| 1 |
On 06/07/14 17:48, "Tóth Attila" wrote: |
| 2 |
> 2014.Június 7.(Szo) 23:22 időpontban Alex Efros ezt írta: |
| 3 |
>> Some time ago I noticed this in kernel logs: |
| 4 |
>> kern.alert: grsec: denied RWX mmap of <anonymous mapping> by |
| 5 |
>> /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0 |
| 6 |
>> gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0 |
| 7 |
>> |
| 8 |
>> Looks like it doesn't break layman, but I still wonder why it happens and |
| 9 |
>> is it possible to fix this (without paxmarking python, of course)? |
| 10 |
> |
| 11 |
> I don't see this in my logs. The python executable has the "E" flag on my |
| 12 |
> systems. |
| 13 |
> |
| 14 |
> Dw. |
| 15 |
> |
| 16 |
|
| 17 |
Okay I need to document this loudly --- not sure how to do that except |
| 18 |
to just keep repeating it until it becomes public knowledge: |
| 19 |
|
| 20 |
When running with a pax kernel, you must enable EMUTRAMP in your Kconfig |
| 21 |
and you must paxmark your python exe's with E. Note: EMUTRAMP is on by |
| 22 |
default and the ebuild automatically does the markings for you, so leave |
| 23 |
the defaults alone. |
| 24 |
|
| 25 |
If you don't, python apps will hit rwx mmap denials by the pax kernel. |
| 26 |
Things like libffi try to work around this by spitting out little |
| 27 |
snippets of code to the filesystem when the mmap fails; but, if you have |
| 28 |
strict TPE on, even this workaround fails and you get a pretty dead |
| 29 |
system (all python apps badly crippled). There are various ways around |
| 30 |
this but we've settled on the EMUTRAMP solution. See |
| 31 |
|
| 32 |
https://bugs.gentoo.org/show_bug.cgi?id=484472 |
| 33 |
|
| 34 |
So my appologize everyone, we should do a better job at getting this |
| 35 |
information out. mea culpa. |
| 36 |
|
| 37 |
-- |
| 38 |
Anthony G. Basile, Ph. D. |
| 39 |
Chair of Information Technology |
| 40 |
D'Youville College |
| 41 |
Buffalo, NY 14201 |
| 42 |
(716) 829-8197 |
Archives