[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netbsd-tech-pkg
Subject:    Re: PaX mprotect vs. g-ir-scanner (gjs)
From:       Thomas Klausner <wiz () NetBSD ! org>
Date:       2020-04-26 16:52:58
Message-ID: 20200426165258.ctl5q22y7arajaod () danbala
[Download RAW message or body]

On Mon, Apr 06, 2020 at 08:13:43PM -0400, Greg Troxel wrote:
> Thomas Klausner <wiz@NetBSD.org> writes:
> 
> > I've tried updating lang/gjs to the latest version, which uses
> > mozjs68, the JavaScript engine from firefox68. I haved added the
> > update to wip/gjs.
> >
> > This engine is not PaX mprotect safe.
> >
> > I can work around this for a test in the configure step, but in the
> > build step, g-ir-scanner is run to generate the *.typelib files for
> > introspection, and that tries to load the library (AFAIU), and then
> > fails.
> >
> > g-ir-scanner is a Python program.
> >
> > The only workaround I can think of is marking python itself with
> > 'paxctl +m'. Or, of course, fixing the JavaScript engine.
> 
> I wonder if it is possible to have some way to make a single instance of
> a binary marked not for mprotect.   One kludge would be to copy the
> python interpreter into the buildlink tree, paxctl it, and then run it,
> instead of the one in ${PREFIX}/bin.

I kludget this together in wip/gjs.

However, it's not enough. My best guess is that g-ir-scanner runs
something which would need to be marked with 'paxctl +m' as well.

Does anyone know enough about g-ir-scanner to help with this?
 Thomas
[prev in list] [next in list] [prev in thread] [next in thread]