Lisp (SBCL) on Hardened Gentoo

2008-06-20 23:07:16 PST


My server, mindstab.net, runs Hardened Gentoo. I like it. It provides nice features from grsecurity and PaX, like address-space randomization and writable memory that is not executable. However, it really doesn't get along so well with Lisp. Lisp implementations in general want memory that is both writable and executable, and SBCL at least also doesn't tolerate a randomized memory layout. So it took a bit of work to get Lisp onto my server.

Approach 1: Failure
I spent a bunch of time trying to patch the build process in portage to coax SBCL into building. First, of course, I used gcc-config to switch from the hardened gcc profile to the vanilla one. Then I created a suid root shell script that calls "paxctl -m -p -r -e $1", so that the sandboxed build process could disable PaX features on the SBCL binaries. I added the command to the ebuild and wrote a patch to insert the same call into SBCL's own build process. The process goes like this: portage downloads the SBCL source and a pre-compiled SBCL binary. The patched ebuild calls my suid root script to disable PaX on the pre-compiled binary so that it actually runs (instead of crashing under PaX); then a new SBCL binary is built from the source, and the pre-compiled binary builds a core file from the SBCL Lisp source. The patched make.sh again calls the suid root script on the new binary so that it will run too. The new binary should then load the new core and recompile the system for itself. Sadly, while it does at least run, it chokes on the core file and hangs at 100% CPU. I couldn't get past this, so I eventually gave up. If anyone has any suggestions, that'd be great.

Approach 2: Success
So the actual solution was as follows: download the most recent precompiled SBCL binary from the website (1.0.15 for x86), run "paxctl -p -e -m -r -x -s" on src/runtime/sbcl (the lower-case flags disable PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC and SEGMEXEC respectively, so this covers all the bases), then run "sh install.sh" to install SBCL to /usr/local. That's it.

The problem with this is that you can't emerge Lisp packages from portage; you have to install them by hand (unless maybe you want to fake-inject the package into the portage database).

I downloaded a copy of SLIME, untarred it, pointed my .emacs at it, and I had a full Lisp environment ready to go, on my hardened machine no less. Not so bad.
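The "Approach 2" procedure above, written out as an added example script so each step can be run or checked on its own (this is not the post's own script). It assumes the official binary tarball is named sbcl-<version>-<arch>-linux-binary.tar.bz2 and unpacks into sbcl-<version>-<arch>-linux, that the download base URL below is right (it is an assumption; adjust it), and that install.sh honours INSTALL_ROOT, defaulting to /usr/local, as it does in the SBCL tree. Two practitioner notes: if the downloaded runtime has no PT_PAX_FLAGS program header, paxctl refuses to mark it, and the -c option converts PT_GNU_STACK into PT_PAX_FLAGS first, so the script retries with it; and the marked runtime then runs with every PaX protection off, and anything SBCL loads or compiles runs inside that unprotected process, so this is a per-binary exception, not a fix.

```shell
#!/bin/sh
# Added example, not the post's own script: the "Approach 2" procedure as
# functions, so each step can be run or checked separately.
# Assumptions (not stated on the page): tarball and directory naming,
# the download base URL, and install.sh honouring INSTALL_ROOT.

set -eu

SBCL_URL_BASE=${SBCL_URL_BASE:-http://downloads.sourceforge.net/sbcl}  # assumed

# Lower-case paxctl flags disable a feature: -p PAGEEXEC, -e EMUTRAMP,
# -m MPROTECT, -r RANDMMAP, -x RANDEXEC, -s SEGMEXEC.
PAX_DISABLE_FLAGS='-p -e -m -r -x -s'

# Name of the binary release tarball for a version/arch pair (assumed scheme).
sbcl_tarball_name() {
    printf 'sbcl-%s-%s-linux-binary.tar.bz2\n' "$1" "$2"
}

# Directory that tarball unpacks into (assumed scheme).
sbcl_tree_name() {
    printf 'sbcl-%s-%s-linux\n' "$1" "$2"
}

# Clear every PaX flag on one ELF file. A binary without a PT_PAX_FLAGS
# program header cannot be marked directly; -c converts PT_GNU_STACK into
# PT_PAX_FLAGS, so retry with it if the plain marking fails.
pax_disable_all() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "pax_disable_all: no such file: $bin" >&2
        return 1
    fi
    # flags are intentionally word-split
    paxctl $PAX_DISABLE_FLAGS "$bin" 2>/dev/null \
        || paxctl -c $PAX_DISABLE_FLAGS "$bin"
}

# Show the resulting flags so the change can be verified before installing.
pax_show() {
    paxctl -v "$1"
}

# Fetch (if needed), unpack, mark the runtime, and install under /usr/local.
install_sbcl_binary() {
    version=$1
    arch=$2
    tarball=$(sbcl_tarball_name "$version" "$arch")
    tree=$(sbcl_tree_name "$version" "$arch")
    [ -f "$tarball" ] || wget "$SBCL_URL_BASE/$tarball"
    tar xjf "$tarball"
    pax_disable_all "$tree/src/runtime/sbcl"
    pax_show "$tree/src/runtime/sbcl"
    (cd "$tree" && INSTALL_ROOT=/usr/local sh install.sh)
}

# Usage: sh sbcl-hardened-install.sh install [version] [arch]
case "${1:-}" in
    install) install_sbcl_binary "${2:-1.0.15}" "${3:-x86}" ;;
    *) : ;;  # no arguments: only define the functions (e.g. when sourced)
esac
```

Run it as "sh sbcl-hardened-install.sh install 1.0.15 x86" from a scratch directory; the pax_show step prints the flags paxctl actually recorded, which is the check worth doing before install.sh copies the runtime into /usr/local.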

5 Responses to “Lisp (SBCL) on Hardened Gentoo”

  1. There’s a more advanced option that might work automatically. You can use files in /etc/portage/env/$CATEGORY/$PN to do things in a package-specific manner. These are sourced by /usr/portage/profiles/base/profile.bashrc. You can use ebuild phase hooks to decide when to act, and $D is the temporary install directory. You’d probably want to do it right after src_install.

  2. Woops, the link to phase hooks vanished: http://dev.gentoo.org/~zmedico/portage/doc/portage.html#config-bashrc-ebuild-phase-hooks
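The package-specific env file that the first comment describes, as an added example (not code from the post, its commenters, or Gentoo): a file such as /etc/portage/env/dev-lisp/sbcl, sourced through profile.bashrc when that package builds, defining a post_src_install phase hook. It assumes the ebuild installs the runtime at ${D}/usr/bin/sbcl (the path is an assumption) and that paxctl is in PATH. The point worth noting over the post's approach 1: the hook runs while the files are still in the image directory ${D}, which the build user owns, and paxctl only rewrites the ELF header of that file, so no suid root helper is needed at all.

```shell
# Added example, not from the post or its commenters: a package-specific
# Portage env file (e.g. /etc/portage/env/dev-lisp/sbcl) with an ebuild
# phase hook. Assumed: the runtime lands at ${D}/usr/bin/sbcl.

# Files (relative to ${D}) whose PaX flags must be cleared before merge.
SBCL_PAX_TARGETS="usr/bin/sbcl"

# Portage provides einfo/die in the ebuild environment; define plain
# fallbacks so this file also runs on its own for testing.
if ! type einfo >/dev/null 2>&1; then einfo() { printf ' * %s\n' "$*"; }; fi
if ! type die >/dev/null 2>&1; then die() { printf '%s\n' "$*" >&2; exit 1; }; fi

# Clear every PaX flag (-p -e -m -r -x -s). Retry with -c, which converts
# PT_GNU_STACK into PT_PAX_FLAGS, when the binary carries no PaX header yet.
sbcl_pax_disable() {
    paxctl -p -e -m -r -x -s "$1" 2>/dev/null \
        || paxctl -c -p -e -m -r -x -s "$1"
}

# Ebuild phase hook: Portage calls post_src_install after the ebuild's own
# src_install. Missing targets are skipped; a paxctl failure aborts the build
# rather than merging a runtime that will crash under PaX.
post_src_install() {
    for t in ${SBCL_PAX_TARGETS}; do
        if [ -f "${D}/${t}" ]; then
            einfo "disabling PaX flags on ${t}"
            sbcl_pax_disable "${D}/${t}" || die "paxctl failed on ${t}"
        fi
    done
}
```

Because the flags live in the ELF header of the file that is merged, they survive the copy from ${D} to /, and "paxctl -v /usr/bin/sbcl" after the emerge confirms them.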

  3. Cool, thanks. That'll help on the Gentoo integration side, but I still need to figure out why the cores that the binary SBCL generates are causing the compiled SBCL to stall.

  4. Thank you for dirty hack #2, it just works and I will make great use of it =)

    I read on the Hardened mailing list that they had not heard from users wishing for Lisp support. I think Lisp users are quite busy, and they probably use this binary-only fix (not so Gentoo-ish...) or maybe some other platform to deploy their software (like Ubuntu+grsec or such). I think Hardened should not dismiss so lightly the small but strong Lispers community. Yes, they are silent, but some of them are quite influential after all.

  5. Ha, you are most welcome. I'm always glad when I can be of use.
