tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: PaX mprotect vs. g-ir-scanner (gjs)

On Mon, Apr 06, 2020 at 08:13:43PM -0400, Greg Troxel wrote:
> Thomas Klausner <> writes:
> > I've tried updating lang/gjs to the latest version, which uses
> > mozjs68, the JavaScript engine from firefox68. I haved added the
> > update to wip/gjs.
> >
> > This engine is not PaX mprotect safe.
> >
> > I can work around this for a test in the configure step, but in the
> > build step, g-ir-scanner is run to generate the *.typelib files for
> > introspection, and that tries to load the library (AFAIU), and then
> > fails.
> >
> > g-ir-scanner is a Python program.
> >
> > The only workaround I can think of is marking python itself with
> > 'paxctl +m'. Or, of course, fixing the JavaScript engine.
> I wonder if it is possible to have some way to make a single instance of
> a binary marked not for mprotect.   One kludge would be to copy the
> python interpreter into the buildlink tree, paxctl it, and then run it,
> instead of the one in ${PREFIX}/bin.

I kludget this together in wip/gjs.

However, it's not enough. My best guess is that g-ir-scanner runs
something which would need to be marked with 'paxctl +m' as well.

Does anyone know enough about g-ir-scanner to help with this?

Home | Main Index | Thread Index | Old Index