Building Cinelerra and stack exec and mprotect issues
Posted: Mon Apr 25, 2016 8:11 pm
title: Building Cinelerra and stack exec and mprotect issues
---
(We'll get to grsec, in a while .)
I need the Cinelerra program, which has been very outdated in Gentoo
(
https://packages.gentoo.org/packages/me ... /cinelerra
where 20140710 is the most recent version and there is no maintainer...
)
and the development of a relatively recent fork at:
https://cinelerra-cv.org/
has been very lively since, so while I could use the old version, I wish so much to use the new, built out of git repo.
I have worked for two days very dedicatedly, and have tried to keep good notes of what I tried when building and installing Cinelerra, which installs, but fails to start.
And here we arrived at grsecurity.
It fails because of execstack and mprotect issues, maybe because of not having been talked into playing by the good rules the grsecurity imposes...
The entire quest of mine with the Cinelerra-CV building is available here:
Install Cinelerra in Gentoo (out-of-portage)
http://www.croatiafidelis.hr/foss/gento ... out-of.php
maybe just a tiny excerpt I should post here to give the idea:
and that really was the case still after a few recompiles...
I have also asked for help at:
Building in Gentoo; Was: Re: Cinelerra 5.1: Two bugs
http://lists.cinelerra-cv.org/pipermail ... 04677.html
The day here in Europe has long been over. I'm exhausted. But I thought before I go to sleep I'd ask for help here on grsecurity forums, since these are really advanced issues that devs, and many users, may be very much at home with, and give me advice.
For which I'll be thankful!
Miroslav Rovis
http://www.CroatiaFidelis.hr
---
(We'll get to grsec, in a while .)
I need the Cinelerra program, which has been very outdated in Gentoo
(
https://packages.gentoo.org/packages/me ... /cinelerra
where 20140710 is the most recent version and there is no maintainer...
)
and the development of a relatively recent fork at:
https://cinelerra-cv.org/
has been very lively since, so while I could use the old version, I wish so much to use the new, built out of git repo.
I have worked for two days very dedicatedly, and have tried to keep good notes of what I tried when building and installing Cinelerra, which installs, but fails to start.
And here we arrived at grsecurity.
It fails because of execstack and mprotect issues, maybe because of not having been talked into playing by the good rules the grsecurity imposes...
The entire quest of mine with the Cinelerra-CV building is available here:
Install Cinelerra in Gentoo (out-of-portage)
http://www.croatiafidelis.hr/foss/gento ... out-of.php
maybe just a tiny excerpt I should post here to give the idea:
- Code: Select all
Apr 25 10:50:18 gcn kernel: [14513.404820] grsec: exec of /usr/bin/cinelerra
(cinelerra ) by /usr/bin/cinelerra[bash:26986] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000
gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14513.767991] grsec: denied marking stack
executable as requested by PT_GNU_STACK marking in
/usr/lib64/cinelerra/blondtheme.so by /usr/bin/cinelerra[cinelerra:26986]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336]
uid/euid:1000/1000 gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14513.768030] grsec: denied RWX mprotect of
/lib64/ld-2.22.so by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000
gid/egid:1000/1000
and that really was the case still after a few recompiles...
I have also asked for help at:
Building in Gentoo; Was: Re: Cinelerra 5.1: Two bugs
http://lists.cinelerra-cv.org/pipermail ... 04677.html
The day here in Europe has long been over. I'm exhausted. But I thought before I go to sleep I'd ask for help here on grsecurity forums, since these are really advanced issues that devs, and many users, may be very much at home with, and give me advice.
For which I'll be thankful!
Miroslav Rovis
http://www.CroatiaFidelis.hr