From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Klausner
Newsgroups: gmane.emacs.bugs
Subject: bug#23371: emacs: paxctl usage on NetBSD
Date: Thu, 28 Apr 2016 00:50:37 +0200
Message-ID: <20160427225037.GQ7662@danbala.tuwien.ac.at>
References: <2c48d1df-764e-09a0-5945-05148523b768@cs.ucla.edu> <20160427155442.GN7662@danbala.tuwien.ac.at> <3f6aba54-4f40-817c-24f9-942b033d2289@cs.ucla.edu>
In-Reply-To: <3f6aba54-4f40-817c-24f9-942b033d2289@cs.ucla.edu>
Cc: 23371@debbugs.gnu.org
To: Paul Eggert
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="sClP8c1IaQxyux9v"

--sClP8c1IaQxyux9v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Apr 27, 2016 at 12:38:53PM -0700, Paul Eggert wrote:
> On 04/27/2016 08:54 AM, Thomas Klausner wrote:
> >>configure.ac says
> >>that paxctl is used only when the operating system is GNU/Linux, unless one
> >>manually configures by setting PAXCTL in the environment or using a
> >>PAXCTL=/some/path argument to 'configure'.
> >That's true, but src/Makefile.in ignores that:
> >PAXCTL_if_present = $(or $(PAXCTL),: paxctl)
>
> I guess I'm still not following. On non-GNU/Linux hosts, $(PAXCTL) should be
> empty because paxctl is not searched for, so PAXCTL_if_present should be ':
> paxctl', i.e., a no-op shell command. And yet you reported that your build
> used 'paxctl -zex' and 'paxctl -r'. Perhaps your build was actually using
> the no-ops ': paxctl -zex' and ': paxctl -r' and you didn't notice the
> colons? That is, perhaps you replaced ': paxctl -zex' (with a prefix colon)
> with 'paxctl +a' (without the colon)?

You're right, I didn't do exactly what I described. The build system
as-is does not use paxctl on NetBSD, so this breaks when ASLR is
enabled. I run the following sed expressions on src/Makefile.in:

's,$$(PAXCTL_if_present) -zex,/usr/sbin/paxctl +a,g'
's,$$(PAXCTL_if_present) -r,/usr/sbin/paxctl +a,g'

> >My version is attached (I added some more paxctl's for the symlinks
> >when the original version didn't work.) I hope I didn't break it.
>
> Did it work with your version?

No, I just posted it so you can see what I did.

> If so, does 'ln' and/or 'mv' remove the mark placed on an executable by
> 'paxctl +a'? and if that happens, how does 'make install' avoid removing the
> mark in the installed Emacs?
>
> If not, then I'm afraid I'm lost.

All of cp, mv, and ln keep the paxctl settings:

# paxctl a
PaX flags:
  a: ASLR, explicit disable
# cp a b
# paxctl b
PaX flags:
  a: ASLR, explicit disable
# ln b c
# paxctl c
PaX flags:
  a: ASLR, explicit disable
# mv c d
# paxctl d
PaX flags:
  a: ASLR, explicit disable

I wasn't sure of that, so I added the extra ones, since it wasn't
working. It's not necessary, so I removed it again.

> Also, I noticed that you removed the indenting on some of the 'ifeq' lines
> in src/Makefile.in; why was that necessary?

Because the patch didn't apply cleanly, I had to manually apply it,
and I didn't indent it correctly, sorry.

So perhaps there is a different problem and paxctl is not properly
detected or applied even with your patch. Let's look more closely:

PAXCTL_dumped value:

work/emacs/config.log:PAXCTL_dumped='$(PAXCTL) +a'
work/emacs/lib/Makefile:PAXCTL_dumped = $(PAXCTL) +a
work/emacs/src/Makefile:PAXCTL_dumped = $(PAXCTL) +a

PAXCTL itself:

work/emacs/config.log:PAXCTL='/usr/sbin/paxctl'
work/emacs/lib/Makefile:PAXCTL = /usr/sbin/paxctl
work/emacs/src/Makefile:PAXCTL = /usr/sbin/paxctl

But PAXCTL_notdumped is empty.

work/emacs/config.status:S["PAXCTL_notdumped"]=""
work/emacs/lib/Makefile:PAXCTL_notdumped =
work/emacs/src/Makefile:PAXCTL_notdumped =

On Linux this uses paxctl -r, which, according to
http://man.he.net/man1/paxctl is:

-r do not randomize memory regions (NORANDMMAP)

While on NetBSD, +a does:

a Explicitly disable PaX ASLR (Address Space Layout Randomization) for program.

So perhaps notdumped also needs to call paxctl +a, like my sed
expressions do.

(later)

Yes, that's it. I've defined PAXCTL_notdumped to the same value as
PAXCTL_dumped and emacs builds fine now -- basically, one additional
line to configure.ac in the netbsd case.

I'll attach my patches again, just to make it absolutely clear.

Thanks,
 Thomas

--sClP8c1IaQxyux9v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="patch-configure.ac"

$NetBSD$

Problem reported by Thomas Klausner (Bug#23371).
* configure.ac (PAXCTL_dumped, PAXCTL_notdumped): New vars.
Set them to setfattr and/or paxctl commands appropriate for
GNU/Linux and/or NetBSD; the latter prefers paxctl +a.
Search for paxctl only if setfattr is not found.
* src/Makefile.in (PAXCTL_dumped, PAXCTL_notdumped): New vars,
replacing PAXCTL_if_present and SETFATTR_if_present. All uses changed.

--- configure.ac.orig 2016-04-22 16:23:52.000000000 +0000 +++ configure.ac @@ -1159,16 +1159,9 @@ AC_PATH_PROG(GZIP_PROG, gzip) test $with_compress_install != yes && test -n "$GZIP_PROG" && \ GZIP_PROG=" # $GZIP_PROG # (disabled by configure --without-compress-install)" +PAXCTL_dumped= +PAXCTL_notdumped= if test $opsys = gnu-linux; then - AC_PATH_PROG(PAXCTL, paxctl,, - [$PATH$PATH_SEPARATOR/sbin$PATH_SEPARATOR/usr/sbin]) - if test "X$PAXCTL" != X; then - AC_MSG_CHECKING([whether binaries have a PT_PAX_FLAGS header]) - AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], - [if $PAXCTL -v conftest$EXEEXT >/dev/null 2>&1; then AC_MSG_RESULT(yes) - else AC_MSG_RESULT(no); PAXCTL=""; fi]) - fi - if test "${SETFATTR+set}" != set; then AC_CACHE_CHECK([for setfattr], [emacs_cv_prog_setfattr], @@ -1179,6 +1172,7 @@ if test $opsys = gnu-linux; then emacs_cv_prog_setfattr=no fi]) if test "$emacs_cv_prog_setfattr" = yes; then + PAXCTL_notdumped='$(SETFATTR) -n user.pax.flags -v er' SETFATTR=setfattr else SETFATTR= 
@@ -1187,6 +1181,32 @@ if test $opsys = gnu-linux; then AC_SUBST([SETFATTR]) fi fi +case $opsys,$PAXCTL_notdumped in + gnu-linux, | netbsd,) + AC_PATH_PROG([PAXCTL], [paxctl], [], + [$PATH$PATH_SEPARATOR/sbin$PATH_SEPARATOR/usr/sbin]) + if test -n "$PAXCTL"; then + if test "$opsys" = netbsd; then + PAXCTL_dumped='$(PAXCTL) +a' + PAXCTL_notdumped='$(PAXCTL) +a' + else + AC_MSG_CHECKING([whether binaries have a PT_PAX_FLAGS header]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], + [if $PAXCTL -v conftest$EXEEXT >/dev/null 2>&1; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + PAXCTL= + fi]) + if test -n "$PAXCTL"; then + PAXCTL_dumped='$(PAXCTL) -zex' + PAXCTL_notdumped='$(PAXCTL) -r' + fi + fi + fi;; +esac +AC_SUBST([PAXCTL_dumped]) +AC_SUBST([PAXCTL_notdumped]) ## Need makeinfo >= 4.7 (?) to build the manuals. if test "$MAKEINFO" != "no"; then --sClP8c1IaQxyux9v Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="patch-src_Makefile.in" $NetBSD$ Problem reported by Thomas Klausner (Bug#23371). * configure.ac (PAXCTL_dumped, PAXCTL_notdumped): New vars. Set them to setfattr and/or paxctl commands appropriate for GNU/Linux and/or NetBSD; the latter prefers paxctl +a. Search for paxctl only if setfattr is not found. * src/Makefile.in (PAXCTL_dumped, PAXCTL_notdumped): New vars, replacing PAXCTL_if_present and SETFATTR_if_present. All uses changed. --- src/Makefile.in.orig 2016-04-17 20:51:40.000000000 +0000 +++ src/Makefile.in @@ -114,8 +114,9 @@ TEMACS_LDFLAGS = $(LD_SWITCH_SYSTEM) $(L ## around this, newer ones setfattr. See Bug#11398 and Bug#16343. PAXCTL = @PAXCTL@ SETFATTR = @SETFATTR@ -PAXCTL_if_present = $(or $(PAXCTL),: paxctl) -SETFATTR_if_present = $(or $(SETFATTR),: setfattr) +## Commands to set PaX flags on dumped and not-dumped instances of Emacs. +PAXCTL_dumped = @PAXCTL_dumped@ +PAXCTL_notdumped = @PAXCTL_notdumped@ ## Some systems define this to request special libraries. LIBS_SYSTEM=@LIBS_SYSTEM@ 
@@ -542,8 +543,10 @@ ifeq ($(CANNOT_DUMP),yes) ln -f temacs$(EXEEXT) $@ else LC_ALL=C $(RUN_TEMACS) -batch $(BUILD_DETAILS) -l loadup dump - $(PAXCTL_if_present) -zex $@ +ifneq ($(PAXCTL_dumped),) + $(PAXCTL_dumped) $@ +endif ln -f $@ bootstrap-emacs$(EXEEXT) endif ## We run make-docfile twice because the command line may get too long @@ -606,8 +612,9 @@ temacs$(EXEEXT): $(LIBXMENU) $(ALLOBJS) -o temacs $(ALLOBJS) $(LIBEGNU_ARCHIVE) $(W32_RES_LINK) $(LIBES) $(MKDIR_P) $(etc) ifneq ($(CANNOT_DUMP),yes) - $(PAXCTL_if_present) -r $@ - $(SETFATTR_if_present) -n user.pax.flags -v er $@ + ifneq ($(PAXCTL_notdumped),) + $(PAXCTL_notdumped) $@ + endif endif ## The following oldxmenu-related rules are only (possibly) used if @@ -748,8 +755,10 @@ ifeq ($(CANNOT_DUMP),yes) ln -f temacs$(EXEEXT) $@ else $(RUN_TEMACS) --batch $(BUILD_DETAILS) --load loadup bootstrap - $(PAXCTL_if_present) -zex emacs$(EXEEXT) +ifneq ($(PAXCTL_dumped),) + $(PAXCTL_dumped) emacs$(EXEEXT) +endif mv -f emacs$(EXEEXT) $@ endif @: Compile some files earlier to speed up further compilation. $(MAKE) -C ../lisp compile-first EMACS="$(bootstrap_exe)" --sClP8c1IaQxyux9v--
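
Review bot: In configure.ac at @@ -1159,16 +1159,9, PAXCTL_dumped and PAXCTL_notdumped start empty and the later case statement only fills them for gnu-linux and netbsd, so a PAXCTL=/some/path passed to configure on any other host no longer reaches a recipe. The removed PAXCTL_if_present = $(or $(PAXCTL),: paxctl) used whatever PAXCTL was set to, regardless of opsys. Either derive the two variables from a preset PAXCTL before falling back to the search, or say in the commit message that the manual override is now limited to these two systems.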
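
Review bot: In configure.ac at @@ -1179,6 +1172,7, PAXCTL_notdumped is assigned only in the emacs_cv_prog_setfattr = yes branch, which from the surrounding context appears to sit inside the if test "${SETFATTR+set}" != set block, so a SETFATTR supplied by the user skips the assignment and configure falls through to the paxctl search instead. Move the assignment after that block and key it on a non-empty $SETFATTR. Only the not-dumped command gets a setfattr form here; when setfattr is found PAXCTL_dumped stays empty, where the old recipe still ran $(PAXCTL_if_present) -zex, and the commit message should state that this is intended.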
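
Review bot: In configure.ac at @@ -1187,6 +1181,32, the netbsd branch sets both variables to $(PAXCTL) +a as soon as a paxctl binary is found, with no probe comparable to the $PAXCTL -v conftest$EXEEXT test in the else branch. The recipes in src/Makefile.in run the command without ignoring its exit status, so a paxctl that cannot apply +a to the binary stops the build; consider running $PAXCTL +a on the linked conftest and clearing PAXCTL when it fails. A comment saying that +a disables ASLR for both temacs and the dumped emacs, and why the not-dumped binary needs it too, would keep a later cleanup from dropping the second assignment.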
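
Review bot: In src/Makefile.in at @@ -542,8 +543,10 (and again at @@ -748,8 +755,10), the added ifneq ($(PAXCTL_dumped),) and endif start in column 0 inside the existing ifeq ($(CANNOT_DUMP),yes) conditional, while the @@ -606,8 +612,9 hunk indents its nested ifneq. Indent the nested conditionals the same way in all three places, using spaces, since a line that begins with a tab in that position is passed to the shell as part of the recipe.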
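
Review bot: The header of the src/Makefile.in hunk @@ -606,8 +612,9 does not follow from the hunks before it: the first two hunks add three lines in total, which puts old line 606 at new line 609, not 612, and the last hunk (748 to 755) carries the same extra offset of three. The diff therefore looks hand-edited after it was generated, which fits the removal of the extra paxctl calls described in the message. Please regenerate it from the tree that was actually built, so that the posted patch and the tested Makefile.in are the same.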