| 1 |
Hi list, |
| 2 |
|
| 3 |
I seem to have at least three problems related to PaX markings simultaneously, |
| 4 |
and since it's after midnight here and I need to write down some notes anyway |
| 5 |
so I know how to continue tomorrow, I might as well send them out to the world |
| 6 |
and see if someone else solves my problems for me while I'm asleep. |
| 7 |
|
| 8 |
It all started when I couldn't upgrade from my existing dev- |
| 9 |
java/icedtea-7.2.4.5. Building dev-java/icedtea-7.2.5.3 failed, with the |
| 10 |
following messages at the bottom of the log: |
| 11 |
|
| 12 |
|
| 13 |
if [ -x /usr/sbin/paxmark.sh ] ; then \ |
| 14 |
if [ -w /export/portage/portage/dev- |
| 15 |
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ] ; then \ |
| 16 |
/usr/sbin/paxmark.sh -m /export/portage/portage/dev- |
| 17 |
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ; \ |
| 18 |
fi ; \ |
| 19 |
fi |
| 20 |
/usr/sbin/paxmark.sh: line 82: elog: command not found |
| 21 |
Makefile:124: recipe for target '/export/portage/portage/dev- |
| 22 |
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build- |
| 23 |
boot/classes/javax/management/ |
| 24 |
remote/rmi/RMIConnectionImpl_Stub.class' failed |
| 25 |
|
| 26 |
|
| 27 |
That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to |
| 28 |
call elog and fails. |
| 29 |
|
| 30 |
That code was introduced in 0.9.0 (actually, commit 41a91c04), but I've |
| 31 |
obviously managed to build icedtea before, so let's downgrade to 0.8.4 and try |
| 32 |
again. The build dies in the same location, but without the line complaining |
| 33 |
about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about it: |
| 34 |
|
| 35 |
|
| 36 |
# /usr/sbin/paxmark.sh -m /export/portage/portage/dev- |
| 37 |
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java |
| 38 |
|
| 39 |
# echo $? |
| 40 |
1 |
| 41 |
|
| 42 |
# paxctl-ng -v /export/portage/portage/dev- |
| 43 |
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java |
| 44 |
/export/portage/portage/dev- |
| 45 |
java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java: |
| 46 |
PT_PAX : -em-- |
| 47 |
XATTR_PAX : not found |
| 48 |
|
| 49 |
|
| 50 |
So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the code, |
| 51 |
paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails, the |
| 52 |
entire thing returns failure. Unless PAX_MARKINGS is set, in which case that |
| 53 |
controls which type of markings is used. It isn't set on this machine. |
| 54 |
|
| 55 |
Problem number two: that's not what the docs say should happen. Acording to |
| 56 |
https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart: |
| 57 |
|
| 58 |
"If you decide on PaX marking method, you should adjust PAX_MARKINGS variable |
| 59 |
in your /etc/portage/make.conf with either XT (for extended attributes) or PT |
| 60 |
(for program header marking). You can set both XT PT if you wish. Default is |
| 61 |
PT." |
| 62 |
|
| 63 |
But why isn't XATTR_PAX working? I thought I completed that transition ages |
| 64 |
ago. |
| 65 |
|
| 66 |
|
| 67 |
# paxctl-ng -v /bin/ls |
| 68 |
/bin/ls: |
| 69 |
PT_PAX : -e--- |
| 70 |
XATTR_PAX : not found |
| 71 |
|
| 72 |
|
| 73 |
Obviously not. Maybe I forgot this machine. Would it work? |
| 74 |
|
| 75 |
|
| 76 |
# paxctl-ng -F /bin/ls |
| 77 |
|
| 78 |
# paxctl-ng -v /bin/ls |
| 79 |
/bin/ls: |
| 80 |
PT_PAX : -e--- |
| 81 |
XATTR_PAX : -e--- |
| 82 |
|
| 83 |
|
| 84 |
Yes. So why couldn't paxmark.sh set XATTR_PAX? |
| 85 |
|
| 86 |
|
| 87 |
# paxctl-ng -d /bin/ls |
| 88 |
|
| 89 |
# paxctl-ng -v /bin/ls |
| 90 |
/bin/ls: |
| 91 |
PT_PAX : -e--- |
| 92 |
XATTR_PAX : not found |
| 93 |
|
| 94 |
# cp /bin/ls $PORTAGE_TMPDIR |
| 95 |
|
| 96 |
# paxctl-ng -v $PORTAGE_TMPDIR/ls |
| 97 |
/export/portage/ls: |
| 98 |
PT_PAX : -e--- |
| 99 |
XATTR_PAX : not found |
| 100 |
|
| 101 |
# paxctl-ng -F $PORTAGE_TMPDIR/ls |
| 102 |
|
| 103 |
# echo $? |
| 104 |
1 |
| 105 |
|
| 106 |
# paxctl-ng -v $PORTAGE_TMPDIR/ls |
| 107 |
/export/portage/ls: |
| 108 |
PT_PAX : -e--- |
| 109 |
XATTR_PAX : not found |
| 110 |
|
| 111 |
# strace paxctl-ng -F $PORTAGE_TMPDIR/ls 2>&1 | grep user.pax |
| 112 |
fsetxattr(3, "user.pax.flags", "e", 1, 0) = -1 EOPNOTSUPP (Operation not |
| 113 |
supported) |
| 114 |
|
| 115 |
|
| 116 |
OK, so XATTR_PAX works in /bin, but gets EOPNOTSUPP in $PORTAGE_TMPDIR. |
| 117 |
They're on different mounts, so that's not unreasonable. But where do they |
| 118 |
differ? |
| 119 |
|
| 120 |
|
| 121 |
# di -h /bin |
| 122 |
Filesystem Mount Size Used Avail %Used fs Type |
| 123 |
/dev/root / 75,0G 56,7G 14,5G 81% ext4 |
| 124 |
|
| 125 |
# di -h $PORTAGE_TMPDIR |
| 126 |
Filesystem Mount Size Used Avail %Used fs Type |
| 127 |
/dev/mapper/crypt- /export 2,5T 2,2T 258,8G 90% ext3 |
| 128 |
|
| 129 |
# grep -E ' (/|/export) ' /proc/mounts |
| 130 |
rootfs / rootfs rw 0 0 |
| 131 |
/dev/root / ext4 rw,relatime,data=ordered 0 0 |
| 132 |
/dev/mapper/crypt-export /export ext3 |
| 133 |
rw,noatime,errors=continue,barrier=1,data=ordered 0 0 |
| 134 |
|
| 135 |
# tune2fs -l /dev/root | grep ext_attr |
| 136 |
Filesystem features: has_journal ext_attr resize_inode dir_index filetype |
| 137 |
needs_recovery extent sparse_super large_file uninit_bg |
| 138 |
|
| 139 |
# tune2fs -l /dev/mapper/crypt-export | grep ext_attr |
| 140 |
Filesystem features: has_journal ext_attr resize_inode dir_index filetype |
| 141 |
needs_recovery sparse_super large_file |
| 142 |
|
| 143 |
|
| 144 |
So it works on ext4, but not ext3, even though both have the ext_attr flag on |
| 145 |
disk. Any difference in kernel support? |
| 146 |
|
| 147 |
|
| 148 |
# uname -r |
| 149 |
3.16.5-hardened |
| 150 |
|
| 151 |
# gunzip -c /proc/config.gz | grep XATTR |
| 152 |
CONFIG_EXT3_FS_XATTR=y |
| 153 |
CONFIG_TMPFS_XATTR=y |
| 154 |
CONFIG_PAX_XATTR_PAX_FLAGS=y |
| 155 |
|
| 156 |
# gunzip -c /proc/config.gz | grep EXT[34] |
| 157 |
CONFIG_EXT3_FS=y |
| 158 |
CONFIG_EXT3_DEFAULTS_TO_ORDERED=y |
| 159 |
CONFIG_EXT3_FS_XATTR=y |
| 160 |
# CONFIG_EXT3_FS_POSIX_ACL is not set |
| 161 |
CONFIG_EXT3_FS_SECURITY=y |
| 162 |
CONFIG_EXT4_FS=y |
| 163 |
CONFIG_EXT4_USE_FOR_EXT23=y |
| 164 |
# CONFIG_EXT4_FS_POSIX_ACL is not set |
| 165 |
CONFIG_EXT4_FS_SECURITY=y |
| 166 |
# CONFIG_EXT4_DEBUG is not set |
| 167 |
|
| 168 |
|
| 169 |
Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it should |
| 170 |
be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set. |
| 171 |
|
| 172 |
Which brings us to problem number three: why aren't xattrs working in |
| 173 |
$PORTAGE_TMPDIR on ext3 when they are in /bin on ext4? |
| 174 |
|
| 175 |
Problems one and two are clearly bugs, one in sys-apps/elfix and two in sys- |
| 176 |
apps/elfix or the documentation. Should I file them in Bugzilla, or is this |
| 177 |
mail enough? |
| 178 |
|
| 179 |
Problem three seems to be unique to this machine. Does anyone know what's |
| 180 |
going on? |
| 181 |
|
| 182 |
-- |
| 183 |
Karl-Johan Karlsson |
Archives