
Re: [alpine-devel] Porting Alpine scripts

From: Tuan M. Hoang <tmhoang_at_flatglobe.org>
Date: Mon, 21 Nov 2016 07:39:27 +0700

On Sat, 19 Nov 2016 09:21:09 +0200
Timo Teras <timo.teras_at_iki.fi> wrote:

> On Sat, 19 Nov 2016 04:15:48 +0700
> "Tuan M. Hoang" <tmhoang_at_flatglobe.org> wrote:
>
> > On Thu, 17 Nov 2016 08:24:40 +0200
> > Timo Teras <timo.teras_at_iki.fi> wrote:
> >
> > > > > > b) Then I run crossbuild script, and I need to remove paxmark
> > > > > > lines in gcc's APKBUILD as it returns an unknown error
> > > > > > (while creat-cross script runs just fine). AFAIK, it is
> > > > > > about security concerns, not system's functionality, so for
> > > > > > now I guess it is okay.
> > > > >
> > > > > Your kernel is probably built without XATTR support. paxmark
> > > > > requires XATTR enabled kernel.
> > > >
> > > > I guess my x86_64 machine running grsec kernel (linux-grsec
> > > > package) is XATTR-enabled. I looked a little bit closer on the
> > > > build log and see this : http://sprunge.us/EIVE. When I try to
> > > > run those $ paxctl manually (code from /usr/sbin/paxmark), they
> > > > just pass alright with no output on stdout nor stderr. I also
> > > > tried adding --enable-xattr-support to configure script in gcc
> > > > APKBUILD, but it won't help. What do you think ?
> > >
> > > The kernel should be xattr enabled. What filesystem are you using?
> > > Perhaps there's some filesystem level knob (kernel config) or
> > > limitation.
> >
> > $ df -T | grep sda
> > /dev/sda3 ext4 20473424 6217272 13196368 32% /
> > /dev/sda1 ext4 95054 16460 71426 19% /boot
> > $ cat /proc/fs/ext4/sda1/options | grep xattr
> > user_xattr
> > $ cat /proc/fs/ext4/sda3/options | grep xattr
> > user_xattr
>
> IIRC, if it's grsec kernel, you don't even need the user_xattr mount
> option as grsec kernel treats those xattrs specially.
>
> Of course grsec does not support s390x so the markings are not really
> needed for vanilla kernel. However would be good to figure out so we
> get the build right from beginning.
>
> You could try strace the attr command and see where it fails.
>

I see that you didn't provide linux-grsec/config-grsec.aarch64. Does
grsec not support aarch64 either? I have read some grsec patches and it
looks like they do provide some s390/s390x patches, like this one:
http://dev.alpinelinux.org/~ncopa/grsec/grsecurity-3.1-4.4.32-201604252206-alpine.patch
I am not sure if this is called "supported".

Actually, according to the log above, the $ paxctl commands are the ones
that failed (ret=1). I will try to strace them this week.

> > > > Another problem I am having is when cross-compiling
> > > > linux-vanilla package using aports/scripts/bootstrap.sh :
> > > > http://sprunge.us/AAcA. I am reading abuild source code to find
> > > > the cause but still nothing new. It'd be nice if you help me to
> > > > have a look.
> > >
> > > Bootstrap script was not yet updated for libressl change. I'll
> > > take a look at this. I think the only change needed is to build
> > > libressl instead of openssl. I'll push fix for this soon.
> >
> > Actually this occurred to me before libressl was adopted. After
> > libressl was introduced, I also changed Bootstrap script, libressl
> > APKBUILD, kernel config to adopt libressl too, but the bug is still
> > there. So I guess it's more likely coming from abuild. Here are some
> > of my patches, in case you might want to have a look.
> > https://github.com/tmh1999/alpine-bootstrap-s390x/tree/master/patches/aports/scripts
> > https://github.com/tmh1999/alpine-bootstrap-s390x/tree/master/patches/aports/main
>
> I would be happy to pick up some of these patches already now. Would
> you be able to give them exported with "git format-patch" so you get
> annotated as author and the commit log is preserved?
>
> I could try bootstrap s390 too then and see if the same problem
> happens and analyze it a bit more.
>
> In any case I recently fixed the bootstrap script and few aports. I
> was able to bootstrap again git master for armv7.
>
> Cheers,
> Timo

Please find my patches in the attachments. There were some small
changes that I did not include in those patches because I think they only
(temporarily) affect my build. So I list them here FYI:
- scripts/bootstrap.sh : linux-headers & zlib-dev need to be explicitly
  installed (besides fortify-headers, libc-dev, build-base) even though
  linux-headers is in zlib's makedepends and zlib-dev is in binutils's
  makedepends.

If there is any problem, please kindly let me know.

Cheers,
Tuan

Received on Mon Nov 21 2016 - 07:39:27 GMT
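
The thread leaves open why the PaX marking step fails on a filesystem that reports user_xattr. The following is an added example, not code from the thread or from Alpine: a probe that tries to write a user xattr in a given directory and maps the resulting errno to a likely cause. The attribute name user.pax.flags, the sample value and the function name probe_user_xattr are assumptions made for this illustration.

```python
import errno
import os
import tempfile

# Assumption: name of the user xattr used for PaX flag marking.
PAX_ATTR = "user.pax.flags"

# errno -> likely cause for a failed xattr write.
CAUSES = {
    errno.ENOTSUP: "filesystem or kernel has no user xattr support",
    errno.EPERM: "operation not permitted (ownership, file type, or policy)",
    errno.EACCES: "no write access to the file",
    errno.ENOSPC: "no room left for xattrs on this filesystem",
    errno.EROFS: "filesystem is mounted read-only",
}


def probe_user_xattr(directory, setter=None, remover=None):
    """Create a scratch file in `directory`, try to set PAX_ATTR on it,
    and return (ok, explanation). setter/remover are injectable so the
    error mapping can be exercised without a failing filesystem."""
    setter = setter or os.setxattr
    remover = remover or os.removexattr
    fd, path = tempfile.mkstemp(dir=directory, prefix="xattr-probe-")
    os.close(fd)
    try:
        setter(path, PAX_ATTR, b"m")  # constructed sample value
        remover(path, PAX_ATTR)
        return True, "user xattrs can be written here"
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        cause = CAUSES.get(exc.errno, "unexpected error")
        return False, f"{name}: {cause}"
    finally:
        os.unlink(path)  # never leave the scratch file behind


if __name__ == "__main__":
    import sys
    # Probe each directory given on the command line (default: cwd).
    for d in sys.argv[1:] or ["."]:
        ok, why = probe_user_xattr(d)
        print(f"{d}: {'OK' if ok else 'FAIL'} ({why})")
```

Run it against the build directory rather than / or /boot, since the build may happen on a different mount (for example a tmpfs) than the ones checked with df.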