From: Mark Martinec
To: freebsd-stable@freebsd.org
Subject: Re: A recent 10.2-STABLE no longer builds on a no-exec /usr/src file system
Organization: Jozef Stefan Institute
Date: Fri, 15 Jan 2016 03:58:14 +0100

On 2016-01-14 23:13, Bryan Drewery wrote:
> Where / What is the error?
>
> The only example here was fixed in November.

Here is how a fresh svn checkout on a 10-stable fails
in make buildworld when /usr/src is noexec:

CC='cc ' mkdep -f .depend.getprotoent_test -a -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd -I/usr/src/contrib/netbsd-tests -std=gnu99 /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >> .depend.getprotoent_test
(cd /usr/src/lib/libc/tests/net && NO_SUBDIR=1 make -f /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS= PROG=ether_aton_test DEPENDFILE=.depend.ether_aton_test .MAKE.DEPENDFILE=.depend.ether_aton_test depend)
/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
make[7]: exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr) failed (Permission denied)
*** Error code 1

Stop.
make[7]: stopped in /usr/src/lib/libc/tests/net
*** Error code 1

Stop.
make[6]: stopped in /usr/src/lib/libc/tests/net
*** Error code 1

Stop.
make[5]: stopped in /usr/src/lib/libc/tests
*** Error code 1

Stop.
make[4]: stopped in /usr/src/lib/libc
*** Error code 1

Stop.
make[3]: stopped in /usr/src/lib
*** Error code 1
[...]

The net/gen_ether_subr looks like the same culprit
as reported in 2015-11-26.

Actually ... it seems that taking out the WITH_TESTS="yes"
from /etc/make.conf avoids the problem - although this was
not necessary in 10.2-RELEASE, as far as I can tell.

   Mark

> On 1/14/2016 7:42 AM, Mark Martinec wrote:
>> Prompted by recent security advisories I did a 'make buildworld'
>> on a fresh svn checkout, only to find out that it seems the 'exec'
>> mount flag on /usr/src is still required for a successful build.
>>
>> This wasn't so for 10.2, and I hope it won't become a requirement
>> in 10.3 - or at least it should be clearly documented in release
>> notes.
>>
>> Mark
>>
>>
>> On 2015-12-07 16:35, Mark Martinec wrote:
>>> So, is this a new state of affairs that /usr/src file system
>>> needs to be mounted exec in order for buildworld to succeed,
>>> or is this an unintended change and I should file a bug report?
>>>
>>> Mark
>>>
>>>
>>> On 2015-11-26 19:44, Miroslav Lachman wrote:
>>>> Mark Martinec wrote on 11/26/2015 19:31:
>>>>> Up to about a week ago building world on FreeBSD 10.2-STABLE went
>>>>> just fine. Today after svn update the build fails:
>>>>>
>>>>>
>>>>> # make buildworld
>>>>> [...]
>>>>>
>>>>> CC='cc ' mkdep -f .depend.getprotoent_test -a
>>>>> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
>>>>> -I/usr/src/contrib/netbsd-tests -std=gnu99
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
>>>>> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
>>>>> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
>>>>> .depend.getprotoent_test
>>>>> (cd /usr/src/lib/libc/tests/net && make -f
>>>>> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS= SUBDIR=
>>>>> PROG=ether_aton_test DEPENDFILE=.depend.ether_aton_test
>>>>> .MAKE.DEPENDFILE=.depend.ether_aton_test depend)
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
>>>>> make[7]:
>>>>> exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
>>>>> failed (Permission denied)
>>>>> *** Error code 1
>>>>>
>>>>> Stop.
>>>>> make[7]: stopped in /usr/src/lib/libc/tests/net
>>>>> *** Error code 1
>>>>>
>>>>>
>>>>> It turns out that our file system /usr/src had an "exec" flag
>>>>> turned off, so now running a command:
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> fails with "Permission denied".
>>>>>
>>>>> It would be valuable if building a system on an exec-protected
>>>>> src file system would continue to be possible.
>>>>>
>>>>> Not sure if the
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> is the only such new command breaking the build. Anyway, a simple
>>>>> workaround is to run shell from a command line instead of as a
>>>>> shebang, i.e.:
>>>>>
>>>>> # /bin/sh
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>
>>>>> instead of:
>>>>>
>>>>> # /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>
>>>> I was puzzled by a similar thing years ago. I was using /var/db and
>>>> /tmp mounted with noexec. And then there were some changes. Ports need
>>>> /var/db with exec because of some script in /var/db/pkg and /tmp must
>>>> have exec too for buildworld or installworld (I don't remember it
>>>> well, now I always do mount -u -o current,exec /tmp before build +
>>>> install world and kernel)
>>>>
>>>> Anyway - it would be better to not have these partitions mounted
>>>> with exec.
>>>>
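
Added example (not part of the original message or of the FreeBSD build system): a pre-flight check that reports which build-related paths sit on a noexec file system, so the exec() failure shown in the thread can be predicted before running make buildworld. The function names, the MOUNT_TABLE variable and the sample mount table are constructed for illustration; the table uses the fstab(5) layout that FreeBSD's mount -p prints.

```sh
#!/bin/sh
# Constructed sample mount table in fstab(5) layout (device, mount point,
# type, options, dump, pass). Not taken from the thread.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p4 /tmp ufs rw,noexec,nosuid 2 2
/dev/ada0p5 /usr/src ufs rw,noexec 2 2
/dev/ada0p6 /usr/obj ufs rw 2 2
/dev/ada0p7 /var/db ufs rw,nosuid 2 2'

# mount_opts_for PATH: read a mount table on stdin and print the options of
# the file system holding PATH (longest mount point that is a prefix of PATH).
mount_opts_for() {
    path=$1; best=''; best_opts=''
    while read -r _dev mnt _type opts _rest; do
        case "$path/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -gt "${#best}" ]; then
                    best=$mnt; best_opts=$opts
                fi ;;
        esac
    done
    printf '%s\n' "$best_opts"
}

# is_noexec PATH: succeed if PATH lives on a file system mounted noexec.
# MOUNT_TABLE is a hypothetical override; on a live host set it to $(mount -p).
is_noexec() {
    opts=$(printf '%s\n' "${MOUNT_TABLE:-$SAMPLE_MOUNTS}" | mount_opts_for "$1")
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight PATH...: print each path where directly executing a script
# (shebang exec, as make did with gen_ether_subr) would be refused.
preflight() {
    for p in "$@"; do
        if is_noexec "$p"; then printf '%s\n' "$p"; fi
    done
}

preflight /usr/src/contrib/netbsd-tests/lib/libc/net /usr/obj /tmp /var/db/pkg
```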