FS#43057 - [linux-grsec] gcc-plugins are incompatible with 'multilib-devel'
Attached to Project:
Community Packages
Opened by Alexander Schnaidt (Namarrgon) - Tuesday, 09 December 2014, 17:56 GMT
Last edited by Daniel Micay (thestinger) - Saturday, 05 March 2016, 13:00 GMT
Opened by Alexander Schnaidt (Namarrgon) - Tuesday, 09 December 2014, 17:56 GMT
Last edited by Daniel Micay (thestinger) - Saturday, 05 March 2016, 13:00 GMT
|
Details
Description:
The linux-grsec package is built with the 'base-devel' group which makes it impossible to build modules against it when the 'multilib-devel' toolchain is installed since the shipped grsec-gcc plugins are then not compatible with multilib-devel's gcc anymore. Steps to reproduce: # pacman -S multilib-devel linux-grsec{,-headers} virtualbox-host-dkms # dkms install -m vboxhost -v 4.3.20 -k $(cat /usr/lib/modules/extramodules-3.17.*-grsec/version) The output is attached. I'm not entirely sure whether this qualifies as a bug or should just be mentioned in the grsec documentation. As it is right now it certainly makes the use of 'multilib-devel' a whole lot more cumbersome when dkms or any other external modules are involved since one now has to switch between toolchains when building multilib-packages and kernel-modules. Rebuilding the linux-grsec package with the 'multilib-devel' toolchain remedies the problem but of course breaks the compatibility with the 'base-devel' toolchain; and this is not an option for the repositories anyway. |
This task depends upon
Closed by Daniel Micay (thestinger)
Saturday, 05 March 2016, 13:00 GMT
Reason for closing: Won't fix
Additional comments about closing: This is now documented and I don't have plans to work around it. I would accept a patch working around this issue if it was easy to review/maintain but it doesn't appear that anyone is interested in this issue.
Saturday, 05 March 2016, 13:00 GMT
Reason for closing: Won't fix
Additional comments about closing: This is now documented and I don't have plans to work around it. I would accept a patch working around this issue if it was easy to review/maintain but it doesn't appear that anyone is interested in this issue.
https://wiki.archlinux.org/index.php/Grsecurity#Out-of-tree_module_compilation_failure
I'm open to suggestions on a better way to deal with this, but I'm going to close to bug for now because I don't think there's any way to improve it.
2. where do you install gcc plugins? gcc can load plugins without a full path specification if they're installed in the proper plugins dir which would allow compiling/installing multiple plugin instances at once. i'm open to changes in the kernel-side plugin build system if you can figure out the rest ;).
PS: CC me next time on PaX related issues please.
gcc:
Using built-in specs.
COLLECT_GCC=/usr/bin/gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-unknown-linux-gnu/4.9.2/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with: /build/gcc/src/gcc-4.9.2/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-cloog-backend=isl --disable-isl-version-check --disable-cloog-version-check --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --disable-multilib --disable-werror --enable-checking=release
Thread model: posix
gcc version 4.9.2 (GCC)
gcc-multilib:
Using built-in specs.
COLLECT_GCC=/usr/bin/gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-unknown-linux-gnu/4.9.2/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with: /build/gcc-multilib/src/gcc-4.9.2/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-cloog-backend=isl --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-multilib --disable-werror --enable-checking=release
Thread model: posix
gcc version 4.9.2 (GCC)
> PS: CC me next time on PaX related issues please.

I'll make sure to do that.
I dont have multilib repo enable in my pacman.conf. still after updating gcc and glibc I greeted with same error.
[savio@savio-arch ~]$ pacin multilib-devel
error: target not found: multilib-devel
[savio@savio-arch ~]$ pacin multilib-devel
error: target not found: multilib-devel
[savio@savio-arch ~]$ pacin gcc-multilib
[sudo] password for savio:
error: target not found: gcc-multilib
Below is make.log error for dkms install
[savio@savio-arch ~]$ cat /var/lib/dkms/vboxhost/4.3.20/build/make.log
DKMS make.log for vboxhost-4.3.20 for kernel 3.18.6.201502062100-1-grsec (x86_64)
Mon Feb 9 21:24:41 IST 2015
make: Entering directory '/usr/lib/modules/3.18.6.201502062100-1-grsec/build'
LD /var/lib/dkms/vboxhost/4.3.20/build/built-in.o
LD /var/lib/dkms/vboxhost/4.3.20/build/vboxdrv/built-in.o
CC [M] /var/lib/dkms/vboxhost/4.3.20/build/vboxdrv/linux/SUPDrv-linux.o
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/size_overflow_plugin/size_overflow_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/stackleak_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/colorize_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/structleak_plugin.so
scripts/Makefile.build:257: recipe for target '/var/lib/dkms/vboxhost/4.3.20/build/vboxdrv/linux/SUPDrv-linux.o' failed
make[2]: *** [/var/lib/dkms/vboxhost/4.3.20/build/vboxdrv/linux/SUPDrv-linux.o] Error 1
scripts/Makefile.build:402: recipe for target '/var/lib/dkms/vboxhost/4.3.20/build/vboxdrv' failed
make[1]: *** [/var/lib/dkms/vboxhost/4.3.20/build/vboxdrv] Error 2
Makefile:1459: recipe for target '_module_/var/lib/dkms/vboxhost/4.3.20/build' failed
make: *** [_module_/var/lib/dkms/vboxhost/4.3.20/build] Error 2
make: Leaving directory '/usr/lib/modules/3.18.6.201502062100-1-grsec/build'
My grsecurity kernel is compiled from abs with few option disable to get VirtualBox working ( I'll be moving towards qemu/kvm :)). Do I need to compile my linux-grsec everytime there is gcc update.
If you need to build out-of-tree modules for it, yes.
I'm not sure if I'm following the reasoning behind not updating it.
Spending time compiling it is time I can't spend compiling *other* things, so it blocks me from doing stuff like actual work.
This issue is about gcc and gcc-multilib being treated as separate compilers though. They might have a compatible ABI so the PaX script could ignore that configuration difference. I'm not sure, haven't had much time to look at this.
Isn't this what pkgbuild.com is for? Unless you're referring to the time it takes to test it, and not the compiling time.
I can add a warning in post_install/post_upgrade if the installed gcc package doesn't match the kernel, and maybe put a optdepends for gcc=x.x.x-x? Think that's a good or bad idea?
It's not possible to make an accurate optdepends entry and it won't take into account the fact that gcc-multilib provides gcc.
A post-install/upgrade message won't work because the problem is that gcc is upgraded after linux-grsec.
I feel there needs to be some notification to the user that installing two packages from [community] will break each other.
https://projects.archlinux.org/svntogit/community.git/log/trunk?h=packages/linux-grsec
A condition of grsecurity being the official repositories was that it wasn't going to put a burden on other people, meaning it's not going to be coordinated with upgrades of the virtualbox module package or gcc. There will always be a window where it won't be possible to build modules without downgrading gcc or rebuilding it with the new gcc.
This issue was just about gcc vs. gcc-multilib with the same version. Totally different gcc versions is a separate issue without a full solution as they really do change the ABI frequently.
_gcc_build=$(pacman -Q gcc || pacman -Q gcc-multilib | sed 's/ /=/')
depends=("${_gcc_build}")
~ > yaourt -Ssq dkms | wc -l
70
I personally disagree that the "problem solves itself within a few days" is an acceptable solution for a rolling release distribution. This package isn't ready for [community], it should be moved back to [community-testing] until it stops breaking other [community] packages.
IMO, there's really nothing I can do about the fact that new GCC versions are a problem. It can take a relatively long time for the GCC plugins to adapt to the API changes so a lot of it is out of our hands completely. The distribution isn't going to hold back moving to new GCC versions for the sake of the linux-grsec package and I don't see another 'solution'.
I think it's reasonable to expect the audience targeted by Arch to cope with this if they want to build out-of-tree modules. The Red Hat solution would be turning on kernel module signing...