Bug#883170: java is paxctl-ed too late

2017-11-30 Thread Emmanuel Seyman
* Santiago R.R. [30/11/2017 17:22] :
>
> ca-certificates-java's postinst would call paxrat or paxctl, if
> available.
> 
> Opinions?

While I'm not sure how realistic it is to expect all packages that
execute java in their postinst scripts to become paxctl-aware,
that would certainly work.

Emmanuel



Bug#883170: java is paxctl-ed too late

2017-11-30 Thread Santiago R.R.
On 30/11/17 at 11:56, Emmanuel Seyman wrote:
> Package: paxrat
> Version: 1.0-3+b1
> 
> When I install openjdk-8-jre-headless, it installs ca-certificates-java as
> a dependency. ca-certificates-java's postinst is called and killed by grsec
> because it calls "java -Xmx64m -jar [...]".
> 
> Once that happens, paxrat is then executed and paxctl is run on
> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java. An "apt-get install -f" will
> then run ca-certificates-java's postinst again which will complete.

Quick answer: I wonder if the solution should rather be in
ca-certificates-java, since a user running a grsec kernel with no paxrat
installed would get the same problem.
ca-certificates-java's postinst would call paxrat or paxctl, if
available.

Opinions?

 -- Santiago
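As an added illustration of the ordering fix proposed above (this is example code, not from the bug thread, the paxrat package or ca-certificates-java): a postinst-style helper that applies the PaX marking to the java binary itself, before the maintainer script runs it, and degrades to a no-op when no paxctl is installed. It calls paxctl directly; the thread reports paxrat running only after the postinst, which is the ordering problem. The JVM path is a hypothetical default taken from the report, and the flag choice (`-c` to add the PT_PAX_FLAGS header, `-m` to disable MPROTECT) is an assumption about what the HotSpot JIT needs, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from any Debian package.
# Marks the JVM binary with PaX flags *before* running it, so a grsecurity/PaX
# kernel does not kill the maintainer script's "java -Xmx64m -jar ..." call.

# Hypothetical default path (the real postinst would derive it from the
# configured JVM); override with the JAVA_BIN environment variable.
JAVA_BIN="${JAVA_BIN:-/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java}"

# pax_mark BIN: apply PaX marking to BIN if paxctl is available.
# Returns 0 if marking succeeded or no PaX tool is installed (nothing to do),
# 1 if BIN is missing or paxctl itself failed.
pax_mark() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "pax_mark: $bin not found or not executable" >&2
        return 1
    fi
    if ! command -v paxctl >/dev/null 2>&1; then
        # No PaX userland: a non-grsec kernel ignores the marking anyway.
        return 0
    fi
    # Assumed flags: -c creates the PT_PAX_FLAGS program header if absent,
    # -m disables MPROTECT, which a JIT that needs writable+executable
    # mappings requires.
    paxctl -cm "$bin"
}

# run_java_marked ARGS...: the ordering the report asks for, mark first,
# then execute the JVM with the caller's arguments.
run_java_marked() {
    pax_mark "$JAVA_BIN" || return 1
    "$JAVA_BIN" "$@"
}
```

In a real postinst the marking call would sit immediately before the `java -Xmx64m -jar [...]` invocation; when the package is being configured with dpkg, a failure of `pax_mark` (non-zero return) would make the script fail early with a clear message instead of being killed by the kernel.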



Bug#883170: java is paxctl-ed too late

2017-11-30 Thread Emmanuel Seyman
Package: paxrat
Version: 1.0-3+b1

When I install openjdk-8-jre-headless, it installs ca-certificates-java as
a dependency. ca-certificates-java's postinst is called and killed by grsec
because it calls "java -Xmx64m -jar [...]".

Once that happens, paxrat is then executed and paxctl is run on
/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java. An "apt-get install -f" will
then run ca-certificates-java's postinst again which will complete.