[wip] nodejs: building and paxmarking mksnapshot in preBuild #20727
Conversation
|
@spacekitteh, thanks for your PR! By analyzing the history of the files in this pull request, we identified @gilligan, @vcunat and @FRidh to be potential reviewers. |
|
I do not have the slightest idea what this is about. Could someone elaborate a bit for me? |
|
@gilligan, when building nodejs on a grsec/pax-enabled kernel, one of the steps builds and uses something called "mksnapshot", idk what it does, but it executes runtime-created code. PaX has a feature which prevents writable memory from being executed after program start, unless a flag is set on the binary. This patch first builds the mksnapshot binary, then sets the appropriate flag, and continues with the rest of the build. |
| @@ -48,6 +48,9 @@ in | |||
| preBuild = optionalString stdenv.isDarwin '' | |||
| sed -i -e "s|tr1/type_traits|type_traits|g" \ | |||
| -e "s|std::tr1|std|" src/util.h | |||
| '' + '' | |||
| make -j${NIX_BUILD_CORES} -l${NIX_BUILD_CORES} -C $out mksnapshot | |||
There was a problem hiding this comment.
Is there a principled way to do this? Like, properly calling make? (Also, undefined vars. I gotta change this to the nix vars.)
There was a problem hiding this comment.
Apparently I need to include makeFlags.
There was a problem hiding this comment.
I don't think there's a way, except to copy and edit that line from stdenv or similar.
There was a problem hiding this comment.
Yeah, that's what I was doing. Dangit.
|
Can anyone fix this by any chance? I don't have the time currently and it's stopping me from upgrading my system :( |
|
Turns out it's v8 that has to be paxmarked, not nodejs. |
Motivation for this change
Can't build on grsec kernels 'cus MPROTECT violation for mksnapshot.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)