dev-lang/python-3.5.2: /usr/lib/portage/python3.5/ebuild-helpers/xattr/install -c -m 644 /var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Include/fileobject.h /usr/include/python3.5m Traceback (most recent call last): File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/setup.py", line 2299, in <module> main() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/setup.py", line 2293, in main "Tools/scripts/2to3", "Tools/scripts/pyvenv"] File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/core.py", line 148, in setup dist.run_commands() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/dist.py", line 955, in run_commands self.run_command(cmd) File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/dist.py", line 974, in run_command cmd_obj.run() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build.py", line 135, in run self.run_command(cmd_name) File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/cmd.py", line 313, in run_command self.distribution.run_command(command) File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/dist.py", line 974, in run_command cmd_obj.run() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 338, in run self.build_extensions() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/setup.py", line 289, in build_extensions build_ext.build_extensions(self) File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 445, in build_extensions self._build_extensions_parallel() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 464, in _build_extensions_parallel for ext in self.extensions] File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/distutils/command/build_ext.py", line 464, in <listcomp> /usr/lib/portage/python3.5/ebuild-helpers/xattr/install -c -m 644 /var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Include/fileutils.h /usr/include/python3.5m for ext in self.extensions] File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/concurrent/futures/thread.py", line 113, in submit self._adjust_thread_count() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/concurrent/futures/thread.py", line 129, in _adjust_thread_count t.start() File "/var/tmp/portage/dev-lang/python-3.5.2/work/Python-3.5.2/Lib/threading.py", line 844, in start _start_new_thread(self._bootstrap, ()) RuntimeError: can't start new thread Makefile:615: recipe for target 'sharedmods' failed make: *** [sharedmods] Error 1 make: *** Waiting for unfinished jobs.... In the mean time kernel logs show this: Jul 27 09:21:29 kernel: grsec: From X.Y.Z.V: (admin:S:/) denied RWX mmap of <anonymous mapping> by /var/tmp/portage/dev-lang/python-3.5.2/work/x86_64-pc-linux-gnu/python[python:26031] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:26030] uid/euid:0/0 gid/egid:0/0 If I manually disable mprotect on the binary shown in the logs (/var/tmp/portage/dev-lang/python-3.5.2/work/x86_64-pc-linux-gnu/python), the install can sucessfully finish. At this time I have both PT_PAX and XT_PAX enabled in the kernel and in my userland. The markings on the python binaries seem to be all right otherwise (explicit E for EMUTRAMP). Sidenote: some packages requiring python-2.7 also started failing for reasons seem to be kinda similar. media-sound/mixxx-2.0.0-r1: scons: done reading SConscript files. error: can't start new thread: File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1372: _exec_main(parser, values) File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1335: _main(parser) File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1099: nodes = _build_targets(fs, options, targets, target_top) File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1259: jobs = SCons.Job.Jobs(num_jobs, taskmaster) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 92: self.job = Parallel(taskmaster, num, stack_size) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 365: self.tp = ThreadPool(num, stack_size, self.interrupted) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 295: worker = Worker(self.requestQueue, self.resultsQueue, interrupted) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 242: self.start() File "/usr/lib64/python2.7/threading.py", line 736: _start_new_thread(self.__bootstrap, ()) * ERROR: media-sound/mixxx-2.0.0-r1::gentoo failed (compile phase): * escons failed. Jul 27 09:04:13 kernel: grsec: From X.Y.Z.V: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python2.7:12192] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:12101] uid/euid:250/250 gid/egid:250/250 Disabling mprotect on the python binary could solve the issue (it fails in another way now, unrelated to this issue). Another package triggers RWX mapping: media-video/mpv-0.18.1 - I'm not sure if I should open separate bugs on these...
dev-lang/python-3.4 seems to work well without mprotect. It might be some python-3.5 module?
(In reply to Attila Tóth from comment #1) > dev-lang/python-3.4 seems to work well without mprotect. > It might be some python-3.5 module? python-3.5.1-r2 and python-3.5.1-r3 are also affected.
the question is what code wants to allocate rwx maps and for what purpose. can you extract and strace a failing command to see what the exact request is? also check that the failing program doesn't load any libraries with a bad GNU_STACK header.
(In reply to PaX Team from comment #3) > the question is what code wants to allocate rwx maps and for what purpose. > can you extract and strace a failing command to see what the exact request > is? also check that the failing program doesn't load any libraries with a > bad GNU_STACK header. I'm having trouble reproducing the problem. Sending an email about some details.
Reason was: toolchain generated binaries without GNU_STACK header. The issue is no longer present on my system and I cannot reproduce it.