| 1 |
2013.Május 30.(Cs) 17:45 időpontban Magnus Granberg ezt írta: |
| 2 |
> torsdag 30 maj 2013 11.13.45 skrev Anthony G. Basile: |
| 3 |
>> |
| 4 |
>> migrate-pax also will copy PT_PAX to XATTR_PAX flags identically with |
| 5 |
>> one exception, if PT_PAX = "-e---" then no user.pax.flags xattr is |
| 6 |
>> created. I am always thinking in terms of either PAX_PT_PAX_FLAGS xor |
| 7 |
>> PAX_XATTR_PAX_FLAGS is on, not both. When both are on, we fall back on |
| 8 |
>> what you describe. So I adopted the approach: don't copy "-e---" to |
| 9 |
>> XATTR_PAX and when you reboot into a PAX_PT_PAX_FLAGS=n and |
| 10 |
>> PAX_XATTR_PAX_FLAGS=y kernel, you'll get the desired behavior. |
| 11 |
>> |
| 12 |
>> A good approach or no? |
| 13 |
> To use xattr pax flags PAX_MARKINGS need to be set to XT in make.conf |
| 14 |
> else will portage default to PT when marking. |
| 15 |
> Python need EMUTRAMP enable in the kernel with newer libffi and python |
| 16 |
> and have the E mark on the binary. |
| 17 |
> /Magnus |
| 18 |
> |
| 19 |
> |
| 20 |
|
| 21 |
Thx for pointing that out. |
| 22 |
|
| 23 |
Note, that pax-utils eclass gentoo page describes the default action |
| 24 |
twice, differently: |
| 25 |
http://devmanual.gentoo.org/eclass-reference/pax-utils.eclass/index.html |
| 26 |
In the DESCRIPTION: |
| 27 |
"To control what markings are made, set PAX_MARKINGS in |
| 28 |
/etc/portage/make.conf to contain either "PT", "XT" or "none". The default |
| 29 |
is to attempt both PT_PAX and XATTR_PAX." |
| 30 |
In ECLASS VARIABLES: |
| 31 |
"Control which markings are made: PT = PT_PAX markings, XT = XATTR_PAX |
| 32 |
markings Default to PT markings." |
| 33 |
It would be good to make it unambiguous. |
| 34 |
|
| 35 |
I've appended PAX_MARKINGS="XT" to my make.conf, emerging python 3.2 dies |
| 36 |
in install phase with the following log snippet: |
| 37 |
--- |
| 38 |
Skipping: CDSL_CURRENT = INT_MAX |
| 39 |
* XT PaX marking -E with paxctl-ng |
| 40 |
* python |
| 41 |
>>> Source compiled. |
| 42 |
>>> Test phase [not enabled]: dev-lang/python-3.2.5 |
| 43 |
|
| 44 |
>>> Install python-3.2.5 into |
| 45 |
/var/tmp/portage/dev-lang/python-3.2.5/image/ category dev-lang |
| 46 |
make -j3 DESTDIR=/var/tmp/portage/dev-lang/python-3.2.5/image/ altinstall |
| 47 |
Creating directory /usr/bin |
| 48 |
/bin/sh: line 5: 24666 Killed |
| 49 |
LD_LIBRARY_PATH=/var/tmp/portage/dev-lang/python-3.2.5/work/x86_64-pc-linux-gnu: |
| 50 |
CC='x86_64-pc-linux-gnu-gcc -pthread' LDSHARED='x86_64-pc-linux-gnu-gcc |
| 51 |
-pthread -shared -Wl,-O1 -Wl,--as-needed -L. -Wl,-O1 -Wl,--as-needed -L.' |
| 52 |
CFLAGS=' -DNDEBUG -O2 -march=corei7-avx -pipe -fwrapv -O2 |
| 53 |
-march=corei7-avx -pipe -fwrapv ' ./python -E |
| 54 |
/var/tmp/portage/dev-lang/python-3.2.5/work/Python-3.2.5/setup.py $quiet |
| 55 |
build |
| 56 |
make: *** [sharedmods] Error 137 |
| 57 |
make: Creating directory /usr/include |
| 58 |
*** Waiting for unfinished jobs.... |
| 59 |
--- |
| 60 |
|
| 61 |
Let's check the marking on two python binaries. |
| 62 |
|
| 63 |
First the python binary the install tries to execute in the arch directory: |
| 64 |
paxctl-ng -v |
| 65 |
/var/tmp/portage/dev-lang/python-3.2.5/work/x86_64-pc-linux-gnu/python |
| 66 |
/var/tmp/portage/dev-lang/python-3.2.5/work/x86_64-pc-linux-gnu/python: |
| 67 |
PT_PAX : -e--- |
| 68 |
XATTR_PAX : -E--- |
| 69 |
|
| 70 |
If I try to manually execute the binary in the arch directory having XT |
| 71 |
emutramp enabled, it results in an instant kill. If I disable emutramp for |
| 72 |
both PT and XT, the binary executes fine. |
| 73 |
|
| 74 |
Next the python binary located in the image directory: |
| 75 |
axctl-ng -v /var/tmp/portage/dev-lang/python-3.2.5/image/usr/bin/python3.2 |
| 76 |
/var/tmp/portage/dev-lang/python-3.2.5/image/usr/bin/python3.2: |
| 77 |
PT_PAX : -e--- |
| 78 |
XATTR_PAX : not found |
| 79 |
|
| 80 |
If I try to manually execute the binary in the image directory, it shows |
| 81 |
normal behavior and display the python interpreter's prompt. |
| 82 |
|
| 83 |
My conclusions: |
| 84 |
On my systems XT markings make.conf entry causes troubles during the |
| 85 |
install phase while emerging python. |
| 86 |
The reason for the fail is that the binary gets killed instantly with |
| 87 |
EMUTRAMP on for XT. |
| 88 |
The binary in the image directory lack XT markings. I don't know if later |
| 89 |
it would get further markings, but it seems to me the markings are |
| 90 |
performed just before the install phase. |
| 91 |
|
| 92 |
So EMUTRAMP seems to harm python's normal execution and it's possible the |
| 93 |
necessary XT markings would not happen on the actual binary which will be |
| 94 |
qmerged to the system - as expected. |
| 95 |
|
| 96 |
I'm using the latest elfix from the hardened overlay, have this one |
| 97 |
specified in my repos.conf: |
| 98 |
--- |
| 99 |
[DEFAULT] |
| 100 |
# eclasses provided by hardened-dev takes precedence over |
| 101 |
# identically named eclasses that are provided by gentoo |
| 102 |
eclass-overrides = hardened-dev |
| 103 |
|
| 104 |
[gentoo] |
| 105 |
eclass-overrides = hardened-dev |
| 106 |
--- |
| 107 |
And I'm doing emerge --regen routinely after portage & layman syncs. |
| 108 |
|
| 109 |
I would be more than happy for doing some further testing or providing |
| 110 |
more info as needed. |
| 111 |
|
| 112 |
Regards: |
| 113 |
Dw. |
| 114 |
-- |
| 115 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 116 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
Archives