On Sat, 2006-05-27 at 04:31 +0100, Declan Moriarty wrote:
> On Fri, 2006-05-26 at 18:40 -0400, Robert Connolly wrote:
> > On May 26, 2006 01:35 pm, George Boudreau wrote:
> > > If Robert says he has built a
> > > hlfs(svn)-> hlfs(svn) then that is the end of the story and I will look
> > > at my setup.
> >
> > I have, but it was quite a while ago. Most of my builds are with uclibc. I
> > think I did rebuild hlfs glibc, from hlfs, but I may have rebooted with some
> > or all of the grsecurity options disabled. I noticed there is a
> > glibc-localedef-segfault patch in the patch repository, but I haven't tried
> > it. localedef was crashing when I rebuilt glibc on hlfs, which is maybe why I
> > disabled grsecurity. So many things have changed since then, it's hard to say
> > why you are having difficulties.
/Finally thinking here
Think about this. No patch will work, unless it's been in the works so
long that it is part of the accepted build. The reason is, glibc crashes
out in building chapter 5, which uses the _host_ system's localedef. If
the host system is (security enabled) HLFS-0.1, this stage will fail.
HLFS-0.1 did not have a (working) patch for localedef to overcome this
problem, so your stated target of building hlfs-0.1(20051220) -->
hlfs-0.2 will not work this way.
That hlfs book had a few mentions of the problem. It appears in the
changelog for May 7th 2005, well before my interest in HLFS. Also on
January 27th 2005, where paxctl was added to cope with this issue. The
detail is, (AFAIK) that this CONFIG_PAX_EMUTRAMP in the kernel (which I
have) provides system wide protection. The workaround for system
builders would be not to have this set system wide, but to use paxctl to
enforce it on a per binary basis. This does not protect against a
foreign binary with no PAX header, which is definitely _NOT_ what hlfs
is about. HLFS is about shutting doors, not opening them. But check any
advice I give you on Security!
Would not the handy way around this be to put up a tarball for download
of the Minimum set of locales for the current glibc to pass the tests
(in ch 5)? Then patch the localedef in /tools, and don't install the one
in glibc unless you can tidy up its behaviour to make locales in a
restricted environment.
Either that, or change your glibc instruction set significantly. Anyhow
uclibc seems the easier ride. BTW, please tidy up the kernel
instructions on that CONFIG_PAX_EMUTRAMP.
--
With Best Regards,
Declan Moriarty.