1 |
On 06/07/14 17:48, "Tóth Attila" wrote: |
2 |
> 2014.Június 7.(Szo) 23:22 időpontban Alex Efros ezt írta: |
3 |
>> Some time ago I noticed this in kernel logs: |
4 |
>> kern.alert: grsec: denied RWX mmap of <anonymous mapping> by |
5 |
>> /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0 |
6 |
>> gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0 |
7 |
>> |
8 |
>> Looks like it doesn't break layman, but I still wonder why it happens and |
9 |
>> is it possible to fix this (without paxmarking python, of course)? |
10 |
> |
11 |
> I don't see this in my logs. The python executable has the "E" flag on my |
12 |
> systems. |
13 |
> |
14 |
> Dw. |
15 |
> |
16 |
|
17 |
Okay I need to document this loudly --- not sure how to do that except |
18 |
to just keep repeating it until it becomes public knowledge: |
19 |
|
20 |
When running with a pax kernel, you must enable EMUTRAMP in your Kconfig |
21 |
and you must paxmark your python exe's with E. Note: EMUTRAMP is on by |
22 |
default and the ebuild automatically does the markings for you, so leave |
23 |
the defaults alone. |
24 |
|
25 |
If you don't, python apps will hit rwx mmap denials by the pax kernel. |
26 |
Things like libffi try to work around this by spitting out little |
27 |
snippets of code to the filesystem when the mmap fails; but, if you have |
28 |
strict TPE on, even this workaround fails and you get a pretty dead |
29 |
system (all python apps badly crippled). There are various ways around |
30 |
this but we've settled on the EMUTRAMP solution. See |
31 |
|
32 |
https://bugs.gentoo.org/show_bug.cgi?id=484472 |
33 |
|
34 |
So my appologize everyone, we should do a better job at getting this |
35 |
information out. mea culpa. |
36 |
|
37 |
-- |
38 |
Anthony G. Basile, Ph. D. |
39 |
Chair of Information Technology |
40 |
D'Youville College |
41 |
Buffalo, NY 14201 |
42 |
(716) 829-8197 |