| 1 |
Hello! |
| 2 |
|
| 3 |
|
| 4 |
Just a short follow-up: I installed 319.49 as well, but the situation |
| 5 |
is the same. A lot of applications give this error: |
| 6 |
|
| 7 |
error while loading shared libraries: libGL.so.1: failed to map |
| 8 |
segment from shared object: Operation not permitted |
| 9 |
|
| 10 |
So no difference between 325.15 and 319.49 from this point of view. |
| 11 |
|
| 12 |
I kept MPROTECT after all as you guys recommended, and I decided to use |
| 13 |
revdep-pax. Unfortunately I encountered the following issue: |
| 14 |
|
| 15 |
# revdep-pax -m -l /usr/lib/libGL.so |
| 16 |
libGL.so.1 /usr/lib64/opengl/nvidia/lib/libGL.so.319.49 :X86_64 (-em--) |
| 17 |
|
| 18 |
/usr/bin/cairo-sphinx ( -e--- ) |
| 19 |
/usr/bin/glxgears ( -e--- ) |
| 20 |
/usr/lib64/libcairo.so.2.11200.14 ( -e--- ) |
| 21 |
/usr/bin/vwebp ( -e--- ) |
| 22 |
/usr/lib64/libwebkitgtk-1.0.so.0.13.4 ( -e--- ) |
| 23 |
/usr/bin/glxinfo ( -e--- ) |
| 24 |
/usr/bin/xdriinfo ( -e--- ) |
| 25 |
/usr/lib64/libglut.so.3.9.0 ( -e--- ) |
| 26 |
/usr/lib64/libva-glx.so.1.3300.0 ( -e--- ) |
| 27 |
/usr/lib64/libGLU.so.1.3.1 ( -e--- ) |
| 28 |
/usr/lib64/va/drivers/vdpau_drv_video.so ( -e--- ) |
| 29 |
|
| 30 |
Will mark elf with -em-- |
| 31 |
|
| 32 |
Set flags for /usr/bin/cairo-sphinx (y/n): y |
| 33 |
|
| 34 |
/usr/bin/cairo-sphinx ( ----- ) |
| 35 |
|
| 36 |
Set flags for /usr/bin/glxgears (y/n): y |
| 37 |
|
| 38 |
/usr/bin/glxgears ( ----- ) |
| 39 |
|
| 40 |
The script actually *erased* the pax markings, instead of marking with |
| 41 |
-em--: |
| 42 |
|
| 43 |
# paxctl-ng -v /usr/bin/glxgears |
| 44 |
/usr/bin/glxgears: |
| 45 |
PT_PAX : ----- |
| 46 |
XATTR_PAX : ----- |
| 47 |
|
| 48 |
Do you have any ideas about this issue? |
| 49 |
|
| 50 |
Notes: I use PT markings in kernel, and I have PAX_MARKINGS="PT" in |
| 51 |
make.conf. |
| 52 |
|
| 53 |
Thanks, |
| 54 |
Balint |
| 55 |
|
| 56 |
On Sat, 14 Sep 2013 15:33:56 +0300 |
| 57 |
Balint Szente <balint@×××××××××.ro> wrote: |
| 58 |
|
| 59 |
> [...] |
| 60 |
> I understand and fully agree that CONFIG_PAX_MPROTECT is very |
| 61 |
> important for security. However, I had to "-m" mark *a lot* of |
| 62 |
> applications: |
| 63 |
> |
| 64 |
> Xorg, i3, i3bar, i3-nagbar and even "simple" GTK applications like |
| 65 |
> claws-mail that has nothing with GLX (or maybe GTK has). |
| 66 |
> |
| 67 |
> I'm aware of the latest-stable ebuild issue with the pax-const.patch, |
| 68 |
> but do you think it would make a difference from MPROTECT marking |
| 69 |
> point of view? Is 319.49 behaving "more nicely" then 325.15? |
Archives