Bug 475244 - media-video/mplayer is killed by pax on non-hardened profile
Summary: media-video/mplayer is killed by pax on non-hardened profile
Status: RESOLVED DUPLICATE of bug 164504
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Media-video project
Reported: 2013-06-29 18:06 UTC by Agostino Sarubbo
Modified: 2013-08-02 16:52 UTC

Description Agostino Sarubbo gentoo-dev 2013-06-29 18:06:34 UTC
Jun 29 20:03:45 devil kernel: grsec: denied RWX mprotect of /usr/lib/libmpg123.so.0.36.6 by /usr/bin/mplayer[mplayer:2058] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/smplayer[smplayer:2009] uid/euid:1000/1000 gid/egid:1000/1000


Portage 2.1.12.11 (default/linux/x86/13.0, gcc-4.6.3, glibc-2.15-r3, 3.2.42-hardened-r1 i686)
=================================================================                                                                                                                   
System uname: Linux-3.2.42-hardened-r1-i686-Intel-R-_Celeron-R-_M_CPU_430_@_1.73GHz-with-gentoo-2.2                                                                                 
KiB Mem:     2060284 total,    199388 free                                                                                                                                          
KiB Swap:    2097148 total,   2059860 free                                                                                                                                          
Timestamp of tree: Sat, 29 Jun 2013 16:30:01 +0000                                                                                                                                  
ld GNU ld (GNU Binutils) 2.22                                                                                                                                                       
app-shells/bash:          4.2_p45                                                                                                                                                   
dev-lang/python:          2.7.3-r3                                                                                                                                                  
dev-util/cmake:           2.8.10.2-r2                                                                                                                                               
dev-util/pkgconfig:       0.28                                                                                                                                                      
sys-apps/baselayout:      2.2                                                                                                                                                       
sys-apps/openrc:          0.11.8                                                                                                                                                    
sys-apps/sandbox:         2.6-r1                                                                                                                                                    
sys-devel/autoconf:       2.13, 2.69                                                                                                                                                
sys-devel/automake:       1.10.3, 1.11.6, 1.12.6                                                                                                                                    
sys-devel/binutils:       2.22-r1                                                                                                                                                   
sys-devel/gcc:            4.6.3                                                                                                                                                     
sys-devel/gcc-config:     1.7.3                                                                                                                                                     
sys-devel/libtool:        2.4-r1                                                                                                                                                    
sys-devel/make:           3.82-r4                                                                                                                                                   
sys-kernel/linux-headers: 3.7 (virtual/os-headers)                                                                                                                                  
sys-libs/glibc:           2.15-r3                                                                                                                                                   
Repositories: gentoo x-portage                                                                                                                                                      
ACCEPT_KEYWORDS="x86"                                                                                                                                                               
ACCEPT_LICENSE="*"                                                                                                                                                                  
CBUILD="i686-pc-linux-gnu"                                                                                                                                                          
CFLAGS="-O2 -march=pentium-m -g0"                                                                                                                                                   
CHOST="i686-pc-linux-gnu"                                                                                                                                                           
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"        
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"                    
CXXFLAGS="-O2 -march=pentium-m -g0"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FCFLAGS="-O2"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl acpi alsa apic bash-completion berkdb bzip2 cairo cli consolekit cracklib crypt custom-cflags custom-optimization cxx dbus dri dvd extras ffmpeg fortran gdbm gpm gtk gudev hwdb iconv jpeg jpeg2k kde kmod lame lm_sensors mad minizip mmx modules mp3 mudflap ncurses networkmanager nptl nsplugin opengl openmp openrc pam pax_kernel pcre pic png policykit qt3support qt4 readline semantic-desktop session sse sse2 ssl svg symlink tcpd theora threads tiff udev unicode vorbis x264 x86 xvid zlib" ABI_X86="32" ALSA_CARDS="hda-intel" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" LINGUAS="en en_GB" OFFICE_IMPLEMENTATION="libreoffice" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" USERLAND="GNU" VIDEO_CARDS="intel"
USE_PYTHON="2.7"
Comment 1 Magnus Granberg gentoo-dev 2013-06-30 00:51:25 UTC
Disable mmx on libmpg123, see bug #164504
Retest with mmx off on libmpg123
Comment 2 Agostino Sarubbo gentoo-dev 2013-06-30 01:12:47 UTC
(In reply to Magnus Granberg from comment #1)
> Disable mmx on libmpg123, see bug #164504
> Retest with mmx off on libmpg123


Same result.
Comment 3 Nikoli 2013-07-07 13:29:44 UTC
Which mplayer video output and video driver are you using? opengl apps do not work without pax marking with the nouveau driver, bug #383989

Why are you using a pax enabled kernel with a non hardened profile?! hardened-sources may kill any bin which is not compiled by the hardened toolchain. This is stated in the hardened handbook.
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-07 13:34:52 UTC
(In reply to Nikoli from comment #3)
> Which mplayer video output and video driver are you using? opengl apps do
> not work without pax marking with the nouveau driver, bug #383989
Intel

> Why are you using a pax enabled kernel with a non hardened profile?!
Why not?

> hardened-sources may kill any bin which is not compiled by the hardened
> toolchain. This is stated in the hardened handbook.

Why should hardened-sources kill any bin?
I don't think so. From what you are saying, grsecurity should be designed only for gentoo hardened... I see grsecurity enabled on other distros where there isn't a hardened toolchain.
Comment 5 Alexis Ballier gentoo-dev 2013-08-02 16:52:57 UTC
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Magnus Granberg from comment #1)
> > Disable mmx on libmpg123, see bug #164504
> > Retest with mmx off on libmpg123
> 
> 
> Same result.

post the output then; if libmpg123 still has textrels you should post in the relevant bug

(In reply to Agostino Sarubbo from comment #4)
> > hardened-sources may kill any bin which is not compiled by the hardened
> > toolchain. This is stated in the hardened handbook.
> 
> Why should hardened-sources kill any bin?
> I don't think so. From what you are saying, grsecurity should be designed only
> for gentoo hardened... I see grsecurity enabled on other distros where
> there isn't a hardened toolchain.

it has nothing to do with hardened toolchain; you can very well build pic shared libs with a standard toolchain, and this is actually a gentoo policy recommendation. some packages provide heavily optimised asm that is not pic and this is exactly what you are hitting. as gentoo, we decide to provide choice and by default we chose the best for everyone: the fastest code. if you want to disallow non pic libraries (which is what you are doing with your grsec kernel but do not seem to understand the implications) without hardened profile then you are basically on your own and should be able to disable/mask the offending useflags. those are supposed to be masked on hardened profile for this very precise reason.

*** This bug has been marked as a duplicate of bug 164504 ***