Issue 607 v8 build fails on Gentoo Hardened Linux when built as part of www-client/chromium-5.0.307.5
Starred by 9 users. Reported by damienka...@gmail.com, Feb 10 2010
Status: PendingFurtherInfo
Owner: ----
Closed: Jul 2014
HW: ----
OS: ----
Priority: ----
Type: ----

I have been trying to build chromium on a Gentoo Hardened workstation. The
build fails because mksnapshot is killed by pax.

http://bugs.gentoo.org/show_bug.cgi?id=301880

I have built the code by hand which completes but for some reason the
packaged version uses a binary that violates one of the execution
restrictions enforced in hardened Linux. 
 
The full details of the bug report on bugs.gentoo.org are:

When building www-client/chromium-4.0.295.0 on a Gentoo Hardened box the build
fails with error:

export
LD_LIBRARY_PATH=/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/lib.host:/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/lib.target:$LD_LIBRARY_PATH;
cd v8/tools/gyp; mkdir -p
/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/obj.target/geni;
"/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot"
"/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/obj.target/geni/snapshot.cc"
/bin/sh: line 1: 22008 Killed                 
"/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot"
"/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/obj.target/geni/snapshot.cc"
make: *** [out/Release/obj.target/geni/snapshot.cc] Error 137
 *
 * ERROR: www-client/chromium-4.0.295.0 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_compile
 *             environment, line 2248:  Called die
 * The specific snippet of code:
 *       emake -r V=1 chrome chrome_sandbox BUILDTYPE=Release rootdir="${S}"
CC=$(tc-getCC) CXX=$(tc-getCXX) AR=$(tc-getAR) RANLIB=$(tc-getRANLIB) || die
"compilation failed"

dmesg:

[ 7175.553500] PAX: execution attempt in: <anonymous mapping>,
4b3f6000-4b497000 4b3f6000
[ 7175.553505] PAX: terminating task:
/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot(mksnapshot):22008,
uid/euid: 0/0, PC: 4b4366c0, SP: b9e3da1c
[ 7175.553512] PAX: bytes at PC: 55 8b ec 6a 02 6a 02 57 56 53 ff 35 94 aa 9b
1c 83 3d 9c aa
[ 7175.553519] PAX: bytes at SP-4:
[ 7175.553532] grsec: denied resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 for
/var/tmp/portage/www-client/chromium-4.0.295.0/work/chromium-4.0.295.0/out/Release/mksnapshot[mksnapshot:22008]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:22006] uid/euid:0/0 gid/egid:0/0



Reproducible: Always

Steps to Reproduce:
1. emerge www-client/chromium-4.0.295.0

Actual Results:  
Pax kills mksnapshot which is built as part of the general build due to
switching an executable bit. I have tried using paxctl to remove the restriction
which does mean I can run that part by hand but then fails later.

Expected Results:  
chromium builds.

emerge --info
Portage 2.1.6.13 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.10.1-r1,
2.6.28-hardened-r9 i686)
=================================================================
System uname:
Linux-2.6.28-hardened-r9-i686-AMD_Athlon-tm-_Dual_Core_Processor_4850e-with-gentoo-1.12.13
Timestamp of tree: Fri, 22 Jan 2010 22:00:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
app-shells/bash:     4.0_p35
dev-java/java-config: 2.1.10
dev-lang/python:     2.6.4
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
/etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/
/etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild
/etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms
strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.qubenet.net/mirror/gentoo/ "
LDFLAGS="-Wl,-O1"
LINGUAS="en_GB en"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi alsa apache2 apm aspell bash-completion
bittorrent bzip2 calendar cddb cdinstall cdparanoia cdr chroot clamav cli
consolekit cracklib crypt css cups cvs cxx dbus dbx dedicated directfb dri dvd
dvdr encode ffmpeg firefox fortran gdbm gif gimp glut gpm hardened hddtemp
iconv java javascript jpeg jpeg2k kde latex log4j mad maildir mbox mhash midi
mmx mmxext mng modules mp3 mpeg mplayer mudflap mysql ncurses nls nptl nptlonly
nsplugin offensive ogg opengl openmp pam pax pcre pdf perl php pic pie png pppd
python qt3support quicktime raw rdesktop readline reflection samba sdl server
session spell spl sql sse sse2 ssh ssl subversion svg svnserve sysfs tcpd tetex
threads tidy tiff truetype udev unicode urandom vcd videos vim-syntax vnc
vorbis webkit win32codecs wmf x264 x86 xine xml xorg xv xvid xvmc zip zlib"
ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter
mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm
authn_default authn_file authz_dbm authz_default authz_groupfile authz_host
authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir
disk_cache env expires ext_filter file_cache filter headers include info
log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling
status unique_id userdir usertrack vhost_alias" ELIBC="glibc"
INPUT_DEVICES="mouse keyboard joystick evdev" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en_GB en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa
nv nvidia v4l"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG,
LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

The solution is to run paxctl -m mksnapshot during the build process (if paxctl is 
present; the absolute path is /sbin/paxctl).
Status: PendingFurtherInfo
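
The build step described in the last comment, written out as an added example (not code from this thread or from the Chromium or Gentoo build scripts). The function name `pax_allow_jit` and the `PAXCTL` override variable are hypothetical, and the `-c` header-conversion retry is an addition for binaries that have no PT_PAX_FLAGS header. The exemption is applied to the one named file only, and the resulting flags are written to the build log so the relaxation can be audited.

```shell
#!/bin/sh
# Added example: relax PaX MPROTECT for a single build-time binary
# (here mksnapshot) and for nothing else.
# PAXCTL defaults to the absolute path given in the comment above;
# the override is a hypothetical hook so the step can be tested.
PAXCTL="${PAXCTL:-/sbin/paxctl}"

# pax_allow_jit FILE
# Returns 0 if FILE was marked, or if paxctl is not installed
# (non-hardened build host). Returns 1 on any error.
pax_allow_jit() {
    target="$1"
    if [ ! -f "$target" ]; then
        echo "pax_allow_jit: $target: not a regular file" >&2
        return 1
    fi
    # "if paxctl is present": hosts without PaX have nothing to mark.
    if [ ! -x "$PAXCTL" ]; then
        echo "pax_allow_jit: $PAXCTL not found, skipping $target" >&2
        return 0
    fi
    # -m disables MPROTECT for this ELF file only, which lets it
    # execute code from an anonymous mapping it has written to.
    if "$PAXCTL" -m "$target" 2>/dev/null; then
        :
    # Assumption: if marking fails because the binary lacks a
    # PT_PAX_FLAGS header, -c converts PT_GNU_STACK into one first.
    elif "$PAXCTL" -cm "$target"; then
        :
    else
        echo "pax_allow_jit: could not mark $target" >&2
        return 1
    fi
    # Record the resulting flags in the build log for later audit.
    "$PAXCTL" -v "$target" >&2 || true
    return 0
}
```

In a build this would be called as `pax_allow_jit out/Release/mksnapshot` after the binary is linked and before the snapshot generation step runs it.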