| 1 |
On Thursday, July 14, 2011 18:52:04 Anthony G. Basile wrote: |
| 2 |
> 2) The choice of a hardened kernel is made by emergeing |
| 3 |
> hardened-sources, configuring, compiling, booting. There is no use flag |
| 4 |
> for this choice per se. That means that virtual/linux-sources would |
| 5 |
> remove the condition RDEPEND: |
| 6 |
> |
| 7 |
> hardened? ( =sys-kernel/hardened-sources-2.6* ) |
| 8 |
> |
| 9 |
> and simply replace it with |
| 10 |
> |
| 11 |
> =sys-kernel/hardened-sources-2.6* |
| 12 |
|
| 13 |
i think this change can be made regardless of any other. the hardened-sources |
| 14 |
package always provides a kernel, so there is no need to require USE=hardened |
| 15 |
in order for this to satisfy the virtual. |
| 16 |
|
| 17 |
> 3) Since a hardened kernel can be configure with various flavors of |
| 18 |
> "pax" or "grsec" or "selinux", there should be useflags to reflect |
| 19 |
> userland needs to conform. There already is a "selinux" flag which is |
| 20 |
> set by selinux profiles. Currently we don't see a need for a "grsec" |
| 21 |
> flag, however, there is a need for a "pax" global use flag which we |
| 22 |
> propose calling "pax_kernel". (If nothing else to distinguish it from |
| 23 |
> app-arch/pax.) |
| 24 |
> |
| 25 |
> Userland binaries which will run under a pax enabled kernel may need |
| 26 |
> special treatment to run, or else they'll be killed by the kernel. The |
| 27 |
> best example here is an RWX mmapping. Although the ideal case is to |
| 28 |
> "fix the code" this is not always feasible and so binaries will still |
| 29 |
> need markings with paxctl -m. |
| 30 |
|
| 31 |
if `paxctl` is installed, then i say always run `paxctl` on the problematic |
| 32 |
binaries regardless of USE flags. have the hardened-sources package depend on |
| 33 |
paxctl, and then that takes care of the dependency. |
| 34 |
-mike |
Archives