From 29fc2f5a1fa7345707bf59514cdba58eb5a9b9c1 Mon Sep 17 00:00:00 2001
From: Wang Xuerui
Date: Sat, 30 Dec 2017 17:24:11 +0800
Subject: [PATCH] Allow running on PaX kernels

`ruby` needs the PaX MPROTECT flag disabled to run on PaX-enabled systems because of JIT. Mark it as such.
---
 assets/build/install.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/assets/build/install.sh b/assets/build/install.sh
index 5c40ab36c..76396d598 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -42,6 +42,11 @@ cd -
 rm -rf /tmp/re2
 DEBIAN_FRONTEND=noninteractive apt-get purge -y --auto-remove checkinstall
+# PaX-mark ruby
+# Applying the mark late here does make the build usable on PaX kernels, but
+# still the build itself must be executed on a non-PaX kernel. It's done here
+# only for simplicity.
+paxctl -Cm `which ruby${RUBY_VERSION}`
 # https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js
 paxctl -Cm `which nodejs`
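Review bot: The added `paxctl -Cm` line applies the mark to whatever the unquoted backtick `which ruby${RUBY_VERSION}` substitution expands to, with no check that the lookup resolved. If it comes back empty, paxctl is called without a file, and whether that stops the build depends on error handling set outside this hunk. Because `-m` turns off MPROTECT for every process started from that binary, I would resolve and verify the target first: `ruby_bin=$(command -v "ruby${RUBY_VERSION}")` followed by `paxctl -Cm "${ruby_bin:?ruby${RUBY_VERSION} not found}"`. The comment block could also record the trade-off in one line, such as `# -m exempts this binary from PaX MPROTECT (W^X enforcement); keep the exemption limited to the interpreters that need it`. The existing nodejs line just below uses the same unquoted `which` pattern and would benefit from the same treatment.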