Bug 527682 - x11-libs/gtk+-2.24.25 USE=abi-x86_32 - .../work/gtk+-2.24.25-abi_x86_32.x86/gtk/.libs/gtk-query-immodules-2.0: error while loading shared libraries: failed to map segment from shared object: Operation not permitted
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux Gnome Desktop Team
Reported: 2014-11-01 04:57 UTC by Gangræna Gorgeous
Modified: 2017-03-30 03:57 UTC

build.log.tar.xz (build.log.tar.xz,24.70 KB, application/x-xz-compressed-tar)
2014-11-01 04:59 UTC, Gangræna Gorgeous
gtk+-3.12.2-r1.ebuild patch to apply gtk+-3.12.2-pax.patch (gtk+-3.12.2-pax-ebuild.patch,491 bytes, patch)
2014-11-29 03:33 UTC, Mark Wright
patch to m gtk/.libs/gtk-query-immodules-3.0 (gtk+-3.12.2-pax.patch,2.06 KB, patch)
2014-11-29 03:34 UTC, Mark Wright
files/gtk+-2.24.25-pax.patch (gtk+-2.24.25-pax.patch,1.08 KB, patch)
2015-02-22 00:36 UTC, Saul D Beniquez
gtk+-2.24.25.ebuild.patch (gtk+-2.24.25.ebuild.patch,657 bytes, patch)
2015-02-22 00:37 UTC, Saul D Beniquez

Description Gangræna Gorgeous 2014-11-01 04:57:25 UTC
Couldn't build x11-libs/gtk+-2.24.25[abi-x86_32] in hardened/multilib profile because of PAX error:

[29514.997150] grsec: denied RWX mmap of /usr/lib32/opengl/xorg-x11/lib/ by /var/tmp/portage/x11-libs/gtk+-2.24.25/work/gtk+-2.24.25-abi_x86_32.x86/gtk/.libs/gtk-query-immodules-2.0[gtk-query-immod:16420] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:16419] uid/euid:0/0 gid/egid:0/0

Reproducible: Always
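
Added example (not part of the bug report): a small parser for grsec "denied RWX mmap" lines like the one above, which names the executable that asked for the mapping and, when that executable sits in a Portage work directory, the package whose build ran it. The default /var/tmp/portage location, the function names and the second and third log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# grsecurity reports a refused writable+executable mapping as:
#   grsec: denied RWX mmap of <object> by <exe>[<comm>:<pid>] uid/euid:U/E ...
DENIAL = re.compile(
    r"grsec: denied RWX mmap of (?P<obj>.+?) by (?P<exe>/.+?)"
    r"\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
# Assumes the default PORTAGE_TMPDIR: builds run under
# /var/tmp/portage/<category>/<package-version>/work/
BUILD_DIR = re.compile(r"^/var/tmp/portage/(?P<cat>[^/]+)/(?P<pf>[^/]+)/work/")

LOG = [
    # Line 1 is the denial quoted in the description; lines 2-3 are constructed.
    "[29514.997150] grsec: denied RWX mmap of /usr/lib32/opengl/xorg-x11/lib/ by "
    "/var/tmp/portage/x11-libs/gtk+-2.24.25/work/gtk+-2.24.25-abi_x86_32.x86/gtk/"
    ".libs/gtk-query-immodules-2.0[gtk-query-immod:16420] uid/euid:0/0 "
    "gid/egid:0/0, parent /bin/bash[sh:16419] uid/euid:0/0 gid/egid:0/0",
    "[30011.120001] grsec: denied RWX mmap of <anonymous mapping> by "
    "/usr/bin/example-viewer[example-viewer:17001] uid/euid:1000/1000 "
    "gid/egid:1000/1000, parent /bin/bash[bash:16900] uid/euid:1000/1000 "
    "gid/egid:1000/1000",
    "[30012.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]

def parse_denial(line):
    """Return the fields of one grsec RWX-mmap denial, or None for other lines."""
    m = DENIAL.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    b = BUILD_DIR.match(rec["exe"])
    # A binary under the Portage work dir was run by an ebuild phase, so the
    # denial belongs to that package's build, not to an installed program.
    rec["package"] = f"{b['cat']}/{b['pf']}" if b else None
    return rec

def denials_by_package(lines):
    """Group (binary name, mapped object) pairs by the package that ran them."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_denial, lines)):
        name = rec["exe"].rsplit("/", 1)[-1]
        out[rec["package"] or "(installed)"].add((name, rec["obj"]))
    return {pkg: sorted(pairs) for pkg, pairs in out.items()}
```
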
Comment 1 Gangræna Gorgeous 2014-11-01 04:59:12 UTC
Created attachment 387924 [details]
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-02 17:55:21 UTC
Comment on attachment 387924 [details]

Why did you store a single file in a tar archive?
Comment 3 Gangræna Gorgeous 2014-11-02 18:39:35 UTC
> Why did you store a single file in a tar archive?

I couldn't upload the uncompressed file because of its size.
Comment 4 Pacho Ramos gentoo-dev 2014-11-03 10:00:46 UTC
In the past, these bugs were being marked as duplicates of bug 240956 :/
Comment 5 Mark Wright gentoo-dev 2014-11-29 03:33:03 UTC
Created attachment 390518 [details, diff]
gtk+-3.12.2-r1.ebuild patch to apply gtk+-3.12.2-pax.patch
Comment 6 Mark Wright gentoo-dev 2014-11-29 03:34:28 UTC
Created attachment 390520 [details, diff]
patch to m gtk/.libs/gtk-query-immodules-3.0
Comment 7 Mark Wright gentoo-dev 2014-11-29 03:36:46 UTC
I reproduced a similar program with the nvidia OpenGL driver.  It would
be neat if you could please try the attached patch and let us know if it
fixes the build problem for you or not.
Comment 8 Pacho Ramos gentoo-dev 2014-11-29 09:45:53 UTC
Couldn't the pax marking be done directly in the ebuild instead of needing to patch Makefiles? (The issue with patching them is that these patches will likely be carried forever by us downstream and would need to be adapted in future version bumps. The patch is not hard but... :))
Comment 9 Alexander Tsoy 2014-11-29 12:53:00 UTC
(In reply to Mark Wright from comment #6)
> Created attachment 390520 [details, diff]

Hunk for install-data-hook is not necessary since DESTDIR is always not empty.

(In reply to Pacho Ramos from comment #8)

No-no-no! :) This would be too ugly:

src_compile() {
    # build gdk, then only the immodules query tool
    emake -C gdk
    emake -C gtk/ gtk-query-immodules-${SLOT}.0
    # disable PaX MPROTECT on the freshly built tool
    pax-mark -m gtk/.libs/gtk-query-immodules-${SLOT}.0
}
Comment 10 Alexander Tsoy 2014-11-29 12:58:07 UTC
And can't we just unset the DISPLAY env variable? I don't have nvidia hardware, so I can't test this.
Comment 11 Pacho Ramos gentoo-dev 2014-11-29 13:09:58 UTC
Personally I don't understand why DISPLAY is not unset always by PM :|

But we can of course unset it in the ebuild... how does it behave when DISPLAY is unset? (I don't have a nvidia setup just now to test either, my laptop is intel based :/)
Comment 12 Alexander Tsoy 2014-11-29 13:59:22 UTC
Also would be nice to test gtk+[-X,wayland], because the DISPLAY env variable likely affects only the X11 backend. :(
Comment 13 Alexander Tsoy 2014-11-29 14:36:29 UTC
(In reply to Alexander Tsoy from comment #12)
Ah, sorry. Looks like nvidia blob with wayland support is not yet released.
Comment 14 Pacho Ramos gentoo-dev 2015-01-02 11:53:27 UTC
+*gtk+-3.12.2-r2 (02 Jan 2015)
+  02 Jan 2015; Pacho Ramos <>
+  +files/gtk+-3.12.2-builtin-icon.patch, +gtk+-3.12.2-r2.ebuild,
+  gtk+-3.14.6.ebuild:
+  Include image data in the builtin icon cache (#518352 by Leho Kraav, Rafał
+  Mużyło and more), newer gdbus-codegen needed (#500216 by Vladimir Dolzhenko),
+  unset DISPLAY to make tests work in more environments (#527682 by Gangræna
+  Gorgeous, Mark Wright and Alexander Tsoy).
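Review bot: the entry for #527682 says only "unset DISPLAY to make tests work in more environments", which does not record the failure reported here (grsec denying an RWX mmap when gtk-query-immodules runs during the build). The files listed are gtk+-3.12.2-r2.ebuild and gtk+-3.14.6.ebuild, while the bug was filed against gtk+-2.24.25. Suggest naming the PaX denial in the entry and stating whether the gtk+-2 ebuild gets the same change.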

Please try with this revision
Comment 15 Saul D Beniquez 2015-02-22 00:36:03 UTC
Created attachment 397168 [details, diff]
Comment 16 Saul D Beniquez 2015-02-22 00:36:59 UTC
I'm experiencing this annoying bug as well, probably due to the nVidia proprietary blob using RWX memory.

Since I need gtk-2 in order to use Steam, I wrote a very similar patch for gtk-2.25.25, which I will attach to this post.

The patches have been tested on my own system running gentoo hardened w/ PaX and the nvidia proprietary blob driver, and they seem to fix the issue for me.
Comment 17 Saul D Beniquez 2015-02-22 00:37:45 UTC
Created attachment 397170 [details, diff]
Comment 18 Matt Turner gentoo-dev 2015-02-22 01:10:59 UTC
For Mesa, I think we need to disable the assembly for hardened. I'll start a thread with the hardened team.
Comment 19 Michael Palimaka (kensington) gentoo-dev 2016-01-18 18:36:29 UTC
Is there anything I can do to help here? I'm hitting this failure on a stable box.
Comment 20 Magnus Granberg gentoo-dev 2016-01-18 21:23:46 UTC
(In reply to Matt Turner from comment #18)
> For Mesa, I think we need to disable the assembly for hardened. I'll start a
> thread with the hardened team.

We already disable most of the asm in Mesa for x86. The problem with Mesa/proprietary blob is that some of the drivers use RWX memory and that doesn't work well with PaX and mprotect, and the code is most of the time in the gl lib.
Comment 21 Matt Turner gentoo-dev 2017-03-30 03:57:21 UTC
Is this still a problem?