Bug 552100 - dev-java/icedtea-bin-7.2.5.5: needs paxmark
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Java
Hardware: All Linux
Importance: Normal normal
Assignee: Java team
Reported: 2015-06-14 15:05 UTC by Alex Efros
Modified: 2015-06-29 06:57 UTC (History)
Description Alex Efros 2015-06-14 15:05:55 UTC
7.2.5.5 doesn't work with net-p2p/i2p-0.9.18:
kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /opt/icedtea-bin-7.2.5.5/bin/java[java:16320] uid/euid:113/113 gid/egid:105/105, parent /usr/bin/wrapper[i2psvc:16316] uid/euid:113/113 gid/egid:105/105

7.2.5.5 has this paxmarking:
/opt/icedtea-bin-7.2.5.5/bin/java:
	PT_PAX    : -em--
	XATTR_PAX : not found

7.2.5.3 works ok and has this paxmarking:
/opt/icedtea-bin-7.2.5.3/bin/java:
	open(O_RDWR) failed: cannot change PT_PAX flags
	PT_PAX    : -em--
	XATTR_PAX : -em--

So it looks like 7.2.5.5 sets the correct paxmark, but using an outdated way which doesn't support xattrs.



Portage 2.2.18 (python 3.3.5-final-0, hardened/linux/amd64, gcc-4.8.4, glibc-2.20-r2, 3.18.9-hardened x86_64)
=================================================================
System uname: Linux-3.18.9-hardened-x86_64-Intel-R-_Core-TM-_i7-2600K_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem:     8133584 total,   5029612 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Sun, 14 Jun 2015 11:15:01 +0000
sh bash 4.3_p33-r2
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.3_p33-r2::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.20.2-r1::gentoo
dev-lang/python:          2.7.9-r1::gentoo, 3.3.5-r1::gentoo
dev-util/cmake:           3.2.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.16.4::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.13.4::gentoo, 1.14.1::gentoo
sys-devel/binutils:       2.24-r3::gentoo
sys-devel/gcc:            4.8.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 3.18::gentoo (virtual/os-headers)
sys-libs/glibc:           2.20-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync3.ua.gentoo.org/gentoo-portage
    priority: -1000

powerman
    location: /var/lib/layman/powerman
    masters: gentoo
    priority: 0

gamerlay
    location: /var/lib/layman/gamerlay
    masters: gentoo
    priority: 1

local
    location: /usr/local/portage
    masters: gentoo
    priority: 2

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /service /usr/inferno/keydb /usr/inferno/lib /usr/inferno/services /usr/lib/ConsoleKit/scripts /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /var/log /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --autounmask-write"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://tux.rainside.sk/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://gentoo.inode.at/"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acpi adns aes alac alsa amd64 avx bash-completion berkdb branding bzip2 cairo caps cdda cddb cdr cli consolekit cracklib crypt cups cxx dbus dri drm dts dvb dvd dvdr encode exif fam firefox flac fontconfig gallium gdbm gif glamor gnutls gpg gtk hardened iconv icu id3tag idn ipv6 jpeg jpeg2k justify lcms libnotify mac mad matroska mbox mmx mmxext mng modules mp3 mp4 mpeg multilib musepack ncurses network-cron nls nptl nsplugin ogg opengl openmp openvg pam pango pax_kernel pcre pdf perl pie png policykit popcnt ppds qt3support qt4 readline sdl session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssp ssse3 startup-notification svg tcpd theora tiff truetype udev udisks unicode upower urandom usb vdpau vim-syntax vorbis wavpack wxwidgets x264 xattr xcb xml xosd xtpax xv xvid xvmc zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en ru ru_RU" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi 
geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi fancyindex" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="x86_64 i386" QEMU_USER_TARGETS="x86_64 i386" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="nvidia nouveau" XFCE_PLUGINS="clock trash" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Comment 1 James Le Cuirot gentoo-dev 2015-06-16 22:34:22 UTC
That's strange because that part of the ebuild hasn't changed at all and the actual operation is done in an eclass function called java-vm_set-pax-marking, which hasn't changed in nearly 3 years. I don't run any hardened systems so I can't verify this myself. Are you sure you haven't made some local change like mounting /var/tmp/portage on tmpfs?
Comment 2 Alex Efros 2015-06-16 23:49:04 UTC
(In reply to James Le Cuirot from comment #1)
> Are you sure you haven't made some local change like mounting /var/tmp/portage on tmpfs?

Nice. Yeah, I use tmpfs (~6.5GB, mounted with uid=portage,gid=portage,mode=0755,size=80%) for /var/tmp/portage. What's wrong with this? All other packages build just fine and get correct paxmarking.
Comment 3 Alex Efros 2015-06-16 23:50:26 UTC
Just in case you bother about xattr support for tmpfs:

# zgrep XATTR /proc/config.gz 
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_TMPFS_XATTR=y
CONFIG_SQUASHFS_XATTR=y
CONFIG_CIFS_XATTR=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
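The reporter's side-by-side reading of PT_PAX against XATTR_PAX, together with the kernel config lines in comment 3, is the whole diagnosis: a binary marked only through the PT_PAX_FLAGS program header is effectively unmarked on a kernel built to honour the xattr alone, so MPROTECT stays enforced and HotSpot's RWX code-cache mapping is denied. The script below automates that check. It is an added example and is not part of the bug, the ebuild, or the elfix/paxctl-ng project. Assumptions: flag strings use paxctl-ng's five-position PEMRS form ('-' = kernel default, lowercase = disabled, uppercase = enabled) and the user.pax.flags xattr carries the same form; the PT_PAX_FLAGS p_type and the PF_* bit values are taken from PaX's elf.h; the precedence rules in effective_marking() are this example's reading of the PaX kernel's pax_parse_pax_flags(); the function names and the constructed ELF image are the example's own.

```python
import struct
from typing import Dict, Optional, Tuple

PT_PAX_FLAGS = 0x65041580   # p_type of the PaX program header (PaX elf.h)
LETTERS = "PEMRS"           # PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC
# (enable bit, disable bit) inside PT_PAX_FLAGS p_flags, per PaX elf.h
PF_BITS = {"P": (1 << 4, 1 << 5), "S": (1 << 6, 1 << 7), "M": (1 << 8, 1 << 9),
           "E": (1 << 12, 1 << 13), "R": (1 << 14, 1 << 15)}


def parse_flags(text: str) -> Dict[str, str]:
    """Turn a paxctl-ng style string such as '-em--' into {letter: state}.
    Position is ignored, so a bare 'em' (assumed xattr shorthand) parses
    the same way as '-em--'."""
    state = {letter: "default" for letter in LETTERS}
    for ch in text.strip():
        if ch == "-":
            continue
        if ch.upper() not in LETTERS:
            raise ValueError(f"unknown PaX flag character {ch!r}")
        state[ch.upper()] = "on" if ch.isupper() else "off"
    return state


def format_flags(state: Dict[str, str]) -> str:
    """Inverse of parse_flags: canonical five-character PEMRS form."""
    return "".join(l if state[l] == "on" else l.lower() if state[l] == "off" else "-"
                   for l in LETTERS)


def pt_pax_from_elf(data: bytes) -> Optional[str]:
    """Read PT_PAX_FLAGS from a little-endian ELF64 image (what paxctl-ng -v
    prints as PT_PAX). Returns None when no such program header exists."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type != PT_PAX_FLAGS:
            continue
        state = {}
        for letter in LETTERS:
            on, off = PF_BITS[letter]
            state[letter] = "on" if p_flags & on else "off" if p_flags & off else "default"
        return format_flags(state)
    return None


def build_elf64(pax_p_flags: Optional[int]) -> bytes:
    """Constructed sample input (not a real binary): a header-only ELF64 with
    one PT_PAX_FLAGS program header, or none when pax_p_flags is None."""
    phnum = 0 if pax_p_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, phnum, 0, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_PAX_FLAGS,
                                                pax_p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr


def kernel_marking_support(config_text: str) -> Tuple[bool, bool]:
    """Which marking sources the kernel honours, from /proc/config.gz text
    (the lines the reporter grepped). Returns (pt_honoured, xattr_honoured)."""
    opts = {}
    for line in config_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return (opts.get("CONFIG_PAX_PT_PAX_FLAGS") == "y",
            opts.get("CONFIG_PAX_XATTR_PAX_FLAGS") == "y")


def effective_marking(pt: Optional[str], xattr: Optional[str],
                      honours_pt: bool, honours_xattr: bool) -> Tuple[str, Optional[str]]:
    """Resolve which marking the kernel will act on. Precedence is this
    example's reading of PaX's pax_parse_pax_flags(): a source the kernel is
    not built to read is ignored; a single usable source wins; two usable
    sources must agree or the exec is refused; no usable source means the
    built-in defaults (MPROTECT enforced)."""
    pt = pt if honours_pt else None
    xattr = xattr if honours_xattr else None
    if pt is None and xattr is None:
        return "defaults", None
    if pt is None:
        return "xattr", format_flags(parse_flags(xattr))
    if xattr is None:
        return "pt", format_flags(parse_flags(pt))
    if parse_flags(pt) != parse_flags(xattr):
        return "inconsistent", None
    return "both", format_flags(parse_flags(pt))


def audit_java(pt: Optional[str], xattr: Optional[str], config_text: str) -> str:
    """One-line verdict for a JVM binary: it needs MPROTECT disabled ('m')
    because HotSpot maps its JIT code cache RWX. Pass None for a source that
    paxctl-ng reports as 'not found'."""
    source, flags = effective_marking(pt, xattr, *kernel_marking_support(config_text))
    if source == "inconsistent":
        return "FAIL: PT_PAX and XATTR_PAX disagree; the kernel will refuse to exec"
    if flags is None or parse_flags(flags)["M"] != "off":
        return f"FAIL: MPROTECT still enforced (effective source: {source}); expect 'denied RWX mmap'"
    return f"OK: MPROTECT disabled via {source} marking {flags}"


if __name__ == "__main__":
    # The reporter's kernel honours only the xattr (constructed from comment 3).
    cfg = "CONFIG_TMPFS_XATTR=y\nCONFIG_PAX_XATTR_PAX_FLAGS=y\n"
    print("7.2.5.5:", audit_java("-em--", None, cfg))
    print("7.2.5.3:", audit_java("-em--", "-em--", cfg))
```

Fed the two paxctl-ng readings from the report, the 7.2.5.5 case resolves to "defaults" and fails, the 7.2.5.3 case resolves to the xattr marking and passes. On a real host you would feed pt_pax_from_elf() the bytes of /opt/icedtea-bin-*/bin/java, os.getxattr(path, "user.pax.flags") for the xattr, and the decompressed /proc/config.gz for the config.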
Comment 4 Hans de Graaff gentoo-dev Security 2015-06-24 11:21:00 UTC
(In reply to James Le Cuirot from comment #1)
> That's strange because that part of the ebuild hasn't changed at all and the
> actual operation is done in an eclass function called
> java-vm_set-pax-marking, which hasn't changed in nearly 3 years. I don't run
> any hardened systems so I can't verify this myself. Are you sure you haven't
> made some local change like mounting /var/tmp/portage on tmpfs?

I can confirm this issue. I've downgraded to 7.2.5.3 and the correct XATTR_PAX paxmarking is there, upgrading to 7.2.5.5 makes them go away.

I've looked at the ebuild but I'm not sure what causes it. Perhaps the patchelf stuff?
Comment 5 James Le Cuirot gentoo-dev 2015-06-24 11:50:17 UTC
(In reply to Hans de Graaff from comment #4)
> I've looked that the ebuild but I'm not sure what causes it. Perhaps the
> patchelf stuff?

Aaah, I was getting confused with the non-bin package earlier. It might be patchelf, it might be that I didn't ensure my build systems are mounted with xattrs enabled, or most likely it's because I forgot to enable the pax_kernel flag! I'm new to this, having taken on the task from Caster. He told me which flags to enable but didn't mention that one; perhaps he used a hardened system and it was set globally. I'll find out later whether one or more of these is the culprit.
Comment 6 Andrew John Hughes 2015-06-24 13:16:01 UTC
It should just be a matter of marking the binaries with paxctl-ng -m and then repackaging. No need to do a complete rebuild.
Comment 7 James Le Cuirot gentoo-dev 2015-06-28 23:24:08 UTC
This turned out to be a real puzzle. I had enabled acl on my build systems, at least for amd64 and x86. I enabled pax_kernel but that didn't actually help. I didn't check patchelf because I didn't need to in the end. So what was it?

A couple of other things caught my eye. The paxmark.sh script changed the default markings from PT and XT to just PT in December, but the icedtea ebuild uses the pax-utils.eclass as well as this script, and that has defaulted to just PT for ages, so that wasn't it. Perhaps Caster had set PAX_MARKINGS on his build system? I hadn't prepared the icedtea-bin tarball with xattrs enabled, but neither had Caster, so his PAX_MARKINGS setting would have been ineffective.

I then checked the old icedtea-bin ebuild and suddenly remembered that I'd deleted this.

# Remove on next bump as the needed marks are already set by icedtea ebuild.
java-vm_set-pax-markings "${ddest}"

D'oh! But I'd deleted it for the reason stated in the comment. Why was this a problem? The ebuild does indeed set them, twice in fact, because icedtea itself does it too. But rather than set PAX_MARKINGS correctly on my build system and get tar to honour xattrs, the right thing to do is actually disable them entirely and keep the above line so that the end-user's PAX_MARKINGS setting is respected instead of forcing mine on everybody.

So I've bumped icedtea-bin with this line restored. The existing tarballs have the legacy markings present but this shouldn't do any harm. I'll disable them for the next version.
Comment 8 Hans de Graaff gentoo-dev Security 2015-06-29 06:57:06 UTC
Fix confirmed. Thanks!