From: Oliver Pinter
To: Mark Martinec
Cc: freebsd-stable@freebsd.org, ngie@freebsd.org
Date: Fri, 15 Jan 2016 04:01:02 +0100
Subject: Re: A recent 10.2-STABLE no longer builds on a no-exec /usr/src file system

CC: ngie

On 1/15/16, Mark Martinec wrote:
> On 2016-01-14 23:13, Bryan Drewery wrote:
>> Where / What is the error?
>>
>> The only example here was fixed in November.
>
> Here is how a fresh svn checkout on a 10-stable
> fails in make buildworld when /usr/src is noexec :
>
>
> CC='cc ' mkdep -f .depend.getprotoent_test -a
> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
> -I/usr/src/contrib/netbsd-tests -std=gnu99
> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
> .depend.getprotoent_test
> (cd /usr/src/lib/libc/tests/net && NO_SUBDIR=1 make -f
> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS=
> PROG=ether_aton_test DEPENDFILE=.depend.ether_aton_test
> .MAKE.DEPENDFILE=.depend.ether_aton_test depend)
> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
> make[7]: exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
> failed (Permission denied)
> *** Error code 1
>
> Stop.
> make[7]: stopped in /usr/src/lib/libc/tests/net
> *** Error code 1
>
> Stop.
> make[6]: stopped in /usr/src/lib/libc/tests/net
> *** Error code 1
>
> Stop.
> make[5]: stopped in /usr/src/lib/libc/tests
> *** Error code 1
>
> Stop.
> make[4]: stopped in /usr/src/lib/libc
> *** Error code 1
>
> Stop.
> make[3]: stopped in /usr/src/lib
> *** Error code 1
> [...]
>
>
> The net/gen_ether_subr looks like the same culprit as reported
> in 2015-11-26.
>
> Actually ... it seems that taking out the WITH_TESTS="yes" from
> /etc/make.conf avoids the problem - although this was not necessary
> in 10.2-RELEASE, as far as I can tell.
>
>
> Mark
>
>
>
>> On 1/14/2016 7:42 AM, Mark Martinec wrote:
>>> Prompted by recent security advisories I did a 'make buildworld'
>>> on a fresh svn checkout, only to find out that it seems the 'exec'
>>> mount flag on /usr/src is still required for a successful build.
>>>
>>> This wasn't so for 10.2, and I hope it won't become a requirement
>>> in 10.3 - or at least it should be clearly documented in release
>>> notes.
>>>
>>> Mark
>>>
>>>
>>> On 2015-12-07 16:35, Mark Martinec wrote:
>>>> So, is this a new state of affairs that /usr/src file system
>>>> needs to be mounted exec in order for buildworld to succeed,
>>>> or is this an unintended change and I should file a bug report?
>>>>
>>>> Mark
>>>>
>>>>
>>>> On 2015-11-26 19:44, Miroslav Lachman wrote:
>>>>> Mark Martinec wrote on 11/26/2015 19:31:
>>>>>> Up to about a week ago building world on FreeBSD 10.2-STABLE went
>>>>>> just fine. Today after svn update the build fails:
>>>>>>
>>>>>>
>>>>>> # make buildworld
>>>>>> [...]
>>>>>>
>>>>>> CC='cc ' mkdep -f .depend.getprotoent_test -a
>>>>>> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
>>>>>> -I/usr/src/contrib/netbsd-tests -std=gnu99
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
>>>>>> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
>>>>>> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
>>>>>> .depend.getprotoent_test
>>>>>> (cd /usr/src/lib/libc/tests/net && make -f
>>>>>> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS= SUBDIR=
>>>>>> PROG=ether_aton_test DEPENDFILE=.depend.ether_aton_test
>>>>>> .MAKE.DEPENDFILE=.depend.ether_aton_test depend)
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
>>>>>> make[7]:
>>>>>> exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
>>>>>> failed (Permission denied)
>>>>>> *** Error code 1
>>>>>>
>>>>>> Stop.
>>>>>> make[7]: stopped in /usr/src/lib/libc/tests/net
>>>>>> *** Error code 1
>>>>>>
>>>>>>
>>>>>> It turns out that our file system /usr/src had an "exec" flag
>>>>>> turned off, so now running a command:
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>> fails with "Permission denied".
>>>>>>
>>>>>> It would be valuable if building a system on an exec-protected
>>>>>> src file system would continue to be possible.
>>>>>>
>>>>>> Not sure if the
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>> is the only such new command breaking the build. Anyway, a simple
>>>>>> workaround is to run shell from a command line instead of as a
>>>>>> shebang, i.e.:
>>>>>>
>>>>>> # /bin/sh
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>>
>>>>>> instead of:
>>>>>>
>>>>>> # /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>
>>>>> I was puzzled by a similar thing years ago. I was using /var/db and /tmp
>>>>> mounted with noexec. And then there were some changes. Ports need
>>>>> /var/db with exec because of some script in /var/db/pkg and /tmp must
>>>>> have exec too for buildworld or installworld (I don't remember it
>>>>> well, now I always do mount -u -o current,exec /tmp before build +
>>>>> install world and kernel)
>>>>>
>>>>> Anyway - it would be better to not have these partitions mounted with
>>>>> exec.
>>>>>
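
Added example, not part of the original thread or of the FreeBSD build system: a small shell audit for the failure discussed above. It lists noexec mount points and the files in a tree that carry an execute bit and a `#!` line, i.e. scripts a build step could try to exec() directly. The function names and the sample mount lines in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# On a noexec mount the kernel refuses exec() of any file, shebang scripts
# included ("Permission denied"), while "/bin/sh <script>" still works because
# only /bin/sh is exec'ed and the script is merely read.

# Read `mount` output on stdin and print the mount points flagged noexec.
# Handles both option styles (constructed sample lines):
#   /dev/ada0p3 on /usr/src (ufs, local, noexec, soft-updates)
#   /dev/sda2 on /tmp type ext4 (rw,nosuid,noexec,relatime)
# Mount points containing spaces are not handled.
noexec_mount_points() {
    awk '$2 == "on" && /[(, ]noexec[,) ]/ { print $3 }'
}

# Print every regular file under $1 that has any execute bit set and starts
# with "#!". These are the candidates for a direct exec() by a Makefile rule.
list_shebang_execs() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
    while IFS= read -r f; do
        # Only the first two bytes matter; NULs are dropped so binaries
        # do not trigger shell warnings.
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\000')
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh audit.sh /usr/src
if [ "$#" -ge 1 ]; then
    echo "noexec mount points:"
    mount | noexec_mount_points
    echo "executable shebang scripts under $1:"
    list_shebang_execs "$1"
fi
```

A script reported here that lives under a noexec mount point will fail exactly as gen_ether_subr does in the log unless the build invokes it through its interpreter.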