| 1 |
On 12/13/14 18:52, Karl-Johan Karlsson wrote: |
| 2 |
|
| 3 |
> |
| 4 |
> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to |
| 5 |
> call elog and fails. |
| 6 |
|
| 7 |
I'll fix this. I missed it when I copied from the eclass where we do |
| 8 |
want elog. |
| 9 |
|
| 10 |
> |
| 11 |
> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about it: |
| 12 |
> |
| 13 |
> |
| 14 |
> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev- |
| 15 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java |
| 16 |
> |
| 17 |
> # echo $? |
| 18 |
> 1 |
| 19 |
|
| 20 |
I intentionally left off diagnostics because in the middle of a build |
| 21 |
system you will know where it failed. make will stop on shell false. |
| 22 |
|
| 23 |
> |
| 24 |
> |
| 25 |
> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the code, |
| 26 |
> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails, the |
| 27 |
> entire thing returns failure. Unless PAX_MARKINGS is set, in which case that |
| 28 |
> controls which type of markings is used. It isn't set on this machine. |
| 29 |
|
| 30 |
That is the correct behavior. If you want for both PT and XATTR_PAX |
| 31 |
flags to be set and either fail (or both) you want ret=1. |
| 32 |
|
| 33 |
> |
| 34 |
> Problem number two: that's not what the docs say should happen. Acording to |
| 35 |
> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart: |
| 36 |
> |
| 37 |
> "If you decide on PaX marking method, you should adjust PAX_MARKINGS variable |
| 38 |
> in your /etc/portage/make.conf with either XT (for extended attributes) or PT |
| 39 |
> (for program header marking). You can set both XT PT if you wish. Default is |
| 40 |
> PT." |
| 41 |
|
| 42 |
So the real bug is that PAX_MARKINGS is not inherited in that |
| 43 |
environment. It is set according to that logic in the eclass which is |
| 44 |
inherited by the icedtea ebuild and should percolate down but apparently |
| 45 |
doesn't. Thanks that would have been hard to catch except in the wild. |
| 46 |
|
| 47 |
> |
| 48 |
> But why isn't XATTR_PAX working? I thought I completed that transition ages |
| 49 |
> ago. |
| 50 |
> |
| 51 |
|
| 52 |
> So it works on ext4, but not ext3, even though both have the ext_attr flag on |
| 53 |
> disk. Any difference in kernel support? |
| 54 |
> |
| 55 |
|
| 56 |
Because on ext3 you need to add user_xattr to the mount options. Either |
| 57 |
`mount -o user_xattr` or in fstab in column 4 like this |
| 58 |
|
| 59 |
/dev/sdb5 /tmp ext3 user_xattr 0 1 |
| 60 |
|
| 61 |
Its automatic on ext4. `man mount` for more info. Please let me know |
| 62 |
if this works for you. Is that in the Pax_Quickstart? If not we should |
| 63 |
add it. |
| 64 |
|
| 65 |
|
| 66 |
-- |
| 67 |
Anthony G. Basile, Ph. D. |
| 68 |
Chair of Information Technology |
| 69 |
D'Youville College |
| 70 |
Buffalo, NY 14201 |
| 71 |
(716) 829-8197 |
Archives