[wip] nodejs: building and paxmarking mksnapshot in preBuild #20727
@spacekitteh, thanks for your PR! By analyzing the history of the files in this pull request, we identified @gilligan, @vcunat and @FRidh to be potential reviewers.
I do not have the slightest idea what this is about. Could someone elaborate a bit for me?
@gilligan, when building nodejs on a grsec/pax-enabled kernel, one of the steps builds and uses something called "mksnapshot", idk what it does, but it executes runtime-created code. PaX has a feature which prevents writable memory from being executed after program start, unless a flag is set on the binary. This patch first builds the mksnapshot binary, then sets the appropriate flag, and continues with the rest of the build.
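The restriction described in the comment above can be observed with a small probe. This is an added example, not code from this PR, nixpkgs or PaX: it maps a page read/write and asks the kernel to switch it to read/execute, the transition a program running runtime-created code needs. The names `probe_rw_to_rx`, `wx_result` and `wx_describe` are made up for the example, and treating `EACCES`/`EPERM` as a policy denial is an assumption.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names for this example; not part of nixpkgs, node or PaX. */
enum wx_result { WX_ALLOWED, WX_DENIED, WX_ERROR };

/* Map one anonymous page read/write, dirty it, then request read/execute.
 * Nothing is ever executed from the page; only the permission change is
 * tested. *err receives 0 on success or the errno of the failing call. */
enum wx_result probe_rw_to_rx(int *err)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) { *err = errno; return WX_ERROR; }

    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { *err = errno; return WX_ERROR; }

    memset(p, 0xCC, (size_t)page);   /* the page has now been written to */
    int rc = mprotect(p, (size_t)page, PROT_READ | PROT_EXEC);
    *err = (rc == 0) ? 0 : errno;
    munmap(p, (size_t)page);

    if (rc == 0) return WX_ALLOWED;
    /* Assumption: a policy refusal surfaces as EACCES or EPERM. */
    return (*err == EACCES || *err == EPERM) ? WX_DENIED : WX_ERROR;
}

const char *wx_describe(enum wx_result r)
{
    switch (r) {
    case WX_ALLOWED: return "writable->executable allowed (no MPROTECT-style restriction here)";
    case WX_DENIED:  return "writable->executable denied (binary would need an exemption)";
    default:         return "probe failed for an unrelated reason";
    }
}

int main(void)
{
    int err = 0;
    enum wx_result r = probe_rw_to_rx(&err);
    printf("%s", wx_describe(r));
    if (err) printf(" [errno: %s]", strerror(err));
    putchar('\n');
    return (int)r;   /* exit status 0 = allowed, 1 = denied, 2 = error */
}
```

The result reflects the flags on the probe binary itself, so a marked copy can report "allowed" on the same kernel where an unmarked copy is denied.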
@@ -48,6 +48,9 @@ in | |||
preBuild = optionalString stdenv.isDarwin '' | |||
sed -i -e "s|tr1/type_traits|type_traits|g" \ | |||
-e "s|std::tr1|std|" src/util.h | |||
'' + '' | |||
make -j${NIX_BUILD_CORES} -l${NIX_BUILD_CORES} -C $out mksnapshot |
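Review bot: on the added `make` line, `${NIX_BUILD_CORES}` sits inside a Nix `''` string, so Nix treats it as antiquotation and evaluation fails unless a Nix variable of that name is in scope; write `$NIX_BUILD_CORES` or escape it as `''${NIX_BUILD_CORES}` so the shell expands it at build time. `-C $out` also points make at the install prefix, which is not where the build tree lives during preBuild, so the directory argument needs to be the build directory instead. Because the `+` appends this step on every platform rather than only in the Darwin branch above it, consider restricting it to Linux, where PaX marking is relevant.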
Is there a principled way to do this? Like, properly calling make? (Also, undefined vars. I gotta change this to the nix vars.)
Apparently I need to include makeFlags.
I don't think there's a way, except to copy and edit that line from stdenv or similar.
Yeah, that's what I was doing. Dangit.
Can anyone fix this by any chance? I don't have the time currently and it's stopping me from upgrading my system :(
Turns out it's v8 that has to be paxmarked, not nodejs.
Motivation for this change
Can't build on grsec kernels 'cus MPROTECT violation for mksnapshot.
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)