GRSecurity/PaX compatibility #3653
Conversation
| # Warn if we couldn't read /proc. | ||
| if [ -z "$GRSEC_DETECTED" -a ! -r /proc/sys/kernel ] | ||
| then | ||
| warn "could not read /proc/sys/kernel: GRSecurity detection might be incorrect" |
There was a problem hiding this comment.
I'm not entirely clear on this: Will this warning be printed even on systems without grsec if /proc/sys/kernel is unreadable?
There was a problem hiding this comment.
Yes, because if you can't read /proc/sys/kernel, you also can't determine if /proc/sys/kernel/grsecurity exists.
There was a problem hiding this comment.
It makes me wonder if trying to enable PaX by default is really a good idea. Do other projects actually try to do this? (I've never seen such warnings when building various software on non-grsec kernels, hence me asking.)
There was a problem hiding this comment.
Hmm, perhaps the warning may be a bit superfluous; most projects don't need special measures, because they don't do silly things -- LLVM does however. Other opinions on whether to show warnings?
There was a problem hiding this comment.
In fact, we can remove this warning, as, contrary to what I believed, under GRSecurity you actually can access /proc/sys/kernel just fine as non-root non-CONFIG_GRKERNSEC_PROC_GID user.
|
It may be worth doing some OS detection magic so the code doesn't try to find grsec on e.g. Windows, OS X, and FreeBSD. |
|
Removed warnings, it will now just show the detection status. |
…add GRSecurity autodetection code to configure.
|
Rebased everything into one commit for clarity. |
|
Thanks! |
Fix futex with large timeout ICE Fixes rust-lang#3647. This PR changed the type of ``nanoseconds`` from ``u64`` to ``u128``. In ``duration_since``, nanoseconds is manually converted to second by dividing it with 1e9. But overflow is still possible.
This patch adds GRSecurity compatibility to the Rust build process, fixing issues #1708 and #3641.
It adds an extra flag to ./configure called
--enable-pax-marks, which will lead to the application of the PaX MPROTECT disable flag on all retrieved and compiled rustc binaries. This requires thepaxctlbinary to be installed.Additionally, the configure process has been altered to attempt to automatically detect a running GRSecurity kernel and set aforementioned option as a result, unless
--disable-pax-markshas been explicitly passed as a ./configure flag.