purpose of paxctl?

[defunctzombie]

Wondering what the purpose of the paxctl -cm line is in the installation.

[flitbit]

Alpine applies grsecurity patches, these settings enable nodejs to execute arbitrary code which would otherwise not be allowed on the OS... kinda explained here: https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js

[mhart]

Yeah, so the nodejs package on alpine used to just use paxctl -cm, see here: http://git.alpinelinux.org/cgit/aports/tree/main/nodejs/APKBUILD?id=75cc781209536288b4522d523e2575c184312869

They then switched to using paxmark in this commit: http://git.alpinelinux.org/cgit/aports/tree/main/nodejs/APKBUILD?id=47db907cdf7ac0669d2729f9aa146dcfdbf76a82

paxmark is a script that invokes paxctl, and I tried to find out from the committer of that, Timo Teräs, what the difference was, and why they switched to it, but never got a reply. The problem with that paxmark command is it increases the size of the binary quite substantially, so I just stuck with paxctl (and haven't had any issues with it thus far).

I'd love to hear some more official guidance on this, but it's been hard to come by information on it – thanks for that link @flitbit

I'm gonna close this issue, but feel free to keep discussing and I can reopen if there's an actual issue to be resolved.

[defunctzombie]

Thanks for the info!

[ghost]

Has paxctl been removed?

[tallero]

Catching a paxmark dependency while adding openjdk8 with pmbootstrap.