A recent 10.2-STABLE no longer builds on a no-exec /usr/src file system

Mark Martinec Mark.Martinec+freebsd at ijs.si
Fri Jan 15 02:58:22 UTC 2016 

On 2016-01-14 23:13, Bryan Drewery wrote:
> Where / What is the error?
> 
> The only example here was fixed in November.

Here is how a fresh svn checkout on a 10-stable
fails in make buildworld when /usr/src is noexec :


CC='cc ' mkdep -f .depend.getprotoent_test -a    
-I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd 
-I/usr/src/contrib/netbsd-tests -std=gnu99   
/usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a  
/usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >> 
.depend.getprotoent_test
(cd /usr/src/lib/libc/tests/net &&  NO_SUBDIR=1 make -f 
/usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS=  
PROG=ether_aton_test  DEPENDFILE=.depend.ether_aton_test 
.MAKE.DEPENDFILE=.depend.ether_aton_test   depend)
/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr 
/usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
make[7]: exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr) 
failed (Permission denied)
*** Error code 1

Stop.
make[7]: stopped in /usr/src/lib/libc/tests/net
*** Error code 1

Stop.
make[6]: stopped in /usr/src/lib/libc/tests/net
*** Error code 1

Stop.
make[5]: stopped in /usr/src/lib/libc/tests
*** Error code 1

Stop.
make[4]: stopped in /usr/src/lib/libc
*** Error code 1

Stop.
make[3]: stopped in /usr/src/lib
*** Error code 1
[...]


The net/gen_ether_subr looks like the same culprit as reported
in 2015-11-26.

Actually ... it seems that taking out the WITH_TESTS="yes" from
/etc/make.conf avoids the problem - although this was not necessary
in 10.2-RELEASE, as far as I can tell.


   Mark



> On 1/14/2016 7:42 AM, Mark Martinec wrote:
>> Prompted by recent security advisories I did a 'make buildworld'
>> on a fresh svn checkout, only to find out that it seems the 'exec'
>> mount flag on /usr/src is still required for a successful build.
>> 
>> This wasn't so for 10.2, and I hope it won't become a requirement
>> in 10.3 - or at least it should be clearly documented in release 
>> notes.
>> 
>>   Mark
>> 
>> 
>> On 2015-12-07 16:35, Mark Martinec wrote:
>>> So, is this a new state of affairs that /usr/src file system
>>> needs to be mounted exec in order for buildworld to succeed,
>>> or is this an unintended change and I should file a bug report?
>>> 
>>>   Mark
>>> 
>>> 
>>> On 2015-11-26 19:44, Miroslav Lachman wrote:
>>>> Mark Martinec wrote on 11/26/2015 19:31:
>>>>> Up to about a week ago building world on FreeBSD 10.2-STABLE went
>>>>> just fine. Today after svn update the build fails:
>>>>> 
>>>>> 
>>>>> # make buildworld
>>>>> [...]
>>>>> 
>>>>> CC='cc ' mkdep -f .depend.getprotoent_test -a
>>>>> -I/usr/src/lib/libc/tests/net -I/usr/src/lib/libnetbsd
>>>>> -I/usr/src/contrib/netbsd-tests -std=gnu99
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/t_getprotoent.c
>>>>> echo getprotoent_test: /usr/obj/usr/src/tmp/usr/lib/libc.a
>>>>> /usr/obj/usr/src/tmp/usr/lib/private/libatf-c.a >>
>>>>> .depend.getprotoent_test
>>>>> (cd /usr/src/lib/libc/tests/net && make -f
>>>>> /usr/src/lib/libc/tests/net/Makefile _RECURSING_PROGS=  SUBDIR=
>>>>> PROG=ether_aton_test  DEPENDFILE=.depend.ether_aton_test
>>>>> .MAKE.DEPENDFILE=.depend.ether_aton_test   depend)
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> /usr/src/sys/net/if_ethersubr.c aton_ether_subr.c
>>>>> make[7]:
>>>>> exec(/usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr)
>>>>> failed (Permission denied)
>>>>> *** Error code 1
>>>>> 
>>>>> Stop.
>>>>> make[7]: stopped in /usr/src/lib/libc/tests/net
>>>>> *** Error code 1
>>>>> 
>>>>> 
>>>>> It turns out that our file system /usr/src had an "exec" flag
>>>>> turned off, so now running a command:
>>>>>    /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> fails with "Permission denied".
>>>>> 
>>>>> It would be valuable if building a system on an exec-protected
>>>>> src file system would continue to be possible.
>>>>> 
>>>>> Not sure if the
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> is the only such new command breaking the build. Anyway, a simple
>>>>> workaround is to run shell from a command line instead of as a
>>>>> shebang, i.e.:
>>>>> 
>>>>>    # /bin/sh 
>>>>> /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>>> 
>>>>> instead of:
>>>>> 
>>>>>    # /usr/src/contrib/netbsd-tests/lib/libc/net/gen_ether_subr
>>>> 
>>>> I was puzzled by similar thing years ago. I was using /var/db and 
>>>> /tmp
>>>> mounted with noexec. And then there was some changes. Ports need
>>>> /var/db with exec because of some script in /var/db/pkg and /tmp 
>>>> must
>>>> have exec too for buildworld or installworld (I don't remember it
>>>> well, now I always do mount -u -o current,exec /tmp before build +
>>>> install world and kernel)
>>>> 
>>>> Anyway - it would be better to not have these partitions mounted 
>>>> with
>>>> exec.
>>>>

More information about the freebsd-stable mailing list