commit:     3e4294ea80a70435fa09c3579da81c428fa15efc
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 20 19:16:17 2020 +0000
Commit:     William Hubbs <williamh <AT> gentoo <DOT> org>
CommitDate: Fri Nov 20 20:23:32 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e4294ea

net-libs/nodejs: restore PaX support

Reverts: 19add7ba6500e6c60c8699b6bdda397744dfa73b
Bug: https://bugs.gentoo.org/735832
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Sam James <sam <AT> gentoo.org>
Signed-off-by: William Hubbs <williamh <AT> gentoo.org>

 .../nodejs/files/nodejs-13.2.0-paxmarking.patch    |  71 +++++++++++++
 .../nodejs/files/nodejs-13.8.0-paxmarking.patch    | 111 +++++++++++++++++++++
 net-libs/nodejs/metadata.xml                       |   3 +-
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild           |   5 +-
 net-libs/nodejs/nodejs-12.19.1.ebuild              |   5 +-
 net-libs/nodejs/nodejs-14.2.0.ebuild               |  10 +-
 net-libs/nodejs/nodejs-99999999.ebuild             |  10 +-
 7 files changed, 208 insertions(+), 7 deletions(-)

diff --git a/net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch 
b/net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch
new file mode 100644
index 00000000000..1061255e163
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-13.2.0-paxmarking.patch
@@ -0,0 +1,71 @@
+    Bug: 694100
+    Add actions for pax marking mkcodecache and node_mksnapshot
+    to disable mprotect for pax enable kernel.
+    Reported-by: Attila Tóth <[email protected]>
+    Co-developed-by: Attila Tóth <[email protected]>
+    Signed-off-by: Magnus Granberg <[email protected]>
+
+--- a/node.gyp 2019-10-23 11:52:41.000000000 +0200
++++ a/node.gyp 2019-11-12 20:58:43.957881862 +0100
+@@ -233,7 +233,9 @@
+       'deps/acorn-plugins/acorn-static-class-features/index.js',
+     ],
+     'node_mksnapshot_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot<(EXECUTABLE_SUFFIX)',
++    'node_mksnapshot_u_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot_u<(EXECUTABLE_SUFFIX)',
+     'mkcodecache_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache<(EXECUTABLE_SUFFIX)',
++    'mkcodecache_u_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache_u<(EXECUTABLE_SUFFIX)',
+     'conditions': [
+       [ 'node_shared=="true"', {
+         'node_target_type%': 'shared_library',
+@@ -436,10 +438,24 @@
+           ],
+           'actions': [
+             {
++              'action_name': 'run_pax_mkcodecache',
++              'inputs': [
++                '<(mkcodecache_exec)',
++              ],
++              'outputs': [
++                '<(mkcodecache_u_exec)',
++              ],
++              'action': [
++                'bash',
++                '-c',
++                'mv <(mkcodecache_exec) <(mkcodecache_u_exec) && paxmark.sh m 
<(mkcodecache_u_exec)',
++              ],
++            },
++            {
+               'action_name': 'run_mkcodecache',
+               'process_outputs_as_sources': 1,
+               'inputs': [
+-                '<(mkcodecache_exec)',
++                '<(mkcodecache_u_exec)',
+               ],
+               'outputs': [
+                 '<(SHARED_INTERMEDIATE_DIR)/node_code_cache.cc',
+@@ -461,10 +477,24 @@
+           ],
+           'actions': [
+             {
++              'action_name': 'run_pax_mksnapshot',
++              'inputs': [
++                '<(node_mksnapshot_exec)',
++              ],
++              'outputs': [
++                '<(node_mksnapshot_u_exec)',
++              ],
++              'action': [
++                'bash',
++                '-c',
++                'mv <(node_mksnapshot_exec) <(node_mksnapshot_u_exec) && 
paxmark.sh m <(node_mksnapshot_u_exec)',
++              ],
++            },
++            {
+               'action_name': 'node_mksnapshot',
+               'process_outputs_as_sources': 1,
+               'inputs': [
+-                '<(node_mksnapshot_exec)',
++                '<(node_mksnapshot_u_exec)',
+               ],
+               'outputs': [
+                 '<(SHARED_INTERMEDIATE_DIR)/node_snapshot.cc',
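Review bot: The added `run_pax_mkcodecache` and `run_pax_mksnapshot` actions rename their own declared input with `mv`, so once an action has run, the file gyp lists under `inputs` no longer exists, which will probably make every incremental `emake` relink and re-mark the helper. Copying keeps both paths valid, and the paths should be quoted because they expand inside `bash -c`: `'cp "<(mkcodecache_exec)" "<(mkcodecache_u_exec)" && paxmark.sh m "<(mkcodecache_u_exec)"',`. The same pattern appears in the 13.8.0 patch, including its `tools/v8_gypfiles/v8.gyp` action for `mksnapshot`. Separately, the file header here reads `+++ a/node.gyp` where the 13.8.0 patch has `+++ b/node.gyp`.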

diff --git a/net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch 
b/net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch
new file mode 100644
index 00000000000..8dbf5f43d48
--- /dev/null
+++ b/net-libs/nodejs/files/nodejs-13.8.0-paxmarking.patch
@@ -0,0 +1,111 @@
+    Bug: 694100
+    Add actions for pax marking mkcodecache, node_mksnapshot and mksnapshot
+    to disable mprotect for pax enable kernel.
+    Reported-by: Attila Tóth <[email protected]>
+    Co-developed-by: Attila Tóth <[email protected]>
+    Signed-off-by: Magnus Granberg <[email protected]>
+
+--- a/node.gyp 2019-10-23 11:52:41.000000000 +0200
++++ b/node.gyp 2019-11-12 20:58:43.957881862 +0100
+@@ -233,7 +233,9 @@
+       'deps/acorn-plugins/acorn-static-class-features/index.js',
+     ],
+     'node_mksnapshot_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot<(EXECUTABLE_SUFFIX)',
++    'node_mksnapshot_u_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)node_mksnapshot_u<(EXECUTABLE_SUFFIX)',
+     'mkcodecache_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache<(EXECUTABLE_SUFFIX)',
++    'mkcodecache_u_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mkcodecache_u<(EXECUTABLE_SUFFIX)',
+     'conditions': [
+       [ 'node_shared=="true"', {
+         'node_target_type%': 'shared_library',
+@@ -436,10 +438,24 @@
+           ],
+           'actions': [
+             {
++              'action_name': 'run_pax_mkcodecache',
++              'inputs': [
++                '<(mkcodecache_exec)',
++              ],
++              'outputs': [
++                '<(mkcodecache_u_exec)',
++              ],
++              'action': [
++                'bash',
++                '-c',
++                'mv <(mkcodecache_exec) <(mkcodecache_u_exec) && paxmark.sh m 
<(mkcodecache_u_exec)',
++              ],
++            },
++            {
+               'action_name': 'run_mkcodecache',
+               'process_outputs_as_sources': 1,
+               'inputs': [
+-                '<(mkcodecache_exec)',
++                '<(mkcodecache_u_exec)',
+               ],
+               'outputs': [
+                 '<(SHARED_INTERMEDIATE_DIR)/node_code_cache.cc',
+@@ -461,10 +477,24 @@
+           ],
+           'actions': [
+             {
++              'action_name': 'run_pax_mksnapshot',
++              'inputs': [
++                '<(node_mksnapshot_exec)',
++              ],
++              'outputs': [
++                '<(node_mksnapshot_u_exec)',
++              ],
++              'action': [
++                'bash',
++                '-c',
++                'mv <(node_mksnapshot_exec) <(node_mksnapshot_u_exec) && 
paxmark.sh m <(node_mksnapshot_u_exec)',
++              ],
++            },
++            {
+               'action_name': 'node_mksnapshot',
+               'process_outputs_as_sources': 1,
+               'inputs': [
+-                '<(node_mksnapshot_exec)',
++                '<(node_mksnapshot_u_exec)',
+               ],
+               'outputs': [
+                 '<(SHARED_INTERMEDIATE_DIR)/node_snapshot.cc',
+--- a/tools/v8_gypfiles/v8.gyp 2019-12-03 16:10:36.000000000 +0100
++++ b/tools/v8_gypfiles/v8.gyp 2019-12-17 18:37:33.695839254 +0100
+@@ -9,6 +9,7 @@
+     'v8_vector_stores%': 0,
+     'v8_embed_script%': "",
+     'mksnapshot_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot<(EXECUTABLE_SUFFIX)',
++    'mksnapshot_u_exec': 
'<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)mksnapshot_u<(EXECUTABLE_SUFFIX)',
+     'v8_os_page_size%': 0,
+     'generate_bytecode_output_root': 
'<(SHARED_INTERMEDIATE_DIR)/generate-bytecode-output-root',
+     'generate_bytecode_builtins_list_output': 
'<(generate_bytecode_output_root)/builtins-generated/bytecodes-builtins-list.h',
+@@ -427,6 +425,20 @@
+       },
+       'actions': [
+         {
++          'action_name': 'run_pax_mksnapshot',
++          'inputs': [
++            '<(mksnapshot_exec)',
++          ],
++          'outputs': [
++            '<(mksnapshot_u_exec)',
++          ],
++          'action': [
++            'bash',
++            '-c',
++            'mv <(mksnapshot_exec) <(mksnapshot_u_exec) && paxmark.sh m 
<(mksnapshot_u_exec)',
++          ],
++        },
++        {
+           'action_name': 'run_mksnapshot',
+           'message': 'generating: >@(_outputs)',
+           'variables': {
+@@ -442,7 +454,7 @@
+             ],
+           },
+           'inputs': [
+-            '<(mksnapshot_exec)',
++            '<(mksnapshot_u_exec)',
+           ],
+           'outputs': ["<(INTERMEDIATE_DIR)/snapshot.cc"],
+           'process_outputs_as_sources': 1,
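Review bot: The hunk headers of the embedded `tools/v8_gypfiles/v8.gyp` section do not add up. After `@@ -9,6 +9,7 @@` adds one line, the next hunk should start at new line 428, but it reads `@@ -427,6 +425,20 @@`, and `@@ -442,7 +454,7 @@` is off by the same amount. patch will most likely still place the hunks by context, but the headers look hand-edited; regenerating the patch from a patched tree would keep them consistent.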

diff --git a/net-libs/nodejs/metadata.xml b/net-libs/nodejs/metadata.xml
index 1f2cfaf97be..f7299ab330d 100644
--- a/net-libs/nodejs/metadata.xml
+++ b/net-libs/nodejs/metadata.xml
@@ -3,7 +3,7 @@
 <pkgmetadata>
        <maintainer type="person">
                <email>[email protected]</email>
-                       <name>William Hubbs</name>
+               <name>William Hubbs</name>
        </maintainer>
        <maintainer type="person">
                <email>[email protected]</email>
@@ -13,6 +13,7 @@
        <use>
                <flag name="inspector">Enable V8 inspector</flag>
                <flag name="npm">Enable NPM package manager</flag>
+               <flag name="pax_kernel">Enable building under a PaX enabled 
kernel</flag>
                <flag name="snapshot">Enable snapshot creation for faster 
startup</flag>
                <flag name="system-icu">Use system <pkg>dev-libs/icu</pkg> 
instead of the bundled version</flag>
                <flag name="system-ssl">Use system OpenSSL instead of the 
bundled one</flag>

diff --git a/net-libs/nodejs/nodejs-12.18.4-r1.ebuild 
b/net-libs/nodejs/nodejs-12.18.4-r1.ebuild
index bbdc7bd8dd9..c606807087a 100644
--- a/net-libs/nodejs/nodejs-12.18.4-r1.ebuild
+++ b/net-libs/nodejs/nodejs-12.18.4-r1.ebuild
@@ -4,7 +4,7 @@
 EAPI=7
 PYTHON_COMPAT=( python3_{6,7} )
 PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic pax-utils python-any-r1 
toolchain-funcs xdg-utils
 
 DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
 HOMEPAGE="https://nodejs.org/";
@@ -139,6 +139,7 @@ src_configure() {
 
 src_compile() {
        emake -C out mksnapshot
+       pax-mark m "out/${BUILDTYPE}/mksnapshot"
        emake -C out
 }
 
@@ -146,6 +147,8 @@ src_install() {
        local LIBDIR="${ED}/usr/$(get_libdir)"
        default
 
+       pax-mark -m "${ED}"/usr/bin/node
+
        # set up a symlink structure that node-gyp expects..
        dodir /usr/include/node/deps/{v8,uv}
        dosym . /usr/include/node/src
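Review bot: `pax-mark -m "${ED}"/usr/bin/node` is added without a comment and outside any `use pax_kernel` test, so MPROTECT is relaxed on the installed binary whenever pax-utils marking is active, and a reader cannot tell that this is deliberate. A one-line comment would record the reason, for example `# node generates code at runtime (V8 JIT), which PaX MPROTECT forbids; mark the installed binary.`; that is presumably the reason, going by the bundled patch description. The flag is also spelled `m` in src_compile and `-m` here, so pick one form. The same uncommented line is added in nodejs-12.19.1, nodejs-14.2.0 and nodejs-99999999. src_install continues past the end of this hunk.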

diff --git a/net-libs/nodejs/nodejs-12.19.1.ebuild 
b/net-libs/nodejs/nodejs-12.19.1.ebuild
index 613432efea3..bb763d423aa 100644
--- a/net-libs/nodejs/nodejs-12.19.1.ebuild
+++ b/net-libs/nodejs/nodejs-12.19.1.ebuild
@@ -6,7 +6,7 @@ EAPI=7
 PYTHON_COMPAT=( python3_{6..8} )
 PYTHON_REQ_USE="threads(+)"
 
-inherit bash-completion-r1 flag-o-matic python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic pax-utils python-any-r1 
toolchain-funcs xdg-utils
 
 DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
 HOMEPAGE="https://nodejs.org/";
@@ -141,6 +141,7 @@ src_configure() {
 
 src_compile() {
        emake -C out mksnapshot
+       pax-mark m "out/${BUILDTYPE}/mksnapshot"
        emake -C out
 }
 
@@ -148,6 +149,8 @@ src_install() {
        local LIBDIR="${ED}/usr/$(get_libdir)"
        default
 
+       pax-mark -m "${ED}"/usr/bin/node
+
        # set up a symlink structure that node-gyp expects..
        dodir /usr/include/node/deps/{v8,uv}
        dosym . /usr/include/node/src

diff --git a/net-libs/nodejs/nodejs-14.2.0.ebuild 
b/net-libs/nodejs/nodejs-14.2.0.ebuild
index 4b3509f8db3..47e27f90889 100644
--- a/net-libs/nodejs/nodejs-14.2.0.ebuild
+++ b/net-libs/nodejs/nodejs-14.2.0.ebuild
@@ -4,7 +4,7 @@
 EAPI=7
 PYTHON_COMPAT=( python3_{6,7,8} )
 PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic python-any-r1 toolchain-funcs xdg-utils
+inherit bash-completion-r1 flag-o-matic pax-utils python-any-r1 
toolchain-funcs xdg-utils
 
 DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
 HOMEPAGE="https://nodejs.org/";
@@ -15,7 +15,7 @@ SRC_URI="
 LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
 SLOT="0"
 KEYWORDS="ppc"
-IUSE="cpu_flags_x86_sse2 debug doc icu inspector +npm +snapshot +ssl 
+system-ssl systemtap test"
+IUSE="cpu_flags_x86_sse2 debug doc icu inspector +npm pax_kernel +snapshot 
+ssl +system-ssl systemtap test"
 REQUIRED_USE="
        inspector? ( icu ssl )
        npm? ( ssl )
@@ -35,6 +35,7 @@ BDEPEND="
        sys-apps/coreutils
        systemtap? ( dev-util/systemtap )
        test? ( net-misc/curl )
+       pax_kernel? ( sys-apps/elfix )
 "
 DEPEND="
        ${RDEPEND}
@@ -88,6 +89,9 @@ src_prepare() {
                BUILDTYPE=Debug
        fi
 
+       # We need to disable mprotect on two files when it builds Bug 694100.
+       use pax_kernel && PATCHES+=( 
"${FILESDIR}"/${PN}-13.8.0-paxmarking.patch )
+
        default
 }
 
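Review bot: The added comment says mprotect is disabled on two files, but the patch selected on the next line, `${PN}-13.8.0-paxmarking.patch`, marks three helpers according to its own header (mkcodecache, node_mksnapshot and mksnapshot). Suggested wording: `# Build-time helpers must run without PaX MPROTECT, bug #694100.` src_prepare starts above this hunk.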
@@ -137,6 +141,8 @@ src_install() {
        local LIBDIR="${ED}/usr/$(get_libdir)"
        default
 
+       pax-mark -m "${ED}"/usr/bin/node
+
        # set up a symlink structure that node-gyp expects..
        dodir /usr/include/node/deps/{v8,uv}
        dosym . /usr/include/node/src

diff --git a/net-libs/nodejs/nodejs-99999999.ebuild 
b/net-libs/nodejs/nodejs-99999999.ebuild
index 65d30862d4c..e7a2c7c7eb9 100644
--- a/net-libs/nodejs/nodejs-99999999.ebuild
+++ b/net-libs/nodejs/nodejs-99999999.ebuild
@@ -4,7 +4,7 @@
 EAPI=7
 PYTHON_COMPAT=( python3_{6,7,8} )
 PYTHON_REQ_USE="threads(+)"
-inherit bash-completion-r1 flag-o-matic git-r3 python-any-r1 toolchain-funcs 
xdg-utils
+inherit bash-completion-r1 flag-o-matic git-r3 pax-utils python-any-r1 
toolchain-funcs xdg-utils
 
 DESCRIPTION="A JavaScript runtime built on Chrome's V8 JavaScript engine"
 HOMEPAGE="https://nodejs.org/";
@@ -13,7 +13,7 @@ EGIT_REPO_URI="https://github.com/nodejs/node";
 LICENSE="Apache-1.1 Apache-2.0 BSD BSD-2 MIT"
 SLOT="0"
 KEYWORDS=""
-IUSE="cpu_flags_x86_sse2 debug doc +icu inspector +npm +snapshot +ssl 
+system-ssl systemtap test"
+IUSE="cpu_flags_x86_sse2 debug doc +icu inspector +npm pax_kernel +snapshot 
+ssl +system-ssl systemtap test"
 RESTRICT="!test? ( test )"
 REQUIRED_USE="
        inspector? ( icu ssl )
@@ -35,6 +35,7 @@ BDEPEND="
        sys-apps/coreutils
        systemtap? ( dev-util/systemtap )
        test? ( net-misc/curl )
+       pax_kernel? ( sys-apps/elfix )
 "
 DEPEND="
        ${RDEPEND}
@@ -83,6 +84,9 @@ src_prepare() {
                BUILDTYPE=Debug
        fi
 
+       # We need to disable mprotect on two files when it builds Bug 694100.
+       use pax_kernel && PATCHES+=( 
"${FILESDIR}"/${PN}-13.2.0-paxmarking.patch )
+
        default
 }
 
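Review bot: The live ebuild applies the older `${PN}-13.2.0-paxmarking.patch`, which has no `tools/v8_gypfiles/v8.gyp` section, so V8's `mksnapshot` is not marked here although nodejs-14.2.0 gets that marking through the 13.8.0 patch. Unless src_compile (outside this hunk) marks `mksnapshot` itself, as the 12.x ebuilds do with `pax-mark m "out/${BUILDTYPE}/mksnapshot"`, a build of current sources under PaX MPROTECT would likely fail at snapshot generation. If the difference is not intended, use `"${FILESDIR}"/${PN}-13.8.0-paxmarking.patch` here as well. src_prepare starts above this hunk.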
@@ -136,6 +140,8 @@ src_install() {
        local LIBDIR="${ED}/usr/$(get_libdir)"
        default
 
+       pax-mark -m "${ED}"/usr/bin/node
+
        # set up a symlink structure that node-gyp expects..
        dodir /usr/include/node/deps/{v8,uv}
        dosym . /usr/include/node/src
