Bug#883170: java is paxctl-ed too late
* Santiago R.R. [30/11/2017 17:22] :
>
> ca-certificates-java's postinst would call paxrat or paxctl, if
> available.
>
> Opinions?

While I'm not sure how realistic it is to expect all packages that execute java in their postinst scripts to become paxctl-aware, that would certainly work.

Emmanuel
Bug#883170: java is paxctl-ed too late
On 30/11/17 at 11:56, Emmanuel Seyman wrote:
> Package: paxrat
> Version: 1.0-3+b1
>
> When I install openjdk-8-jre-headless, it installs ca-certificates-java as
> a dependency. ca-certificates-java's postinst is called and killed by grsec
> because it calls "java -Xmx64m -jar [...]".
>
> Once that happens, paxrat is then executed and paxctl is run on
> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java. An "apt-get install -f" will
> then run ca-certificates-java's postinst again which will complete.

Quick answer: I wonder if the solution would be rather in ca-certificates-java. A user running a grsec kernel and no paxrat installed would get the same problem. ca-certificates-java's postinst would call paxrat or paxctl, if available.

Opinions?

-- Santiago
Bug#883170: java is paxctl-ed too late
Package: paxrat
Version: 1.0-3+b1

When I install openjdk-8-jre-headless, it installs ca-certificates-java as a dependency. ca-certificates-java's postinst is called and killed by grsec because it calls "java -Xmx64m -jar [...]".

Once that happens, paxrat is then executed and paxctl is run on /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java. An "apt-get install -f" will then run ca-certificates-java's postinst again which will complete.