From: Thomas Klausner <wiz@NetBSD.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: 23371@debbugs.gnu.org
Subject: bug#23371: emacs: paxctl usage on NetBSD
Date: Thu, 28 Apr 2016 00:50:37 +0200
Message-ID: <20160427225037.GQ7662@danbala.tuwien.ac.at>
In-Reply-To: <3f6aba54-4f40-817c-24f9-942b033d2289@cs.ucla.edu>
[-- Attachment #1: Type: text/plain, Size: 3590 bytes --]
On Wed, Apr 27, 2016 at 12:38:53PM -0700, Paul Eggert wrote:
> On 04/27/2016 08:54 AM, Thomas Klausner wrote:
> >>configure.ac says
> >>that paxctl is used only when the operating system is GNU/Linux, unless one
> >>manually configures by setting PAXCTL in the environment or using a
> >>PAXCTL=/some/path argument to 'configure'.
> >That's true, but src/Makefile.in ignores that:
> >PAXCTL_if_present = $(or $(PAXCTL),: paxctl)
>
> I guess I'm still not following. On non-GNU/Linux hosts, $(PAXCTL) should be
> empty because paxctl is not searched for, so PAXCTL_if_present should be ':
> paxctl', i.e., a no-op shell command. And yet you reported that your build
> used 'paxctl -zex' and 'paxctl -r'. Perhaps your build was actually using
> the no-ops ': paxctl -zex' and ': paxctl -r' and you didn't notice the
> colons? That is, perhaps you replaced ': paxctl -zex' (with a prefix colon)
> with 'paxctl +a' (without the colon)?

You're right, I didn't do exactly what I described.

The build system as-is does not use paxctl on NetBSD, so this breaks
when ASLR is enabled. I run the following sed expressions on
src/Makefile.in:

's,$$(PAXCTL_if_present) -zex,/usr/sbin/paxctl +a,g'
's,$$(PAXCTL_if_present) -r,/usr/sbin/paxctl +a,g'

> >My version is attached (I added some more paxctl's for the symlinks
> >when the original version didn't work.) I hope I didn't break it.
>
> Did it work with your version?
No, I just posted it so you can see what I did.
> If so, does 'ln' and/or 'mv' remove the mark placed on an executable by
> 'paxctl +a'? and if that happens, how does 'make install' avoid removing the
> mark in the installed Emacs?
>
> If not, then I'm afraid I'm lost.

All of cp, mv, and ln keep the paxctl settings:

# paxctl a
PaX flags:
a: ASLR, explicit disable
# cp a b
# paxctl b
PaX flags:
a: ASLR, explicit disable
# ln b c
# paxctl c
PaX flags:
a: ASLR, explicit disable
# mv c d
# paxctl d
PaX flags:
a: ASLR, explicit disable

I wasn't sure of that, so I added the extra ones, since it wasn't
working. It's not necessary, so I removed it again.

> Also, I noticed that you removed the indenting on some of the 'ifeq' lines
> in src/Makefile.in; why was that necessary?
Because the patch didn't apply cleanly, I had to manually apply it,
and I didn't indent it correctly, sorry.

So perhaps there is a different problem and paxctl is not properly
detected or applied even with your patch. Let's look more closely:

PAXCTL_dumped value:

work/emacs/config.log:PAXCTL_dumped='$(PAXCTL) +a'
work/emacs/lib/Makefile:PAXCTL_dumped = $(PAXCTL) +a
work/emacs/src/Makefile:PAXCTL_dumped = $(PAXCTL) +a

PAXCTL itself:

work/emacs/config.log:PAXCTL='/usr/sbin/paxctl'
work/emacs/lib/Makefile:PAXCTL = /usr/sbin/paxctl
work/emacs/src/Makefile:PAXCTL = /usr/sbin/paxctl

But PAXCTL_notdumped is empty.

work/emacs/config.status:S["PAXCTL_notdumped"]=""
work/emacs/lib/Makefile:PAXCTL_notdumped =
work/emacs/src/Makefile:PAXCTL_notdumped =

On Linux this uses paxctl -r, which, according to
http://man.he.net/man1/paxctl is:

-r do not randomize memory regions (NORANDMMAP)

While on NetBSD, +a does:

a Explicitly disable PaX ASLR (Address Space Layout Randomization)
for program.

So perhaps notdumped also needs to call paxctl +a, like my sed
expressions do.

(later)

Yes, that's it. I've defined PAXCTL_notdumped to the same value as
PAXCTL_dumped and emacs builds fine now -- basically, one additional
line to configure.ac in the netbsd case.

I'll attach my patches again, just to make it absolutely clear.

Thanks,
Thomas

[-- Attachment #2: patch-configure.ac --]
[-- Type: text/plain, Size: 2445 bytes --]
$NetBSD$
Problem reported by Thomas Klausner (Bug#23371).
* configure.ac (PAXCTL_dumped, PAXCTL_notdumped): New vars.
Set them to setfattr and/or paxctl commands appropriate for
GNU/Linux and/or NetBSD; the latter prefers paxctl +a. Search
for paxctl only if setfattr is not found.
* src/Makefile.in (PAXCTL_dumped, PAXCTL_notdumped):
New vars, replacing PAXCTL_if_present and SETFATTR_if_present.
All uses changed.
--- configure.ac.orig 2016-04-22 16:23:52.000000000 +0000
+++ configure.ac
@@ -1159,16 +1159,9 @@ AC_PATH_PROG(GZIP_PROG, gzip)
test $with_compress_install != yes && test -n "$GZIP_PROG" && \
GZIP_PROG=" # $GZIP_PROG # (disabled by configure --without-compress-install)"
+PAXCTL_dumped=
+PAXCTL_notdumped=
if test $opsys = gnu-linux; then
- AC_PATH_PROG(PAXCTL, paxctl,,
- [$PATH$PATH_SEPARATOR/sbin$PATH_SEPARATOR/usr/sbin])
- if test "X$PAXCTL" != X; then
- AC_MSG_CHECKING([whether binaries have a PT_PAX_FLAGS header])
- AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
- [if $PAXCTL -v conftest$EXEEXT >/dev/null 2>&1; then AC_MSG_RESULT(yes)
- else AC_MSG_RESULT(no); PAXCTL=""; fi])
- fi
-
if test "${SETFATTR+set}" != set; then
AC_CACHE_CHECK([for setfattr],
[emacs_cv_prog_setfattr],
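Review bot: The two unconditional assignments 'PAXCTL_dumped=' and 'PAXCTL_notdumped=' added above 'if test $opsys = gnu-linux' discard any value passed in the environment or on the configure command line, whereas PAXCTL can be preset that way (as noted earlier in this thread) and SETFATTR is honoured through the '${SETFATTR+set}' test. Either assign only when the variable is unset, or state in a comment that these two are derived values and only PAXCTL and SETFATTR are user-settable.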
@@ -1179,6 +1172,7 @@ if test $opsys = gnu-linux; then
emacs_cv_prog_setfattr=no
fi])
if test "$emacs_cv_prog_setfattr" = yes; then
+ PAXCTL_notdumped='$(SETFATTR) -n user.pax.flags -v er'
SETFATTR=setfattr
else
SETFATTR=
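Review bot: On the setfattr path the dumped binary loses its '-zex' step: the added line sets only PAXCTL_notdumped, and because the later case matches 'gnu-linux,' only while PAXCTL_notdumped is still empty, paxctl is never searched for and PAXCTL_dumped stays empty. The old src/Makefile.in ran '$(PAXCTL_if_present) -zex' on the dumped binary whenever paxctl was usable, independently of setfattr. The log entry says the search order is deliberate; add a comment at this assignment saying that skipping the dumped-binary step on the setfattr path is intended as well.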
@@ -1187,6 +1181,32 @@ if test $opsys = gnu-linux; then
AC_SUBST([SETFATTR])
fi
fi
+case $opsys,$PAXCTL_notdumped in
+ gnu-linux, | netbsd,)
+ AC_PATH_PROG([PAXCTL], [paxctl], [],
+ [$PATH$PATH_SEPARATOR/sbin$PATH_SEPARATOR/usr/sbin])
+ if test -n "$PAXCTL"; then
+ if test "$opsys" = netbsd; then
+ PAXCTL_dumped='$(PAXCTL) +a'
+ PAXCTL_notdumped='$(PAXCTL) +a'
+ else
+ AC_MSG_CHECKING([whether binaries have a PT_PAX_FLAGS header])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
+ [if $PAXCTL -v conftest$EXEEXT >/dev/null 2>&1; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ PAXCTL=
+ fi])
+ if test -n "$PAXCTL"; then
+ PAXCTL_dumped='$(PAXCTL) -zex'
+ PAXCTL_notdumped='$(PAXCTL) -r'
+ fi
+ fi
+ fi;;
+esac
+AC_SUBST([PAXCTL_dumped])
+AC_SUBST([PAXCTL_notdumped])
## Need makeinfo >= 4.7 (?) to build the manuals.
if test "$MAKEINFO" != "no"; then
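Review bot: The netbsd branch assigns '$(PAXCTL) +a' to both variables as soon as a paxctl is found on the search path, with no probe, while the gnu-linux branch first runs '$PAXCTL -v conftest$EXEEXT' and clears PAXCTL when that fails. A matching AC_LINK_IFELSE check that '$PAXCTL +a conftest$EXEEXT' succeeds would stop a paxctl that cannot mark the binary from surfacing only as a failed recipe line at dump time. Since '+a' explicitly disables ASLR and the mark survives cp, ln and mv (see the transcript in this message), the installed emacs keeps it; a comment here should say whether the dumped binary needs that at run time or only temacs needs it while dumping.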
[-- Attachment #3: patch-src_Makefile.in --]
[-- Type: text/plain, Size: 2169 bytes --]
$NetBSD$
Problem reported by Thomas Klausner (Bug#23371).
* configure.ac (PAXCTL_dumped, PAXCTL_notdumped): New vars.
Set them to setfattr and/or paxctl commands appropriate for
GNU/Linux and/or NetBSD; the latter prefers paxctl +a. Search
for paxctl only if setfattr is not found.
* src/Makefile.in (PAXCTL_dumped, PAXCTL_notdumped):
New vars, replacing PAXCTL_if_present and SETFATTR_if_present.
All uses changed.
--- src/Makefile.in.orig 2016-04-17 20:51:40.000000000 +0000
+++ src/Makefile.in
@@ -114,8 +114,9 @@ TEMACS_LDFLAGS = $(LD_SWITCH_SYSTEM) $(L
## around this, newer ones setfattr. See Bug#11398 and Bug#16343.
PAXCTL = @PAXCTL@
SETFATTR = @SETFATTR@
-PAXCTL_if_present = $(or $(PAXCTL),: paxctl)
-SETFATTR_if_present = $(or $(SETFATTR),: setfattr)
+## Commands to set PaX flags on dumped and not-dumped instances of Emacs.
+PAXCTL_dumped = @PAXCTL_dumped@
+PAXCTL_notdumped = @PAXCTL_notdumped@
## Some systems define this to request special libraries.
LIBS_SYSTEM=@LIBS_SYSTEM@
@@ -542,8 +543,10 @@ ifeq ($(CANNOT_DUMP),yes)
ln -f temacs$(EXEEXT) $@
else
LC_ALL=C $(RUN_TEMACS) -batch $(BUILD_DETAILS) -l loadup dump
- $(PAXCTL_if_present) -zex $@
+ifneq ($(PAXCTL_dumped),)
+ $(PAXCTL_dumped) $@
+endif
ln -f $@ bootstrap-emacs$(EXEEXT)
endif
## We run make-docfile twice because the command line may get too long
@@ -606,8 +612,9 @@ temacs$(EXEEXT): $(LIBXMENU) $(ALLOBJS)
-o temacs $(ALLOBJS) $(LIBEGNU_ARCHIVE) $(W32_RES_LINK) $(LIBES)
$(MKDIR_P) $(etc)
ifneq ($(CANNOT_DUMP),yes)
- $(PAXCTL_if_present) -r $@
- $(SETFATTR_if_present) -n user.pax.flags -v er $@
+ ifneq ($(PAXCTL_notdumped),)
+ $(PAXCTL_notdumped) $@
+ endif
endif
## The following oldxmenu-related rules are only (possibly) used if
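Review bot: The 'ifneq ($(PAXCTL_notdumped),)' and 'endif' lines in this hunk are indented, while the same guard in the other two recipe hunks starts in column 0. GNU make accepts leading spaces before a conditional directive but not a tab, and a tab-led line inside a recipe is handed to the shell, so check that these are spaces and use one style in all three places. Indentation of the conditionals in this file was already queried earlier in the thread.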
@@ -748,8 +755,10 @@ ifeq ($(CANNOT_DUMP),yes)
ln -f temacs$(EXEEXT) $@
else
$(RUN_TEMACS) --batch $(BUILD_DETAILS) --load loadup bootstrap
- $(PAXCTL_if_present) -zex emacs$(EXEEXT)
+ifneq ($(PAXCTL_dumped),)
+ $(PAXCTL_dumped) emacs$(EXEEXT)
+endif
mv -f emacs$(EXEEXT) $@
endif
@: Compile some files earlier to speed up further compilation.
$(MAKE) -C ../lisp compile-first EMACS="$(bootstrap_exe)"
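Review bot: The new-file start line in this header (755), like the 612 in the previous hunk, is three higher than the earlier hunks account for: they add 1, 2 and 1 lines, so the '-606' hunk should start at 609 and this one at 752. patch will usually cope with the offset, but it indicates the diff was edited after it was generated; regenerate it from the tree that actually built so the posted patch and the tested one are the same.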