Date:      Fri, 15 Jan 2016 04:01:02 +0100
From:      Oliver Pinter <oliver.pinter@hardenedbsd.org>
To:        Mark Martinec <Mark.Martinec+freebsd@ijs.si>
Cc:        freebsd-stable@freebsd.org, ngie@freebsd.org
Subject:   Re: A recent 10.2-STABLE no longer builds on a no-exec /usr/src file system
Message-ID:  <CAPQ4ffvUV=wHLHX9Odh1x5NJKg-Ztum1TEbeMY98LGXQ66PZmw@mail.gmail.com>
In-Reply-To: <8c27af875f9af7b0ae85c433c821e2fd@mailbox.ijs.si>
References:  <636a770981c5655f3cc45f2c6aee6474@mailbox.ijs.si> <56575324.9070400@quip.cz> <484e5e28706f1d717bcd02542e7ba306@mailbox.ijs.si> <db623061cdf97d82bb8df4bee9fbd4ab@mailbox.ijs.si> <56981DA4.30402@FreeBSD.org> <8c27af875f9af7b0ae85c433c821e2fd@mailbox.ijs.si>

CC: ngie

On 1/15/16, Mark Martinec <Mark.Martinec+freebsd@ijs.si> wrote:
> On 2016-01-14 23:13, Bryan Drewery wrote:
>> Where / What is the error?
>>
>> The only example here was fixed in November.
>
> Here is how a fresh svn checkout on a 10-stable
> fails in make buildworld when /usr/src is noexec :
>
>
> CC='cc ' mkdep -f .depend.getprotoent_test -a
> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
> -I/usr/src/contrib/netbsd-tests -std=gnu99
> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
> .depend.getprotoent_test
> (cd /usr/src/lib/libc/tests/net &&  NO_SUBDIR=1 make -f
> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS=
> PROG=ether_aton_test  DEPENDFILE=.depend.ether_aton_test
> .MAKE.DEPENDFILE=.depend.ether_aton_test   depend)
> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
> make[7]: exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
> failed (Permission denied)
> *** Error code 1
>
> Stop.
> make[7]: stopped in /usr/src/lib/libc/tests/net
> *** Error code 1
>
> Stop.
> make[6]: stopped in /usr/src/lib/libc/tests/net
> *** Error code 1
>
> Stop.
> make[5]: stopped in /usr/src/lib/libc/tests
> *** Error code 1
>
> Stop.
> make[4]: stopped in /usr/src/lib/libc
> *** Error code 1
>
> Stop.
> make[3]: stopped in /usr/src/lib
> *** Error code 1
> [...]
>
>
> The net/gen_ether_subr looks like the same culprit as reported
> in 2015-11-26.
>
> Actually ... it seems that taking out the WITH_TESTS="yes" from
> /etc/make.conf avoids the problem - although this was not necessary
> in 10.2-RELEASE, as far as I can tell.
>
>
>    Mark
>
>
>
>> On 1/14/2016 7:42 AM, Mark Martinec wrote:
>>> Prompted by recent security advisories I did a 'make buildworld'
>>> on a fresh svn checkout, only to find out that it seems the 'exec'
>>> mount flag on /usr/src is still required for a successful build.
>>>
>>> This wasn't so for 10.2, and I hope it won't become a requirement
>>> in 10.3 - or at least it should be clearly documented in release
>>> notes.
>>>
>>>   Mark
>>>
>>>
>>> On 2015-12-07 16:35, Mark Martinec wrote:
>>>> So, is this a new state of affairs that /usr/src file system
>>>> needs to be mounted exec in order for buildworld to succeed,
>>>> or is this an unintended change and I should file a bug report?
>>>>
>>>>   Mark
>>>>
>>>>
>>>> On 2015-11-26 19:44, Miroslav Lachman wrote:
>>>>> Mark Martinec wrote on 11/26/2015 19:31:
>>>>>> Up to about a week ago building world on FreeBSD 10.2-STABLE went
>>>>>> just fine. Today after svn update the build fails:
>>>>>>
>>>>>>
>>>>>> # make buildworld
>>>>>> [...]
>>>>>>
>>>>>> CC='cc ' mkdep -f .depend.getprotoent_test -a
>>>>>> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
>>>>>> -I/usr/src/contrib/netbsd-tests -std=gnu99
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
>>>>>> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
>>>>>> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
>>>>>> .depend.getprotoent_test
>>>>>> (cd /usr/src/lib/libc/tests/net && make -f
>>>>>> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS=  SUBDIR=
>>>>>> PROG=ether_aton_test  DEPENDFILE=.depend.ether_aton_test
>>>>>> .MAKE.DEPENDFILE=.depend.ether_aton_test   depend)
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
>>>>>> make[7]:
>>>>>> exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
>>>>>> failed (Permission denied)
>>>>>> *** Error code 1
>>>>>>
>>>>>> Stop.
>>>>>> make[7]: stopped in /usr/src/lib/libc/tests/net
>>>>>> *** Error code 1
>>>>>>
>>>>>>
>>>>>> It turns out that our file system /usr/src had an "exec" flag
>>>>>> turned off, so now running a command:
>>>>>>    /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>> fails with "Permission denied".
>>>>>>
>>>>>> It would be valuable if building a system on an exec-protected
>>>>>> src file system would continue to be possible.
>>>>>>
>>>>>> Not sure if the
>>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>> is the only such new command breaking the build. Anyway, a simple
>>>>>> workaround is to run shell from a command line instead of as a
>>>>>> shebang, i.e.:
>>>>>>
>>>>>>    # /bin/sh /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>>
>>>>>> instead of:
>>>>>>
>>>>>>    # /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>>
>>>>> I was puzzled by a similar thing years ago. I was using /var/db and
>>>>> /tmp mounted with noexec. And then there were some changes. Ports need
>>>>> /var/db with exec because of some script in /var/db/pkg and /tmp must
>>>>> have exec too for buildworld or installworld (I don't remember it
>>>>> well, now I always do mount -u -o current,exec /tmp before build +
>>>>> install world and kernel)
>>>>>
>>>>> Anyway - it would be better to not have these partitions mounted with
>>>>> exec.
>>>>>
>
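Added example, not part of the thread or of the FreeBSD tree: a POSIX sh audit helper that lists executable shebang scripts under a source tree (files like gen_ether_subr, whose invocation by path fails on a noexec mount), plus a wrapper that applies the "/bin/sh script" workaround from the quoted 2015-11-26 message to any interpreter. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), portable POSIX sh.

# List regular files under directory $1 that carry an execute bit and begin
# with "#!". A build step that invokes one of these by path makes the kernel
# exec a file on that file system, which a noexec mount refuses.
find_direct_exec_scripts() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
    while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Run script $1 through the interpreter named on its shebang line. The kernel
# then execs the interpreter (which lives on an exec-enabled file system) and
# the script is only read, so neither the exec mount flag nor the script's
# own execute bit is needed.
run_via_interpreter() {
    script=$1
    shift
    first=
    IFS= read -r first < "$script" || [ -n "$first" ] || return 2
    case $first in
        '#!'*) ;;
        *) echo "no shebang line: $script" >&2; return 2 ;;
    esac
    set -f                              # no globbing while word-splitting
    set -- ${first#??} "$script" "$@"   # "#!/bin/sh -e" -> /bin/sh -e script
    set +f
    "$@"
}

# Stand-alone use: pass the tree to audit, e.g. the source directory.
if [ $# -gt 0 ]; then
    find_direct_exec_scripts "$1"
fi
```

Each path it prints is a candidate to check against the Makefiles that call it.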


