On 06/07/14 17:48, "Tóth Attila" wrote:
On 2014 June 7 (Sat) 23:22, Alex Efros wrote:
Some time ago I noticed this in kernel logs:
kern.alert: grsec: denied RWX mmap of <anonymous mapping> by
/usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
Looks like it doesn't break layman, but I still wonder why it happens and
whether it is possible to fix this (without paxmarking python, of course)?
I don't see this in my logs. The python executable has the "E" flag on my
systems.
Dw.
Okay, I need to document this loudly. Not sure how to do that except
to just keep repeating it until it becomes public knowledge:
When running with a pax kernel, you must enable EMUTRAMP in your Kconfig
and you must paxmark your python exe's with E. Note: EMUTRAMP is on by
default and the ebuild automatically does the markings for you, so leave
the defaults alone.
If you don't, python apps will hit rwx mmap denials by the pax kernel.
Things like libffi try to work around this by spitting out little
snippets of code to the filesystem when the mmap fails; but, if you have
strict TPE on, even this workaround fails and you get a pretty dead
system (all python apps badly crippled). There are various ways around
this but we've settled on the EMUTRAMP solution. See
https://bugs.gentoo.org/show_bug.cgi?id=484472
So my apologies, everyone; we should do a better job of getting this
information out. mea culpa.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
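As an added illustration of the check Anthony describes above, the following script pulls the binaries named in grsec "denied RWX mmap" events out of a kernel log and shows how to view and set their EMUTRAMP ("E") flag. This is example code written for this page, not code from the thread, from Gentoo or from elfix; it assumes the log line format quoted above and that paxctl-ng (sys-apps/elfix) is installed on the host being audited. The log lines in the script are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): scan a kernel log for grsec
# "denied RWX mmap" events, list the offending binaries, and show how to
# check and set the PaX EMUTRAMP ("E") flag on them with paxctl-ng.
# Assumptions: log lines look like the one quoted in the thread, and
# paxctl-ng from sys-apps/elfix is available where the audit runs.

# Constructed sample log, modelled on the line quoted in the thread.
SAMPLE_LOG='Jun  7 17:48:01 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
Jun  7 17:48:05 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python2.7:9801] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9700] uid/euid:1000/1000 gid/egid:1000/1000
Jun  7 17:48:09 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python2.7/layman[layman:9850] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
Jun  7 17:49:00 host kernel: some unrelated message'

# Print the unique binaries that triggered an RWX mmap denial, one per line.
# Reads log text on stdin; the path is the text between " by " and the
# "[comm:pid]" bracket that grsec appends to it.
rwx_denied_binaries() {
    sed -n 's/.*grsec: denied RWX mmap of .* by \([^[]*\)\[.*/\1/p' | sort -u
}

# Show the PaX flags of each binary read from stdin.  The "E" flag is the
# EMUTRAMP marking the thread says Python needs.  Note that PaX flags live
# on the ELF object that is executed, so for a script the flag belongs on
# its interpreter; paxctl-ng reports an error for a non-ELF file.
show_pax_flags() {
    if ! command -v paxctl-ng >/dev/null 2>&1; then
        echo "paxctl-ng not found (emerge sys-apps/elfix)" >&2
        return 2
    fi
    while read -r bin; do
        [ -e "$bin" ] && paxctl-ng -v "$bin"
    done
}

# Enable EMUTRAMP on one ELF binary (what the python ebuild does for you).
enable_emutramp() {
    paxctl-ng -E "$1"
}

# Usage on a live system:
#   dmesg | rwx_denied_binaries | show_pax_flags
#   enable_emutramp /usr/bin/python2.7
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | rwx_denied_binaries
```

Run on the sample, the parser lists /usr/bin/python2.7 and /usr/lib64/python-exec/python2.7/layman once each and ignores the unrelated line; on a real host, pipe dmesg or /var/log/kern.log into it instead.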