We’ve discovered why PGI generated binaries trip selinux (enforcing) into generating the message:
error while loading shared libraries: /somedir/somelib.so: cannot restore segment prot
This happens because the GNU_STACK object in the linked code has the E (Execute) flag set. Test this using:
% readelf -W -e BOOT | grep -i gnu_stack
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x8
The reason this happens is explained at http://www.gentoo.org/proj/en/hardened/gnu-stack.xml :
If an assembler source contains no GNU-stack note, the system by default assumes that an executable stack may be required. However, usually if there’s no GNU-stack note, this is simply because the author didn’t include one, rather than the code actually needing an executable stack.
Basically, the PGI compliers (tested with 7.2-3) aren’t including a “.note.GNU-stack” section header in their object files, so the stack is marked executable by default. As a workaround (as noted in the web reference), adding the link flag
We’ve re-linked a fairly large codebase using the noexecstack flag and haven’t had a problem. So the PGI generated code doesn’t seem to need an executable stack.
The real solution would be for PGI to have their compilers emit the “.note.GNU-stack” section in their objects. Could someone check and see if this is still an issue with PGI 8.0 ? (thanks)
I spoke too soon on this subject. The real reason we’re getting this is because on a 32-bit platform, libpgftnrtl.a is only supplied as a static library. Linking this in requires text relocation when ld-linux.so loads the executable for execution. This issue is discussed here:
Using readelf utilities, the static links ended creating objects that required text relocation. In our case we were creating a shared lib that had linked against the libpgftnrtl.a static lib. Example:
113% eu-readelf -d libmystuff.so |grep TEXTREL
114% eu-findtextrel libmystuff.so | sort | uniq
either the file containing the function '__fio_assign' or the file containing the function '__fio_errinit' is not compiled with -fpic/-fPIC
either the file containing the function '__fio_eoferr' or the file containing the function 'fio_src_info' is not compiled with -fpic/-fPIC
either the file containing the function '__fio_fmt_d' or the file containing the function '__fio_fmt_f' is not compiled with -fpic/-fPIC
either the file containing the function '__fio_fmt_f' or the file containing the function '__fio_chk_f' is not compiled with -fpic/-fPIC
<... snip ...>
All the functions indicated come from the static library libftnrtl.a
Is there any possiblity of getting a proper shared-library .so version of this library (for 32-bit)?
Traditionally in 32-bits objects do not need to be compiled with -fpic to be included in shared objects and why we do not ship these version of the libraries. In 64-bits where -fpic is required, we do include -fpic compiled static libraries in the 64-bit “libso” directory.
I have added a feature request (TPR#15422) to have -fpic versions of the PGI 32-bit runtime available in a future release.