# HG changeset patch
# User Andrew John Hughes
# Date 1460075891 -3600
# Node ID 9e5bab0925d7c27df1afb1daa79a5d75aa9c12ff
# Parent 560c5d58d75624a67280b2340c088278567a0fb8
PR2920: PaX marking fails on filesystems which don't support extended attributes
2016-04-07 Andrew John Hughes
PR2920: PaX marking fails on filesystems which don't support extended attributes
* Makefile.am:
(icedtea): Pass true to pax-mark-vm to fail if PaX marking fails.
(icedtea-debug): Likewise.
(icedtea-boot): Likewise.
(install-exec-local): Pass false to pax-mark-vm so that only a warning is produced if PaX marking fails on the installed version.
* NEWS: Updated.
* pax-mark-vm.in: Add a second option, FAIL_ON_ERROR, which will cause the script to exit if it can't PaX mark when set to true, but just issue a warning when set to false.
diff -r 560c5d58d756 -r 9e5bab0925d7 ChangeLog
--- a/ChangeLog Thu Apr 07 04:18:28 2016 +0100
+++ b/ChangeLog Fri Apr 08 01:38:11 2016 +0100
@@ -1,3 +1,22 @@
+2016-04-07 Andrew John Hughes
+
+ PR2920: PaX marking fails on filesystems which
+ don't support extended attributes
+ * Makefile.am:
+ (icedtea): Pass true to pax-mark-vm to fail
+ if PaX marking fails.
+ (icedtea-debug): Likewise.
+ (icedtea-boot): Likewise.
+ (install-exec-local): Pass false to pax-mark-vm
+ so that only a warning is produced if PaX marking
+ fails on the installed version.
+ * NEWS: Updated.
+ * pax-mark-vm.in:
+ Add a second option, FAIL_ON_ERROR, which will
+ cause the script to exit if it can't PaX mark
+ when set to true, but just issue a warning when
+ set to false.
+
 2016-04-06 Andrew John Hughes
 
 PR2918: Makefile handles cacerts as a symlink,
diff -r 560c5d58d756 -r 9e5bab0925d7 Makefile.am
--- a/Makefile.am Thu Apr 07 04:18:28 2016 +0100
+++ b/Makefile.am Fri Apr 08 01:38:11 2016 +0100
@@ -1805,7 +1805,7 @@
 $(ICEDTEA_ENV) \
 -C $(BUILD_OUTPUT_DIR) \
 $(ICEDTEA_BUILD_TARGET)
- $(abs_top_builddir)/pax-mark-vm $(BUILD_SDK_DIR)
+ $(abs_top_builddir)/pax-mark-vm $(BUILD_SDK_DIR) true
 mkdir -p $(BUILD_SDK_DIR)/jre/lib/$(INSTALL_ARCH_DIR)
 mkdir -p $(BUILD_JRE_DIR)/lib/$(INSTALL_ARCH_DIR)
 mkdir -p $(BUILD_SDK_DIR)/jre/lib/ext
@@ -1867,7 +1867,7 @@
 $(ICEDTEA_ENV) \
 -C $(DEBUG_BUILD_OUTPUT_DIR) \
 $(ICEDTEA_BUILD_TARGET)
- $(abs_top_builddir)/pax-mark-vm $(BUILD_DEBUG_SDK_DIR)
+ $(abs_top_builddir)/pax-mark-vm $(BUILD_DEBUG_SDK_DIR) true
 mkdir -p $(BUILD_DEBUG_SDK_DIR)/jre/lib/$(INSTALL_ARCH_DIR)
 mkdir -p $(BUILD_DEBUG_JRE_DIR)/lib/$(INSTALL_ARCH_DIR)
 mkdir -p $(BUILD_DEBUG_SDK_DIR)/jre/lib/ext
@@ -2014,7 +2014,7 @@
 $(ICEDTEA_ENV_BOOT) \
 -C $(BOOT_BUILD_OUTPUT_DIR) \
 images
- $(abs_top_builddir)/pax-mark-vm $(BUILD_BOOT_SDK_DIR)
+ $(abs_top_builddir)/pax-mark-vm $(BUILD_BOOT_SDK_DIR) true
 @echo "Bootstrapped IcedTea is served:" $(BUILD_BOOT_SDK_DIR)
 mkdir -p stamps
 touch $@
@@ -2651,7 +2651,7 @@
 $(INSTALL_DATA) $${files} $(DESTDIR)${prefix}/tapset; \
 done
 endif
- $(abs_top_builddir)/pax-mark-vm $(DESTDIR)${prefix}
+ $(abs_top_builddir)/pax-mark-vm $(DESTDIR)${prefix} false
 
 install-data-local:
 ${mkinstalldirs} $(DESTDIR)${prefix}
diff -r 560c5d58d756 -r 9e5bab0925d7 NEWS
--- a/NEWS Thu Apr 07 04:18:28 2016 +0100
+++ b/NEWS Fri Apr 08 01:38:11 2016 +0100
@@ -163,6 +163,7 @@
 - PR2907: Replace --with-abs-install-dir with usual --prefix
 - PR2917: Don't pass --with-cacerts-file to build if USE_ALT_CACERTS_FILE is not set
 - PR2918: Makefile handles cacerts as a symlink, but the configure check doesn't
+ - PR2920: PaX marking fails on filesystems which don't support extended attributes
 - Don't substitute 'j' for '-j' inside -I directives
 - Extend 8041658 to all files in the HotSpot build.
 - Remove jcheck
diff -r 560c5d58d756 -r 9e5bab0925d7 pax-mark-vm.in
--- a/pax-mark-vm.in Thu Apr 07 04:18:28 2016 +0100
+++ b/pax-mark-vm.in Fri Apr 08 01:38:11 2016 +0100
@@ -1,13 +1,25 @@
 #!/bin/sh
 
+JDK=${1}
+FAIL_ON_ERROR=${2}
+
 # Taken from Gentoo's pax-utils.eclass
 list_paxables() {
 file "$@" 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//'
 }
 
 if test "x@PAX_COMMAND@" != "x"; then
- for paxable in `list_paxables "${1}"/bin/* "${1}"/jre/bin/*`; do
+ if @PAX_COMMAND@ -m "${JDK}"/bin/java; then
+ for paxable in `list_paxables "${JDK}"/bin/* "${JDK}"/jre/bin/*`; do
 echo "PaX mark @PAX_COMMAND_ARGS@ ${paxable}"
 @PAX_COMMAND@ @PAX_COMMAND_ARGS@ "${paxable}"
 done
+ else
+ if test "x${FAIL_ON_ERROR}" = "xtrue"; then
+ echo "ERROR: Could not apply PaX markings to files in ${JDK}";
+ exit -1;
+ else
+ echo "WARNING: Could not apply PaX markings to files in ${JDK}";
+ fi
+ fi
 fi
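Review bot: `exit -1;` in the new FAIL_ON_ERROR branch is not a valid exit status under `#!/bin/sh`: POSIX expects an unsigned value, bash maps it to 255 and shells such as dash reject the argument as an illegal number, so the build-time failure should be `exit 1;`. Both messages go to stdout; writing them to stderr (`echo "WARNING: Could not apply PaX markings to files in ${JDK}" >&2;`) keeps them visible in the install-exec-local case, where Makefile.am passes `false` and the warning is the only sign that the installed binaries were left unmarked. The probe checks only `"${JDK}"/bin/java` with a hard-coded `-m`, and the loop still ignores the exit status of each `@PAX_COMMAND@ @PAX_COMMAND_ARGS@ "${paxable}"` call, so a marking failure on any other binary stays silent even when `true` is passed.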