Created attachment 467880
messages_170321_1009_g5n

This bug I originally mis-reported at:
https://bugs.gentoo.org/show_bug.cgi?id=573758
Sorry! (and I'm just pasting all over, I have no new info)

When installing Firefox
( Pls., I don't use Firefox anymore, I use Palemoon. I'm only following Firefox out of curiosity and spite after they ruined it all for me with:
Require PulseAudio to play sound on Linux
https://bugzilla.mozilla.org/show_bug.cgi?id=1247056
)
So, [when installing Firefox] this happened (from /var/log/messages):

Mar 21 10:08:26 g5n kernel: [172037.447577] grsec: (admin:S:/) exec of /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/ _virtualenv/bin/python2.7 (/var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/ _virtualenv/bin/python2.7 - setuptools pip wheel ) by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/ _virtualenv/bin/python2.7[python2.7:15256] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254] uid/euid:250/250 gid/egid:250/250
Mar 21 10:08:26 g5n kernel: [172037.765438] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/ _virtualenv/bin/python2.7[python2.7:15256] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254] uid/euid:250/250 gid/egid:250/250

See all of it (and more, I only partly understand it) in the attachment:
messages_170321_1009_g5n

And in the other attachment (that I'll post with the next comment):
www-client_firefox-52.0.1_20170321-090648.log
find:

checking for PIE support... no
configure: error: --enable-pie requires PIE support from the linker.

The two excerpts above, to my best understanding, belong to the same event. PIE means, IIUC, position independent executable (the way in which binaries are installed in a hardened system, like mine).
I do have in /etc/portage/make.conf :
PAX_MARKINGS="XT"

So this:
# paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
	PT_PAX : not found
	XATTR_PAX : -E---
#
[so this] is all regular.

I also have:
CONFIG_TMPFS_XATTR=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
in all my hardened kernels (including the running one).

When installing firefox-51.0.1 some three weeks ago I didn't have any issues, excerpt from the log in /var/log/portage/<firefox-51.0.1>.log :

checking for shmat... yes
checking for IceConnectionNumber in -lICE... yes
checking for --noexecstack option to as... yes
checking for -z noexecstack option to ld... yes
checking for -z text option to ld... yes
checking for --ignore-unresolved-symbol option to ld... yes
checking if toolchain supports -mssse3 option... yes
checking if toolchain supports -msse4.1 option... yes
checking for x86 AVX2 asm support in compiler... yes
checking for PIE support... yes
             ^^^^^^^^^^^^^
             |||||||||||||

See the PIE support... yes above. How's that not working now?
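The two grsec lines quoted in the report above, parsed and correlated so that each RWX mmap denial is tied to the exec that started the process. This is an added example, not part of the original thread; the sample log is constructed from the quoted lines with a shortened path, and the function names and the build_root default are assumptions.

```python
import re

# Constructed sample modelled on the two grsec lines in the report
# (build path shortened and written without whitespace; PIDs and uids as quoted).
SAMPLE = """\
Mar 21 10:08:26 g5n kernel: [172037.447577] grsec: (admin:S:/) exec of /var/tmp/portage/x/work/ff/_virtualenv/bin/python2.7 (/var/tmp/portage/x/work/ff/_virtualenv/bin/python2.7 - setuptools pip wheel ) by /var/tmp/portage/x/work/ff/_virtualenv/bin/python2.7[python2.7:15256] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254] uid/euid:250/250 gid/egid:250/250
Mar 21 10:08:26 g5n kernel: [172037.765438] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /var/tmp/portage/x/work/ff/_virtualenv/bin/python2.7[python2.7:15256] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254] uid/euid:250/250 gid/egid:250/250
"""

# "path[comm:pid] uid/euid:U/E gid/egid:G/E", used for the subject and its parent.
PROC = r"(?P<{p}path>/\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] uid/euid:(?P<{p}uid>\d+)/\d+ gid/egid:\d+/\d+"
LINE = re.compile(
    r"grsec: \((?P<role>[^)]*)\) (?P<event>.+?) by "
    + PROC.format(p="") + r", parent " + PROC.format(p="parent_")
)

def parse(log):
    """Yield one dict per grsec line: event text plus subject and parent process."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            d = m.groupdict()
            d["pid"], d["parent_pid"] = int(d["pid"]), int(d["parent_pid"])
            yield d

def rwx_denials(log, build_root="/var/tmp/portage/"):
    """Pair each 'denied RWX mmap' with the last exec logged for the same PID."""
    last_exec, out = {}, []
    for ev in parse(log):
        if ev["event"].startswith("exec of "):
            argv = re.search(r"\((.*)\)\s*$", ev["event"])
            last_exec[ev["pid"]] = argv.group(1).split() if argv else []
        elif ev["event"].startswith("denied RWX mmap"):
            out.append({
                "binary": ev["path"], "pid": ev["pid"], "uid": int(ev["uid"]),
                "parent": ev["parent_path"],
                "argv": last_exec.get(ev["pid"]),  # None if no exec was logged
                "in_build_tree": ev["path"].startswith(build_root),
            })
    return out

if __name__ == "__main__":
    for d in rwx_denials(SAMPLE):
        print(d)
```
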
Created attachment 467882
www-client_firefox-52.0.1_20170321-090648.log

(the attachment promised in the previous post)
Created attachment 467884
emerge--info_4.9.16-hardened

It doesn't work (all the errors are the same) with all the latest updates, including the hardened kernel.
Same error here, but I doubt it's related to python mmap:

configure:6567: checking for PIE support
configure:6578: [...]x86_64-pc-linux-gnu-gcc -std=gnu99 -o conftest -fno-lifetime-dse -fno-strict-aliasing -fno-math-errno -Wl,-O1 -Wl,--as-needed -Wl,-rpath=/usr/lib64/firefox,--enable-new-dtags -Wl,-z,relro,-z,now -Wl,-z,noexecstack -Wl,-z,text -pie conftest.c 1>&5
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: error: /var/tmp/portage/www-client/firefox-52.0.1/temp/xxxxxx.o: requires dynamic R_X86_64_PC32 reloc against '__stack_chk_fail' which may overflow at runtime; recompile with -fPIC
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: error: read-only segment has dynamic relocations
collect2: error: ld returned 1 exit status

As suggested, I added -fPIC to that check in old-configure and it was able to go past the PIE check to die later in js/src dir with same symptoms.
Wrong number, overlooked Bug 613340 somehow.
GOOD NEWS

I had the same error message, but ran "emerge -e @world" and the problem went away -- firefox-52.0.1 compiled fine when its turn came in the world rebuild.

Background More Detailed Information (might or might not be relevant):

On March 11 I switched from gcc-4.9.4 to gcc-5.4.0-r3 and, per the Wiki directions for changing from gcc 4 to gcc 5, I generated the list of programs using C++ (which included firefox-51.0.1) and emerged them. Firefox-51.0.1 compiled fine. I then immediately ran an "emerge -e @system".

On March 20 I attempted to compile firefox-52.0.1 and encountered the subject difficulty with an error message indicating missing PIE support in the linker. I then ran another "emerge -e @system" followed by an "emerge -e @world". When the "emerge -e @world" reached firefox-52.0.1 it compiled with no problems indicated.
(I don't believe it would be solved by just emerge -e @system in my case, as per the latter email.)

(In reply to ak from comment #4)
> Wrong number, overlooked Bug 613340 somehow.

Good that you made that mistake!

For me, it solved it after I bumped the old (not in portage testing, but I keep portage snapshots in the distfiles/) 51.0.1, and as per:

www-client/firefox-52.0.1: relocation R_X86_64_PC32 against undefined symbol `__stack_chk_fail@@GLIBC_2.4' can not be used when making a shared object; recompile with -fPIC
https://bugs.gentoo.org/show_bug.cgi?id=613340#c6

I added where this line (and the previous backslash) was missing (but I best give it with the context):

diff -u portage-20170227/www-client/firefox/firefox-51.0.1.ebuild /usr/portage/www-client/firefox/firefox-52.0.1.ebuild src_prepare() { # Apply our patches - eapply "${WORKDIR}/firefox" \ - "${FILESDIR}"/fix_hardened_pie_detection.patch + eapply "${WORKDIR}/firefox" # Enable gnomebreakpad

And... And now firefox-2.0.1 is compiling.

Of course, the relevant lines in configure looked like this:

grep -C3 PIE /var/log/portage/www-client\:firefox-52.0.1-r1\:20170322-114149.log
checking if toolchain supports -mssse3 option... yes
checking if toolchain supports -msse4.1 option... yes
checking for x86 AVX2 asm support in compiler... yes
checking for PIE support... yes

I'll be back only it would not build successfully.

Regards!
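Review bot: In src_prepare(), the eapply call loses "${FILESDIR}"/fix_hardened_pie_detection.patch with no replacement and no comment explaining why, while the configure output quoted in this thread for 52.0.1 reads "checking for PIE support... no" followed by "--enable-pie requires PIE support from the linker". Keep the patch in the eapply list (rebased if it no longer applies to 52), or add a comment in the ebuild stating where the equivalent fix now lives. If the second argument is restored, the trailing backslash after "${WORKDIR}/firefox" has to come back with it.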
Correct me if I'm wrong, pls. but I think this bug is the duplicate of that other one:

www-client/firefox-52.0.1: relocation R_X86_64_PC32 against undefined symbol `__stack_chk_fail@@GLIBC_2.4' can not be used when making a shared object; recompile with -fPIC
https://bugs.gentoo.org/show_bug.cgi?id=613340

and thus, this bug is resolved as well... (Pls. do correct me if I'm wrong.)

*** This bug has been marked as a duplicate of bug 613340 ***