{"id":6,"date":"2006-10-20T07:54:44","date_gmt":"2006-10-14T05:54:16","guid":{"rendered":""},"modified":"2017-03-07T16:01:55","modified_gmt":"2017-03-07T16:01:55","slug":"hardened-and-xen-tools","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/aross\/2006\/10\/20\/hardened-and-xen-tools\/","title":{"rendered":"Danger, Will Robinson! Hardened and xen-tools-3.0.2-r4"},"content":{"rendered":"<p>The motive for my <a href=\"http:\/\/planet.gentoo.org\/developers\/aross\/2006\/10\/07\/elog-no-excuses\">previous post<\/a> is about to be revealed &#8211; I&#8217;ve just committed <a href=\"http:\/\/sources.gentoo.org\/viewcvs.py\/gentoo-x86\/app-emulation\/xen-tools\/ChangeLog?rev=1.18&amp;view=markup\">app-emulation\/xen-tools-3.0.2-r4<\/a>, as <code>~x86<\/code>\/<code>~amd64<\/code>, and hardened users should heed the ebuild&#8217;s warning:<\/p>\n<blockquote><p>\nxend may not work when python is built with stack smashing protection (ssp). If &#8216;xm create&#8217; fails with &#8216;&lt;ProtocolError for \/RPC2: -1 &gt;&#8217;, see bug #141866\n<\/p><\/blockquote>\n<p>While -r4 includes fixes for <a href=\"http:\/\/bugs.gentoo.org\/buglist.cgi?query_format=advanced&amp;short_desc_type=allwordssubstr&amp;short_desc=&amp;long_desc_type=substring&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=allwordssubstr&amp;status_whiteboard=&amp;keywords_type=allwords&amp;keywords=&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;bug_status=RESOLVED&amp;emailtype1=exact&amp;email1=&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=137137%2C148628%2C149138%2C151014%2C144057%2C143999%2C148486%2C147876%2151014&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=Reuse+same+sort+as+last+time&amp;field0-0-0=bug_id&amp;type0-0-0=anyexact&amp;value0-0-0=\">quite a few bugs<\/a>, for those using a hardened profile the biggest change is a relaxation of the 
restriction I introduced in -r3 to combat <a href=\"http:\/\/bugs.gentoo.org\/show_bug.cgi?id=141866\">bug #141866 (RPC Protocol Error with xen-tools and hardened profile)<\/a>.<\/p>\n<p>In response to this bug I made -r3 die if python was built with <a href=\"http:\/\/www.research.ibm.com\/trl\/projects\/security\/ssp\/\">SSP<\/a>, since it appeared that everyone using xen with a hardened profile was having the same problem. However, after -r3 hit the tree <a href=\"http:\/\/bugs.gentoo.org\/show_bug.cgi?id=141866#c5\">some<\/a> <a href=\"http:\/\/bugs.gentoo.org\/show_bug.cgi?id=141866#c8\">users<\/a> <a href=\"http:\/\/bugs.gentoo.org\/show_bug.cgi?id=141866#c9\">reported<\/a> that they were unaffected by this problem, hence the relaxation in -r4.<\/p>\n<p>If you&#8217;re using xen on a hardened system please test xen-tools-3.0.2-r4 and let me know (via the <a href=\"http:\/\/bugs.gentoo.org\/show_bug.cgi?id=141866\">above-mentioned bug<\/a>) if your &#8216;xm create&#8217; fails with &#8216;&lt;ProtocolError for \/RPC2: -1 &gt;&#8217; or not.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The motive for my previous post is about to be revealed &#8211; I&#8217;ve just committed app-emulation\/xen-tools-3.0.2-r4, as ~x86\/~amd64, and hardened users should heed the ebuild&#8217;s warning: xend may not work when python is built with stack smashing protection (ssp). 
If &#8216;xm create&#8217; fails with &#8216;&lt;ProtocolError for \/RPC2: -1 &gt;&#8217;, see bug #141866 While -r4 includes &hellip; <a href=\"https:\/\/blogs.gentoo.org\/aross\/2006\/10\/20\/hardened-and-xen-tools\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Danger, Will Robinson! Hardened and xen-tools-3.0.2-r4<\/span><\/a><\/p>\n","protected":false},"author":52,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,4],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/posts\/6"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":1,"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"predecessor-version":[{"id":8,"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/posts\/6\/revisions\/8"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/aross\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}