tech-pkg archive


Re: PaX mprotect vs. g-ir-scanner (gjs)



On Mon, Apr 06, 2020 at 08:13:43PM -0400, Greg Troxel wrote:
> Thomas Klausner <wiz%NetBSD.org@localhost> writes:
> 
> > I've tried updating lang/gjs to the latest version, which uses
> > mozjs68, the JavaScript engine from firefox68. I have added the
> > update to wip/gjs.
> >
> > This engine is not PaX mprotect safe.
> >
> > I can work around this for a test in the configure step, but in the
> > build step, g-ir-scanner is run to generate the *.typelib files for
> > introspection, and that tries to load the library (AFAIU), and then
> > fails.
> >
> > g-ir-scanner is a Python program.
> >
> > The only workaround I can think of is marking python itself with
> > 'paxctl +m'. Or, of course, fixing the JavaScript engine.
> 
> I wonder if it is possible to have some way to make a single instance of
> a binary marked not for mprotect.   One kludge would be to copy the
> python interpreter into the buildlink tree, paxctl it, and then run it,
> instead of the one in ${PREFIX}/bin.

I kludged this together in wip/gjs.

However, it's not enough. My best guess is that g-ir-scanner runs
something which would need to be marked with 'paxctl +m' as well.

Does anyone know enough about g-ir-scanner to help with this?
 Thomas

