64 Bit Gentoo with Docker and grsecurity/PaX
This section documents the steps necessary to set up a FirefoxOS build environment on a Gentoo Linux system. It includes the steps I had to take to get a working build of Aries-L on my hardened Gentoo.
Set up Docker
Hardened Gentoo with grsecurity enforces a set of chroot restrictions (tunable under /proc/sys/kernel/grsecurity/) that Docker containers run into, for example the ones that deny creating device nodes, setting setuid/setgid bits and using abstract AF_UNIX sockets from inside a chroot. These have to be switched off on the host before an image can be pulled and run. Keep in mind that this relaxes chroot hardening for every process on the host, not only for Docker, that the values are reset at boot unless you also put them in /etc/sysctl.conf, and that if kernel.grsecurity.grsec_lock has already been set to 1 the writes fail until the next reboot. Running the following commands allowed me to pull a Docker image and run it:
VALUE=0
echo $VALUE > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo $VALUE > /proc/sys/kernel/grsecurity/chroot_deny_unix
echo $VALUE > /proc/sys/kernel/grsecurity/chroot_deny_chmod
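The same three writes as a small script, added here as an example (it is not part of the original page, nor of Docker or grsecurity): it saves the current values before relaxing the knobs so they can be restored once the build is finished, and it checks grsec_lock first so the failure mode is explicit. The GRSEC_SYSCTL_DIR and GRSEC_STATE_FILE variables and the function names are this script's own; the three sysctl names are the ones used above.

```shell
#!/bin/sh
# Added example, not from the page: relax only the grsecurity chroot knobs
# Docker needs and remember the old values so the host can be hardened again.
# GRSEC_SYSCTL_DIR / GRSEC_STATE_FILE are this script's own (assumed) overrides.
set -eu

GRSEC_SYSCTL_DIR="${GRSEC_SYSCTL_DIR:-/proc/sys/kernel/grsecurity}"
STATE_FILE="${GRSEC_STATE_FILE:-/var/tmp/grsec-docker-chroot.state}"
CHROOT_KNOBS="chroot_deny_mknod chroot_deny_unix chroot_deny_chmod"

# grsec_get NAME -> prints the current value of one knob
grsec_get() {
    cat "$GRSEC_SYSCTL_DIR/$1"
}

# grsec_set NAME VALUE -> writes the knob (fails once grsec_lock is set)
grsec_set() {
    echo "$2" > "$GRSEC_SYSCTL_DIR/$1"
}

# grsec_relax -> records the current values in STATE_FILE, then sets the
# three knobs to 0. Refuses to overwrite an existing state file so that
# running it twice cannot lose the original (hardened) values.
grsec_relax() {
    if [ -e "$STATE_FILE" ]; then
        echo "state file $STATE_FILE exists; run restore first" >&2
        return 1
    fi
    # With grsec_lock=1 every write below would fail; say so up front.
    if [ "$(grsec_get grsec_lock 2>/dev/null || echo 0)" = 1 ]; then
        echo "grsec_lock is 1: grsecurity sysctls are frozen until reboot" >&2
        return 1
    fi
    : > "$STATE_FILE"
    for knob in $CHROOT_KNOBS; do
        echo "$knob $(grsec_get "$knob")" >> "$STATE_FILE"
        grsec_set "$knob" 0
    done
}

# grsec_restore -> puts back the values saved by grsec_relax and removes
# the state file, so the host is hardened again after the build.
grsec_restore() {
    [ -r "$STATE_FILE" ] || { echo "no state file $STATE_FILE" >&2; return 1; }
    while read -r knob value; do
        grsec_set "$knob" "$value"
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# Usage (as root on the host): sh grsec-docker.sh relax   ... build ...
#                              sh grsec-docker.sh restore
case "${1:-}" in
    relax)   grsec_relax ;;
    restore) grsec_restore ;;
    "")      ;;   # no argument: only define the functions
    *)       echo "usage: $0 relax|restore" >&2; exit 2 ;;
esac
```

Run it with relax before starting Docker and with restore when the build is done; because the state file records what was actually set, a host that already had one of the knobs at 0 gets that value back, not a blanket 1.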
With those restrictions disabled, we can now pull an Ubuntu image from the Docker registry:
docker pull ubuntu:14.04
I decided to go with an Ubuntu 14.04 image, which lets us follow the MDN instructions for building on Ubuntu 14.04. Once the image has been pulled, it should be listed in the output of docker images.
To start a container from the Ubuntu image with an interactive bash shell, run:
docker run -i -t ubuntu:14.04 /bin/bash
If you are running Docker with the devicemapper storage driver (as I do), the container's root filesystem is only 10 GB, which is not enough to hold the entire FirefoxOS source tree, so the container's disk space has to be increased. I found a good article online on how to do so (linked here). The key steps are summarized in this section; follow the link above if you would like a fuller understanding.
Running df -h inside the container shows the 10 GB root filesystem:
root@76f2e0c59e39:/# df -h
Filesystem                                                                                         Size  Used Avail Use% Mounted on
/dev/mapper/docker-253:5-3801090-76f2e0c59e39df8e678f397b709daf2a9b0c8bbcbab4169e08432ff24be7d81b  9.8G  231M  9.0G   3% /
...
Unless you have changed Docker's default pool size (explained in the article), the thin pool has 100 GB of storage to hand out to all containers together. I use 50 GB for my container, so resizing the default pool should not be necessary unless the containers you want would exceed that amount in total.
Using the dmsetup tool on the host (as root), we can inspect the table of the container's device, i.e. the docker-… name that df showed above:
# dmsetup table docker-253:5-3801090-76f2e0c59e39df8e678f397b709daf2a9b0c8bbcbab4169e08432ff24be7d81b
0 20971520 thin 253:6 22
The second field is the length of the volume in 512-byte sectors: 20971520 sectors are the 10 GB seen above. Since we want 50 GB, i.e. 104857600 sectors, we load a new table with that length and resume the device:
# echo 0 104857600 thin 253:6 22 | dmsetup load docker-253:5-3801090-76f2e0c59e39df8e678f397b709daf2a9b0c8bbcbab4169e08432ff24be7d81b
# dmsetup resume docker-253:5-3801090-76f2e0c59e39df8e678f397b709daf2a9b0c8bbcbab4169e08432ff24be7d81b
Only the length should be changed; the remaining fields (the thin target, the pool device 253:6 and the thin device id 22) must be copied from your own dmsetup table output, which will differ from the example above.
Once the device has been resized, all that remains is to grow the filesystem on it with resize2fs (ext4 can be grown while mounted, so the container can keep running), after which df -h will show 50G of storage:
# resize2fs /dev/mapper/docker-253:5-3801090-76f2e0c59e39df8e678f397b709daf2a9b0c8bbcbab4169e08432ff24be7d81b
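The resize procedure as a script, added here as an example (it is not from the page, nor part of Docker): it derives the replacement table from the device's current dmsetup table and a target size in GiB, copies the pool device and thin device id unchanged, and refuses to shrink, since the filesystem step is an online grow. The function names and the argument convention are this script's own; the device name, table and sizes are the ones from the page.

```shell
#!/bin/sh
# Added example, not from the page: grow a Docker devicemapper thin volume.
# gib_to_sectors / new_thin_table / resize_thin_device are this script's own names.
set -eu

# gib_to_sectors GIB -> number of 512-byte sectors in GIB GiB
# (1 GiB = 2^30 B / 512 B = 2097152 sectors; the page's 20971520 sectors = 10 GiB)
gib_to_sectors() {
    echo $(( $1 * 2097152 ))
}

# new_thin_table "START LENGTH thin POOL DEVID" GIB -> the same table with
# LENGTH replaced by the sector count for GIB GiB. Every other field is
# copied from the input: the pool device (253:6 on the page) and the thin
# device id (22) differ per host, and a wrong value maps the container's
# root filesystem onto the wrong backing store.
new_thin_table() {
    table="$1"
    target_gib="$2"
    set -- $table            # split the table line into its fields
    if [ "$#" -lt 5 ] || [ "$3" != "thin" ]; then
        echo "not a thin target table: $table" >&2
        return 1
    fi
    start="$1"; old_len="$2"; pool="$4"; dev_id="$5"
    new_len=$(gib_to_sectors "$target_gib")
    # resize2fs on a mounted ext4 can only grow; never hand dm a shorter map
    if [ "$new_len" -lt "$old_len" ]; then
        echo "refusing to shrink $old_len -> $new_len sectors" >&2
        return 1
    fi
    echo "$start $new_len thin $pool $dev_id"
}

# resize_thin_device DM_NAME GIB -> load the new table, resume the device and
# grow the ext4 filesystem on it: the three commands from the page, in order.
resize_thin_device() {
    name="$1"
    table=$(dmsetup table "$name")
    new_table=$(new_thin_table "$table" "$2")
    echo "$new_table" | dmsetup load "$name"
    dmsetup resume "$name"
    resize2fs "/dev/mapper/$name"
}

# Usage (on the host, as root):
#   sh resize-thin.sh docker-253:5-3801090-<container id> 50
if [ "$#" -eq 2 ]; then
    resize_thin_device "$1" "$2"
fi
```

new_thin_table can be tried on its own against a pasted table line before anything is loaded into device-mapper; the refusal on non-thin targets catches the case where the wrong dm device name (for example the pool itself) was copied from df.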
Getting the code
Now that the storage problem is solved, follow the Ubuntu 14.04 instructions on MDN. Once all required packages are installed, clone the source from https://github.com/mozilla-b2g/B2G and run:
user@26bfa5046a14:~$ ./config.sh <device>
with your desired device name (I used aries-l). Note that I created a new user in the container so that I don't build as root.
Fixing build failure
Once ./config.sh has pulled the source code, running ./build.sh on a system with PaX enabled fails because PaX kills xpcshell; the kernel logs a "PAX: terminating task" line for it, which you can confirm in dmesg.
The reason is that xpcshell's JavaScript JIT needs memory pages that are both writable and executable (RWX). PaX's MPROTECT feature denies such mappings, and denies turning writable pages executable later, unless the binary is explicitly marked to allow it.
We can fix this by using paxctl to disable MPROTECT for the xpcshell binary only, which keeps the W^X enforcement intact for everything else on the host. First we have to create a PT_PAX_FLAGS program header in the ELF file:
user@26bfa5046a14:~/B2G-aries-l$ paxctl -C gaia/b2g_sdk/*/b2g/xpcshell
and then disable MPROTECT (the -m flag):
user@26bfa5046a14:~/B2G-aries-l$ paxctl -m gaia/b2g_sdk/*/b2g/xpcshell
The flags for xpcshell are now:
user@26bfa5046a14:~/B2G-aries-l$ paxctl -v gaia/b2g_sdk/*/b2g/xpcshell
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <firstname.lastname@example.org>

- PaX flags: -----m------ [gaia/b2g_sdk/39.0a1-2015-03-05-16-02-02/b2g/xpcshell]
        MPROTECT is disabled
After setting these PaX flags on xpcshell, I was able to build Aries-L inside my Docker container. Note that the flags live in the binary's ELF header: if gaia later fetches a new SDK into a fresh directory under gaia/b2g_sdk/, that xpcshell has no PaX header and the paxctl steps have to be repeated for it.
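Because the flags are stored in the binary itself, they are gone whenever a new xpcshell appears under gaia/b2g_sdk/. The following script, added here as an example and not part of the page or of the B2G project, wraps the paxctl steps above so they can be re-run safely: it only touches binaries where paxctl -v does not already report MPROTECT as disabled. B2G_DIR and the function names are assumptions of this script; the paxctl options and the "MPROTECT is disabled" verification string are from the output above.

```shell
#!/bin/sh
# Added example, not from the page: idempotently disable PaX MPROTECT on every
# xpcshell in the B2G tree. B2G_DIR and the function names are assumed here.
set -eu

B2G_DIR="${B2G_DIR:-${HOME:-.}/B2G-aries-l}"

# mprotect_disabled FILE -> succeeds if paxctl -v already reports the m flag
mprotect_disabled() {
    paxctl -v "$1" 2>/dev/null | grep -q 'MPROTECT is disabled'
}

# pax_disable_mprotect FILE -> ensure FILE has a PT_PAX_FLAGS header with
# MPROTECT off. Prints "changed" or "unchanged" so callers can count.
pax_disable_mprotect() {
    f="$1"
    if mprotect_disabled "$f"; then
        echo unchanged
        return 0
    fi
    # -C (create the header) is expected to complain if the header is already
    # there, e.g. after a partial earlier run; ignore that and let -m do the work.
    paxctl -C "$f" 2>/dev/null || true
    paxctl -m "$f"
    # Verify rather than trust the exit status: the flag must be visible now.
    mprotect_disabled "$f" || { echo "failed to disable MPROTECT on $f" >&2; return 1; }
    echo changed
}

# fix_all_xpcshell DIR -> run pax_disable_mprotect on every xpcshell under
# DIR/gaia/b2g_sdk and print how many binaries were actually changed
fix_all_xpcshell() {
    changed_count=0
    for f in "$1"/gaia/b2g_sdk/*/b2g/xpcshell; do
        [ -f "$f" ] || continue      # glob matched nothing: nothing to do
        result=$(pax_disable_mprotect "$f")
        if [ "$result" = changed ]; then
            changed_count=$((changed_count + 1))
        fi
    done
    echo "$changed_count"
}

# Usage: sh fix-xpcshell-pax.sh run    (e.g. before every ./build.sh)
if [ "${1:-}" = run ]; then
    echo "changed $(fix_all_xpcshell "$B2G_DIR") xpcshell binaries"
fi
```

Running it before every ./build.sh costs one paxctl -v per SDK directory and keeps the exception limited to the build tool; a non-zero change count after a ./config.sh update is the signal that a new SDK was fetched.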