1) If pax_kernel is enabled, ebuild should check that CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is disabled and suggest enabling CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR instead. fglrx kernel module builds fine if PAX_KERNEXEC_PLUGIN_METHOD_BTS is enabled, but _silently_ (no error or message in dmesg) fails to load because it is not GPL compatible. modprobe fglrx will fail with this error:

modprobe: ERROR: could not insert 'fglrx': Exec format error

After googling I found https://forums.gentoo.org/viewtopic-t-922748-start-0.html

2) It is not possible to create xorg.conf with 'aticonfig --initial', because /opt/bin/aticonfig is not pax marked and is killed:

aticonfig: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

dmesg:

grsec: denied RWX mmap of /usr/lib64/opengl/ati/lib/libGL.so.1.2 by /opt/bin/aticonfig[aticonfig:3496] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2807] uid/euid:0/0 gid/egid:0/0

You can use skype ebuild as example. In future it could be better to start using xattr feature of filesystems instead of creating PT_PAX_FLAGS header and modifying file.

3) Something about bug #393177 could be done, like adding (with some updates) howto from comment 1
Also '/usr/bin/fgl_glxgears' needs pax marking.
Are you sure about this? I checked the code and there really is

#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
	if (!license || !license_is_gpl_compatible(license))
		return -ENOEXEC;
#endif

Perhaps CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is the option that should be disabled?
Sorry, it was a typo. You are right.
Greetings, can you test ati-drivers-13.2-beta7 from x11 overlay? It refers to revdep-pax in postinst message that should solve most of the remaining problems - please note if I am missing something.
I did not try beta ebuild yet, but I did try running commands from it.

1) Are you sure that 'pax-mark Cm "${D}"/usr/lib*/opengl/ati/lib/libGL.so.1.2' works fine for you? Please check also output of paxctl -v and paxctl-ng -v:

# paxctl -Cm /usr/lib*/opengl/ati/lib/libGL.so.1.2
file /usr/lib64/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS program header, creation failed
file /usr/lib/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS program header, creation failed
# paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
/usr/lib64/opengl/ati/lib/libGL.so.1.2:
PT_PAX : not found
XATTR_PAX: not found

/usr/lib/opengl/ati/lib/libGL.so.1.2:
PT_PAX : not found
XATTR_PAX: not found

'paxctl-ng -m' works fine for me, but creates only xattr marking:

# paxctl-ng -m /usr/lib*/opengl/ati/lib/libGL.so.1.2
# paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
/usr/lib64/opengl/ati/lib/libGL.so.1.2:
PT_PAX : not found
XATTR_PAX: -em--

/usr/lib/opengl/ati/lib/libGL.so.1.2:
PT_PAX : not found
XATTR_PAX: -em--

2) Using 'revdep-pax -s libGL.so.1 -me' has 2 problems:
   1) It does not create PT_PAX_FLAGS program header, for all bins in /opt/ it will use only xattr marking. You need to check in ebuild if kernel was compiled with CONFIG_PAX_XATTR_PAX_FLAGS=y.
   2) After 'su' $PATH will not have /opt/bin, /opt/sbin and /usr/games/bin, revdep-pax will not mark aticonfig, amdcccle and most of bins from ati-drivers. Please add info about $PATH to postinst and pax-mark all linked to libGL.so.1 bins in src_install.
(In reply to comment #5)
> I did not try beta ebuild yet, but I did try running commands from it.
> 1) Are you sure that 'pax-mark Cm "${D}"/usr/lib*/opengl/ati/lib/libGL.so.1.2'
> works fine for you? Please check also output of paxctl -v and paxctl-ng -v:
> # paxctl -Cm /usr/lib*/opengl/ati/lib/libGL.so.1.2
> file /usr/lib64/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS
> program header, creation failed
> file /usr/lib/opengl/ati/lib/libGL.so.1.2 cannot have a PT_PAX_FLAGS program
> header, creation failed
> # paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
> /usr/lib64/opengl/ati/lib/libGL.so.1.2:
> PT_PAX : not found
> XATTR_PAX: not found
>
> /usr/lib/opengl/ati/lib/libGL.so.1.2:
> PT_PAX : not found
> XATTR_PAX: not found
>
> 'paxctl-ng -m' works fine for me, but creates only xattr marking:
> # paxctl-ng -m /usr/lib*/opengl/ati/lib/libGL.so.1.2
> # paxctl-ng -v /usr/lib*/opengl/ati/lib/libGL.so.1.2
> /usr/lib64/opengl/ati/lib/libGL.so.1.2:
> PT_PAX : not found
> XATTR_PAX: -em--
>
> /usr/lib/opengl/ati/lib/libGL.so.1.2:
> PT_PAX : not found
> XATTR_PAX: -em--
>
>
> 2) Using 'revdep-pax -s libGL.so.1 -me' has 2 problems:
> 1) It does not create PT_PAX_FLAGS program header, for all bins in /opt/ it
> will use only xattr marking. You need to check in ebuild if kernel was
> compiled with CONFIG_PAX_XATTR_PAX_FLAGS=y.
> 2) After 'su' $PATH will not have /opt/bin, /opt/sbin and /usr/games/bin,
> revdep-pax will not mark aticonfig, amdcccle and most of bins from
> ati-drivers. Please add info about $PATH to postinst and pax-mark all linked
> to libGL.so.1 bins in src_install.

Looks like paxctl can't create a PT_PAX phdr and I designed paxctl-ng to NOT create the phdr. Consequently revdep-pax can't either. Looks like this will have to be marked via xattr only.
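
The checks discussed in the comments above, as an added example that is not part of the original thread or of the ati-drivers ebuild: POSIX shell functions that read a kernel config for the two options named here and classify `paxctl-ng -v` output by where the marking lives. The function names and sample inputs are constructed, and the paxctl-ng output layout is assumed to match what is quoted in the thread.

```shell
# Added example; function names and sample inputs are constructed.
SAMPLE_CONFIG='CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set'
SAMPLE_PAXCTL='/usr/lib64/opengl/ati/lib/libGL.so.1.2:
PT_PAX : not found
XATTR_PAX: -em--

/opt/bin/aticonfig:
PT_PAX : not found
XATTR_PAX: not found'

# One line per kernel-config finding relevant to this thread.
pax_config_findings() {
    if grep -q '^CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y' "$1"; then
        echo "kernexec-or: non-GPL modules are refused with ENOEXEC"
    fi
    if ! grep -q '^CONFIG_PAX_XATTR_PAX_FLAGS=y' "$1"; then
        echo "no-xattr-flags: XATTR_PAX markings are not read by this kernel"
    fi
}

# Read `paxctl-ng -v` output on stdin; print "<state> <file>" per file,
# where state is pt, xattr, both or none.
pax_mark_state() {
    awk '
        function state() { return pt ? (xa ? "both" : "pt") : (xa ? "xattr" : "none") }
        function emit()  { if (file != "") print state(), file }
        /^\/.*:$/ { emit(); file = substr($0, 1, length($0) - 1); pt = xa = 0; next }
        /PT_PAX[ \t]*:/    { pt = ($0 !~ /not found/) }
        /XATTR_PAX[ \t]*:/ { xa = ($0 !~ /not found/) }
        END { emit() }
    '
}

# Files from stdin whose marking the kernel in config file $1 will not honour:
# unmarked files always, xattr-only files when XATTR_PAX flags are off.
pax_ineffective() {
    if grep -q '^CONFIG_PAX_XATTR_PAX_FLAGS=y' "$1"; then bad='^none '
    else bad='^(none|xattr) '; fi
    pax_mark_state | grep -E "$bad" | cut -d' ' -f2-
}

# Demo on the constructed samples.
SAMPLE_CFG_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$SAMPLE_CFG_FILE"
pax_config_findings "$SAMPLE_CFG_FILE"
printf '%s\n' "$SAMPLE_PAXCTL" | pax_ineffective "$SAMPLE_CFG_FILE"
```

On a real system the inputs would be the running kernel's config and the output of `paxctl-ng -v` run over the installed binaries, including those under /opt/bin that the thread notes are missing from $PATH after 'su'.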
x11-drivers/ati-drivers has been removed, per bug 582406.