Skype 4 on hardened
Retired Dev
Joined: 03 Jan 2006
Posts: 602

PostPosted: Sun Aug 12, 2012 3:24 pm    Post subject: Skype 4 on hardened

On my relatively freshly installed hardened system I try to get Skype to run with the following profile. Unfortunately, USE=pax_kernel leads to an abort of the merge; without it the merge finishes, but PaX-marking the binary fails with

# paxctl -me /opt/bin/skype
file /opt/bin/skype is not a valid ELF executable (invalid PT_ entry:6)

(This is actually the stuff done with USE=pax_kernel.) Has anybody succeeded in getting it to run? Somewhere I read some hints about placing PaX markings in an ACL rather than in the binary header, which should solve part of the problem.

Portage (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.15-r2, 3.4.5-hardened x86_64)
System uname: Linux-3.4.5-hardened-x86_64-Intel-R-_Core-TM-_i5_CPU_M_450_@_2.40GHz-with-gentoo-2.1
Timestamp of tree: Sun, 12 Aug 2012 13:15:01 +0000
ccache version 3.1.7 [disabled]
app-shells/bash:          4.2_p20
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/ccache:          3.1.7
dev-util/cmake:           2.8.7-r5
dev-util/pkgconfig:       0.27
sys-apps/baselayout:      2.1-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo fauli hardened-dev
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 skype-"
CFLAGS="-O2 -pipe -march=native"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=native"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles metadata-transfer news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms sign strict test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/hardened-development"
USE="3dnow 3dnowext X a52 aac acl aiglx alsa amd64 applet artworkextra asf audiofile bash-completion berkdb bidi bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cleartype cli console consolekit corefontsX cracklib crypt css cups curl custom-cflags dbus deskbar dga directfb divx4linux dri dts dvd dvdr dvdread dvi emacs encode evince exif fam fat fbcon fbcondecor ffmpeg foomaticdb ftp gb gcj gdbm gif glitz gpm gsf gtk gtk2 gtkhtml hardened howl iconv icq idn imagemagick imlib ipv6 java javascript jpeg jpeg2k justify kpathsea libnotify libotf lm_sensors lzma mad matroska mime mmx mmxext mng modules mp3 mp4 mpeg mpeg2 mudflap mule multilib ncurses nforce2 nls noaudio nocardbus nocxx novideo nowebdav nptl nptlonly objc objc++ objc-gc offensive ogg open_perms opengl openmp pam pango passwordsave pax_kernel pcre pdf plotutils pmu png policykit ppds pppd prediction preview-latex print publishers qt-static readline samba sdk selinux session slang smp sna spell sse sse2 ssl startup-notification svg t1lib tcpd theora threads thumbnailing tiff toolkit-scroll-bars totem truetype truetype-fonts type1-fonts udev udisks unicode upower urandom usb userlocales vcd videos vorbis wmf wxwidgets wxwindows x264 xcb xface xfce xft xml xosd xpm xv xvid xz zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de" LIRC_DEVICES="atiusb" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Joined: 23 Mar 2011
Posts: 6
Location: Göteborg, Sweden (previously Valencia, Spain)

PostPosted: Tue Nov 20, 2012 3:50 am    Post subject:

Just came across this while looking; the solution is disabling the qt-static USE flag so the markings will work okay. Another option may be using xattr markings like those made by paxctl-ng.

It may be too late to fix the issue for you, but maybe this helps others looking around.
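The thread touches two places a PaX marking can live: the PT_PAX_FLAGS program header that paxctl writes into the ELF itself (which is what fails above), and the user.pax.flags extended attribute that xattr-based tools such as paxctl-ng set. Both can be inspected without either tool. The Python script below is an added example, not code from the thread, from paxctl or from Gentoo. The PT_PAX_FLAGS type value and the flag bits are taken from PaX's elf.h; the sample ELF it builds is constructed test data (a PT_PHDR entry, which is program-header type 6 as in the error message above, plus one PT_LOAD); `inspect`, `build_sample_elf` and the other function names are hypothetical helper names.

```python
"""Report PaX markings on an ELF binary from both locations:
the PT_PAX_FLAGS program header and the user.pax.flags xattr.
Added example with hypothetical helper names; not part of paxctl."""
import os
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, as defined in PaX's elf.h

# p_flags bits of a PT_PAX_FLAGS entry (PaX's elf.h): (on letter, on bit, off letter, off bit)
PAX_BITS = [
    ("P", 1 << 4, "p", 1 << 5),    # PAGEEXEC
    ("E", 1 << 12, "e", 1 << 13),  # EMUTRAMP
    ("M", 1 << 8, "m", 1 << 9),    # MPROTECT
    ("R", 1 << 14, "r", 1 << 15),  # RANDMMAP
    ("X", 1 << 10, "x", 1 << 11),  # RANDEXEC (deprecated, kept for completeness)
    ("S", 1 << 6, "s", 1 << 7),    # SEGMEXEC
]


def parse_program_headers(data):
    """Return [(p_type, p_flags), ...] for an ELF32 or ELF64 image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian = data[4], data[5]
    end = "<" if endian == 1 else ">"
    if elf_class == 2:  # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, type_idx, flags_idx = end + "IIQQQQQQ", 0, 1
    elif elf_class == 1:  # ELFCLASS32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1c)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2a)
        phdr_fmt, type_idx, flags_idx = end + "IIIIIIII", 0, 6
    else:
        raise ValueError("unknown ELF class")
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        headers.append((fields[type_idx], fields[flags_idx]))
    return headers


def decode_pax_flags(p_flags):
    """One letter per feature: upper case = enabled, lower case = disabled, '-' = unset."""
    out = ""
    for on_ch, on_bit, off_ch, off_bit in PAX_BITS:
        out += on_ch if p_flags & on_bit else (off_ch if p_flags & off_bit else "-")
    return out


def header_markings(data):
    """Decoded PT_PAX_FLAGS marking, or None when the ELF carries no such header."""
    for p_type, p_flags in parse_program_headers(data):
        if p_type == PT_PAX_FLAGS:
            return decode_pax_flags(p_flags)
    return None


def xattr_markings(path):
    """The user.pax.flags xattr as a string, or None if absent or unsupported here."""
    try:
        return os.getxattr(path, "user.pax.flags").decode()
    except (OSError, AttributeError):
        return None


def inspect(path):
    """Report both marking locations for a binary on disk."""
    with open(path, "rb") as f:
        data = f.read()
    return {"header": header_markings(data), "xattr": xattr_markings(path)}


def build_sample_elf(pax_flags=None):
    """Constructed, non-runnable 64-bit ELF image for demonstration: a PT_PHDR entry
    (type 6), one PT_LOAD, and optionally a PT_PAX_FLAGS entry with the given bits."""
    phdrs = [(6, 4, 64, 0x400040, 0x400040, 0, 0, 8),       # PT_PHDR, readable
             (1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]   # PT_LOAD, R+X
    if pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0))
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 62, 1, 0x400078, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(inspect(sys.argv[1]))
    else:
        # Same marking the thread tries to apply with "paxctl -me": MPROTECT off, EMUTRAMP on
        print(header_markings(build_sample_elf((1 << 9) | (1 << 12))))  # -Em---
```

Run it with a path to see both locations for a real binary; a result like `{"header": None, "xattr": "me"}` means the file is marked only the xattr way. Which location a hardened kernel honours depends on how it was configured (the CONFIG_PAX_PT_PAX_FLAGS and CONFIG_PAX_XATTR_PAX_FLAGS kernel options), so a marking in the wrong place is silently ignored.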
