Hello!

Just a short follow-up: I installed 319.49 as well, but the situation
is the same. A lot of applications give this error:

error while loading shared libraries: libGL.so.1: failed to map
segment from shared object: Operation not permitted

So no difference between 325.15 and 319.49 from this point of view.

I kept MPROTECT after all as you guys recommended, and I decided to use
revdep-pax. Unfortunately I encountered the following issue:

# revdep-pax -m -l /usr/lib/libGL.so
libGL.so.1 /usr/lib64/opengl/nvidia/lib/libGL.so.319.49 :X86_64 (-em--)

/usr/bin/cairo-sphinx ( -e--- )
/usr/bin/glxgears ( -e--- )
/usr/lib64/libcairo.so.2.11200.14 ( -e--- )
/usr/bin/vwebp ( -e--- )
/usr/lib64/libwebkitgtk-1.0.so.0.13.4 ( -e--- )
/usr/bin/glxinfo ( -e--- )
/usr/bin/xdriinfo ( -e--- )
/usr/lib64/libglut.so.3.9.0 ( -e--- )
/usr/lib64/libva-glx.so.1.3300.0 ( -e--- )
/usr/lib64/libGLU.so.1.3.1 ( -e--- )
/usr/lib64/va/drivers/vdpau_drv_video.so ( -e--- )

Will mark elf with -em--

Set flags for /usr/bin/cairo-sphinx (y/n): y

/usr/bin/cairo-sphinx ( ----- )

Set flags for /usr/bin/glxgears (y/n): y

/usr/bin/glxgears ( ----- )

The script actually *erased* the pax markings, instead of marking with
-em--:

# paxctl-ng -v /usr/bin/glxgears
/usr/bin/glxgears:
PT_PAX : -----
XATTR_PAX : -----

Do you have any ideas about this issue?

Notes: I use PT markings in kernel, and I have PAX_MARKINGS="PT" in
make.conf.

Thanks,
Balint

On Sat, 14 Sep 2013 15:33:56 +0300
Balint Szente <balint@×××××××××.ro> wrote:

> [...]
> I understand and fully agree that CONFIG_PAX_MPROTECT is very
> important for security. However, I had to "-m" mark *a lot* of
> applications:
>
> Xorg, i3, i3bar, i3-nagbar and even "simple" GTK applications like
> claws-mail that has nothing to do with GLX (or maybe GTK has).
>
> I'm aware of the latest-stable ebuild issue with the pax-const.patch,
> but do you think it would make a difference from MPROTECT marking
> point of view? Is 319.49 behaving "more nicely" than 325.15?