USE=hardened breaks XOrg server

[setagllib]

Is this normal? I have two Gentoo rigs here, both with hardened in USE, and on neither of them did the XOrg server work (a duplicate symbol, __i686.get_pc_thunk.bx, in libbitmap.a), but removing hardened allowed one end to work (the other needs every drop of security it can get).

Does this only happen if you compile xorg-x11 with hardened, or do glibc and/or gcc affect it? I still want more security (short of running NetBSD again, which I've found to be too inconvenient without nvidia drivers) but living without X these days is pretty tough.

By the way, this is a great set of forums, I can see why Gentoo gets all the attention and progress it does. Keep it up all.

[curtis119]

There is a well known bug in the module loader that is causing this problem on hardened systems (if this is the same problem). There are several workarounds for it described in the bug report:

http://bugs.gentoo.org/show_bug.cgi?id=43177

Basically it boils down to X module loader not being able to be built with -pie and -pic (the bug report is looong so I may be wrong about these details). You can manually patch xorg-x11-6.8.0 to make it work but the latest version has this fix already included. xorg-x11-6.8.0-r4. This version is hard masked at the moment but *should* work. It also requires the masked version of opengl-update.
To emerge a hard masked package put it in your /etc/portage/package.unmask file(if you don't have this file just create it):

Code: Select all

=x11-base/opengl-update-2.0_pre1
=xorg-x11-6.8.0-r4

and then

Code: Select all

emerge =x11-base/xorg-x11-6.8.0-r4

This should allow use of the nvidia driver.
-------

Another option is to build xorg statically, this way you don't have to use the hard masked version of xorg which is ALWAYS preferable.

Code: Select all

USE="static" emerge xorg-x11

I'm not sure if this will preclude using the nvidia driver or not but it's worth a try.

The official how to for hardened xorg is here:
http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml

you can get more help on the irc channel on freenode (www.freenode.org): #gentoo-hardened

The devs there should be able to explain this in more detail and confirm/refute what I have stated here.

Good Luck!

[dbw6993]

Is anyone else experiencing the libbitmap.a duplicate symbols issue who is NOT running a hardened setup? I noticed gcc was included in my last world update, but I have confirmed it was not emerged with the hardened USE flag. Has something in gcc changed that is causing this Xorg issue for everyone?

[tuxmin]

The main point of the hardened profile is that your toolchain (binutils, gcc, glibc) provides transparent support for stack smashing protection (SSP), position independant code (PIC) and position independant executables (PIE).
There are some apps that won't work with this, e.g. xorg. But I thought the hardened profile takes care of this.
You might want to recompile your whole system using the hardened profile and then use chpax to disable all PaX features on xorg if you use a grsec kernel.
Even better, emerge "rc-update -a chpax" and let Gentoo do the work for you.

Read here for details.


Hth, Alex!!!

[saber850]

Is anyone else experiencing the libbitmap.a duplicate symbols issue who is NOT running a hardened setup?

I am running into this now. xorg-x11-6.8.2-r2 was available some time ago (via emerge -up world) so I emerged it. But since I haven't rebooted my machine until today (thanks to my baby's curiosity w/ the reset button), I'm experiencing this error for the first time now.

I am not running the hardened setup (of gentoo, xorg, nor gcc).
My CFLAGS does contain "-DPIC -fPIC" (among other things).

The snippet from /var/log/Xorg.0.log is:

Code: Select all

(II) Loader running on linux
(II) LoadModule: "bitmap"
(II) Loading /usr/lib/modules/fonts/libbitmap.a
Duplicate symbol __i686.get_pc_thunk.bx in /usr/lib/modules/fonts/libbitmap.a:bitmapmod.o
Also defined in /usr/lib/modules/fonts/libbitmap.a

Fatal server error:
Module load failure

I'd appreciate any suggestions.

[neves]

I don't use hardened and after emergeing the last version of xorg, it started to fail with this error. My solution was to recompile xorg without the -fPIC flag.

[saber850]

I don't use hardened and after emergeing the last version of xorg, it started to fail with this error. My solution was to recompile xorg without the -fPIC flag.

Thanks for the response.
I followed another suggestion which was to emerge with USE="dlloader" and that seemed to work.

[kramerkeller]

guys I have my CFLAGS set to -02 -march=pentium -fomit-frame-pointer

I don't have the fPIC flag, but when reemerging xorg (I am doing it with USE static? Hoping) I can see on the screen as it is scrolling down forever - a number of times I can see fPIC. So I don't know if that is my deal. I followed directions in gentoo handbook for new use flags. I did the newuse thing, dep clean, and dev-update or sometihng. THe point is I thought I was basically recompiling without the use flag hardened and I would be able to load the module finally without the above error you guys and I have been getting. However, still no go. I am HUGE newb. I need absolute direction - like what commands to type in. Gentoo has been great I can do tons of stuff, but my x server is down. (never had it working) If any of you can help me out that would be great. It looks like many of you have had the same frustration. Oh and what woudl the dllloader do? Should I do that even if I don't have hardened. Can I remove any trace ofr hardened. And is fPiC on mine even though its not any of my flags.

[saber850]

What error(s) are you getting in /var/log/Xorg.0.log?
Did you try recompiling xorg-x11 with USE="dlloader"? Note that this is on the cmd line so it's used in combination to whatever you have in /etc/make.conf. ie:

Code: Select all

~ $ USE="dlloader" emerge -av xorg-x11

Also, after re-compiling xorg, you should re-compile nvidia-kernel and nvidia-glx.
And after that, you may have to unload & reload the nvidia module via modprobe (or simply reboot).
I re-compiled xorg-x11 several times trying to fix this problem simply because my older nvidia driver was still loaded.

[kramerkeller]

I did the above USE="static" emerge xorg-x11. I had another post with 63 replys and over 1800 views and here is where I found the answer. LOL, I am using the vesa driver. I will do nvidia later, but now I am so happy after waiting 2 weeks. I have learned so much. It works, I am writing from KDe in Konqueror, I have yet to get firefox and stuff. What does USE="static" emerge xorg-x11 do? I seemed to fix everything. SOmetimes my monitor does something funny, but after I use nvidia and get everything set better in org file WHICH I NOW KNOW VERY WELL I am sure things will be fine. SO thanks and any explanation on USE="static" emerge xorg-x11 would be great.

[saber850]

I'm glad it's working for you.

What does USE="static" emerge xorg-x11 do?

That causes X to be linked statically--that is, not to dynamically load shared objects.
The nVidia driver should be easy; I never had a problem w/ it.

Good luck!

[PGDubbin]

I'm having this same issue now as well...

how will

Code: Select all

#USE="static" emerge xorg-x11

effect:

Code: Select all

#emerge --update --deep --newuse world
#emerge -p --depclean
#revdep-rebuild

....or will it not effect anything?

The reason I ask is because I'm working on a fresh gentoo install, I modifed all my USE flags, then checked the Handbook for x86 and that's what it suggested to run after the USE flags were defined to actually..well.."use" them.

[saber850]

I'm having this same issue now as well...

That's odd; I haven't had the issue in a long time. I never used USE="static", and I was able to omit USE="dlloader" too. For me, xorg and the nvidia drivers build straight up now.
My USE flags which affect xorg are: bitmap-fonts font-server mmx nls opengl pam sse truetype-fonts type1-fonts xv.
And in particular, xorg-x11 builds w/out static or dlloader.

how will

Code: Select all

#USE="static" emerge xorg-x11

effect:

Code: Select all

#emerge --update --deep --newuse world
#emerge -p --depclean
#revdep-rebuild

....or will it not effect anything?

Not sure if it will affect anything. I'd build the system w/out it and only use it if you have problems.
If you're going to employ USE="static" for xorg-x11, you should put it in /etc/portage/package.use.

[PGDubbin]

Interestingly enough, I emerged with the USE="static" ...and fancy that - I'm replying to this post in fluxbox

when I insert a USE flag into /usr/portage/package.use that USE flag will only effect the package it's listed for, whereas make.conf does it for all packages...is this correct?

also, that file doesn't exist on my system, how i I properly add information to it once I create it?

(I'm learning here...)

[saber850]

Interestingly enough, I emerged with the USE="static" ...and fancy that - I'm replying to this post in fluxbox

Glad to hear it.

when I insert a USE flag into /usr/portage/package.use that USE flag will only effect the package it's listed for, whereas make.conf does it for all packages...is this correct?

Yes. That's one reason it's important to list package-specific flags in /etc/portage/package.use:
1. You do not want to specify certain USE flags for the entire system. ('static' is one of them.)
2. Specifying it on the command line (ie. USE="static" emerge -av xorg-x11) will not be remembered. So if you need (or really want) this USE flag and xorg-x11 has an update, you'll have to remember to specify the USE flag on the command line each time you build that package. It becomes a PITA--precisely what free software aims to overcome.

also, that file doesn't exist on my system, how i I properly add information to it once I create it?
(I'm learning here...)

Search the emerge man page (man emerge) for some general guidance.
The portage man page describes the files in more detail including syntax and examples.
For your case:

Code: Select all

x11-base/xorg-x11 static

[PGDubbin]

done and done...

thanks a bunch...I've ran gentoo now for like 3 years or so...so I'm *somewhat* familure with navigating my way around, but i decided to rebuild my system from the ground up, bootstrap the install, and start running it a bit more streamline. Needless to say, its taking forever to get back running 100%, but, my computer is hauling some major ass vs before, and I've probably learned more in the past 7 days then all of last year

[homry]

That's odd; I haven't had the issue in a long time.

just as an information from another user. this problem seems to exist further on. i just did an

Code: Select all

emerge --newuse world

for the first time with the "hardened"flag and got this error for the first time.

I never used USE="static", and I was able to omit USE="dlloader" too.

i will try, due to a couple of positive responses, to recompile xorg with USE=static, but i would be interested in a statement what is better to use. i do not have enough knowledge or experience to decide what is better to use. static or dlloader?

homry

[homry]

unfortunetly, nothing help. neither USE=static, nor USE=dlload . with dlload i get the same error message and with static i get no error message, but the screen remains black and nothing works anymore except pulling the plug. i will try re-emerging xorg now with USE=-hardened =>/edit: ....which has no effect at all. xorg do not care about that flag. i will have to remove the hardened-flag from make.conf to get a working X at least.

homry

[saber850]

i will try, due to a couple of positive responses, to recompile xorg with USE=static, but i would be interested in a statement what is better to use. i do not have enough knowledge or experience to decide what is better to use. static or dlloader?

Unless you have a specific need or problem, it's ideal not to use either static or dlloader.
I'm not sure which version you're using which is causing these problems. I'm using xorg-x11-6.8.2-r6 if it helps.
Here's the verbose output from emerge -pv xorg-x11:

Code: Select all

[ebuild   R   ] x11-base/xorg-x11-6.8.2-r6  -3dfx -3dnow +bitmap-fonts -cjk -debug -dlloader -dmx -doc +font-server -insecure-drivers -ipv6 -minimal +mmx +nls -nocxx +opengl +pam -sdk +sse -static +truetype-fonts +type1-fonts (-uclibc) -xprint +xv 0 kB

[homry]

as i said in my first posting, since i used the hardened-flag my x-server won't start anymore. so i searched the board and found this thread. so i did have a specific reason or problem. the problem is that neither the static-flag nor the dlloader-flag helped. so i ended up re-emergeing without the hardened-flag my glibc,gcc, etc. and re-emerged xorg. it is working now, but without the hardened-flag of course.

homry

[ali3nx]

USE="hardened" with xorg requires both pic and dlloader flags or hardening will not work properly. All three flags must be set globally in make.conf and any and all affected applications recompiled so pic code is built. After which everything should work just peachy. I've played quake4 on hardened amd64 gentoo and the framerates are still very respectable.

[saber850]

USE="hardened" with xorg requires both pic and dlloader flags or hardening will not work properly. All three flags must be set globally in make.conf and any and all affected applications recompiled so pic code is built. After which everything should work just peachy.

~18 months ago I enabled the PIC flag and rebuilt one of my Gentoo systems. With the PIC flag enabled, I would periodically run into build problems w/ some packages. After ~ 3-4 months of problems (albeit relatively infrequent) which were caused by the PIC flag (as suggested on Gentoo's forums and confirmed by a rebuild), I followed several suggestions to leave the PIC flag out. None of my Gentoo systems currently use the PIC flag.
Although this experience was a while ago, the popular vote was to stay away from enabling the PIC flag globally.