should be fixed soon. I have to update the pax-utils.eclass. In the meantime you can help test! Use the eclass at http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=e860d04b32bb301f447e385d3cb35129cff4e394;hb=38ad3d21b9fd281e326eff20ceb6de1ccb0ee1ef and let me know if that fixes it for you.
Yes, I forgot to mention that; that's the one I use. I uninstalled paxctl-ng (because it's broken) so it uses setfattr, which seems to work ok, except for not setting the 'e' flag which is in pt_pax.
(In reply to comment #2)
> Yes I forgot to mention that, that's the one I use.
> I uninstalled paxctl-ng (because it's broken) so it uses setfattr, which
> seems to work ok, except for not setting 'e' flag which is in pt_pax.

paxctl-ng is work in progress. Please let me know what version you were using and how it was broken.

setfattr will not set the default flags for you, like e. Hence the need for a tool like paxctl-ng.
(In reply to comment #3)
> (In reply to comment #2)
> > Yes I forgot to mention that, that's the one I use.
> > I uninstalled paxctl-ng (because it's broken) so it uses setfattr, which
> > seems to work ok, except for not setting 'e' flag which is in pt_pax.
>
> paxctl-ng is work in progress. Please let me what version you were using
> and how it was broken.

Version 0.6.0. It was already reported in bug 446518 (it puts '-' in flags).

> setfattr will not set the default flags for you, like e. Hence the need for
> a tool like paxctl-ng.

Won't it cause binaries not working when they are marked on systems without paxctl-ng? Maybe it can copy pt_pax flags if present?
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > Yes I forgot to mention that, that's the one I use.
> > > I uninstalled paxctl-ng (because it's broken) so it uses setfattr, which
> > > seems to work ok, except for not setting 'e' flag which is in pt_pax.
> >
> > paxctl-ng is work in progress. Please let me what version you were using
> > and how it was broken.
>
> version 0.6.0
> It was already reported in bug 446518 (it puts '-' in flags)
>
> > setfattr will not set the default flags for you, like e. Hence the need for
> > a tool like paxctl-ng.
>
> Won't it cause binaries not working when they are marked on systems without
> paxctl-ng? Maybe it can copy pt_pax flags if present?

The eclass now takes care of that. It's okay to allow the utility to have more flexibility than you want. We'll let portage take care of making sure we correctly set the flags we need when installing.

I believe this is fixed in the latest version of the eclass.
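Added example, not code from this bug or from pax-utils/paxctl-ng: a Python sketch of the "copy pt_pax flags if present" idea from comment #4. It reads the PT_PAX_FLAGS program header of a little-endian ELF64, renders it as the same letter string user.pax.flags uses, and merges it with the letters an eclass wants to set so that a default marking such as 'e' is not lost when only 'm' is written. The bit values follow PaX's elf.h as I know them, the letter order follows paxctl's display, and the sample ELF is constructed in memory rather than read from a real binary.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # program header type PaX uses for its flags
# (enable bit, disable bit, letter) in paxctl display order; bits from PaX elf.h
PAX_BITS = [
    (1 << 4, 1 << 5, "p"),    # PAGEEXEC
    (1 << 6, 1 << 7, "s"),    # SEGMEXEC
    (1 << 8, 1 << 9, "m"),    # MPROTECT
    (1 << 10, 1 << 11, "x"),  # RANDEXEC
    (1 << 12, 1 << 13, "e"),  # EMUTRAMP
    (1 << 14, 1 << 15, "r"),  # RANDMMAP
]

def pt_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the ELF has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    phoff = struct.unpack_from("<Q", elf, 32)[0]          # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)  # e_phentsize, e_phnum
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, phoff + i * phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def flags_to_letters(p_flags):
    """Letter form as in user.pax.flags: lowercase = feature off, uppercase = on."""
    out = ""
    for on, off, letter in PAX_BITS:
        if p_flags & on:
            out += letter.upper()
        elif p_flags & off:
            out += letter
    return out

def merge_flags(pt_letters, wanted):
    """Start from the PT_PAX markings; each requested letter overrides only its own feature."""
    state = {letter: None for _, _, letter in PAX_BITS}
    for ch in pt_letters + wanted:
        state[ch.lower()] = ch
    return "".join(state[letter] for _, _, letter in PAX_BITS if state[letter])

def build_sample_elf(p_flags):
    """Constructed minimal ELF64 image with one PT_PAX_FLAGS header (not a runnable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

if __name__ == "__main__":
    # the plugin-container case from the report: -----m-x-e-- is NOMPROTECT|NORANDEXEC|NOEMUTRAMP
    sample = build_sample_elf((1 << 9) | (1 << 11) | (1 << 13))
    pt = flags_to_letters(pt_pax_flags(sample))
    print("pt_pax:", pt, "| eclass wants m | xattr should be:", merge_flags(pt, "m"))
```

Writing "m" alone to user.pax.flags drops the 'e' that PT_PAX carried; the merged value keeps it, which is the difference the report saw between "m" and "me".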
Yes, it's fixed, thanks.
Thanks!