| 1 |
On Thu, Oct 15, 2015 at 10:57:45AM +0200, Tobias Klausmann wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> On Wed, 14 Oct 2015, Mike Frysinger wrote: |
| 5 |
> > anyone opposed to flipping this flag on by default ? |
| 6 |
> > |
| 7 |
> > reference: |
| 8 |
> > https://bugs.gentoo.org/506198 |
| 9 |
> > https://bugs.gentoo.org/556408 |
| 10 |
> |
| 11 |
> No objection, but a bit of a datapoint. I use btrfs on one of my |
| 12 |
> machines, and that filesystem (apparently) does not support |
| 13 |
> XATTR_PAX markings. So on every update I get some packages with |
| 14 |
> message like these: |
| 15 |
|
| 16 |
I used to run hardened on btrfs and it worked fine. pax xattrs are in |
| 17 |
the user namespace (user.pax.flags) which isnt protected (unlike eg. |
| 18 |
security.*). I dont remember doing anything special to enable xattrs on |
| 19 |
btrfs, most of the newer FSs have them enabled by default. |
| 20 |
|
| 21 |
Can you try this: |
| 22 |
|
| 23 |
# getfattr -d -m- /bin/ping |
| 24 |
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= |
| 25 |
# setfattr -n user.test -v "foo" ./ping |
| 26 |
# setfattr -n user.pax.flags -v "me" ./ping |
| 27 |
# getfattr -d -m- /bin/ping |
| 28 |
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= |
| 29 |
user.pax.flags="me" |
| 30 |
user.test="foo" |
| 31 |
|
| 32 |
If this works then something else is causing those messages and we |
| 33 |
should look into it further. |
| 34 |
|
| 35 |
> |
| 36 |
> >>> Messages generated for package app-emulation/qemu-2.4.0.1 by process 2675 on 20151013-150646 CEST: |
| 37 |
> |
| 38 |
> LOG: install |
| 39 |
> Failed to set XATTR_PAX markings -me qemu-system-aarch64. |
| 40 |
> Failed to set XATTR_PAX markings -me qemu-system-alpha. |
| 41 |
> Failed to set XATTR_PAX markings -me qemu-system-i386. |
| 42 |
> Failed to set XATTR_PAX markings -me qemu-system-x86_64. |
| 43 |
> Failed to set XATTR_PAX markings -me qemu-aarch64. |
| 44 |
> Failed to set XATTR_PAX markings -me qemu-alpha. |
| 45 |
> Failed to set XATTR_PAX markings -me qemu-i386. |
| 46 |
> Failed to set XATTR_PAX markings -me qemu-x86_64. |
| 47 |
> |
| 48 |
> Two things about this: the message is not really useful, unless I |
| 49 |
> know what -me does. Also, I never requested anything PaX-ish, I |
| 50 |
> just don't want to to have SUID binaries when I can avoid it. |
| 51 |
|
| 52 |
Not that it matters since you dont run hardened, but "m" means "disable |
| 53 |
mprotext" and "e" means "disable trampoline emulation". |
| 54 |
|
| 55 |
-- Jason |
| 56 |
> |
| 57 |
> By now the messages are just an annoyance/spam to me, but I |
| 58 |
> suspect this may be more of a problem for people who have lower |
| 59 |
> pain thresholds. |
| 60 |
> |
| 61 |
> Regards, |
| 62 |
> Tobias |
| 63 |
> |
| 64 |
> -- |
| 65 |
> "Sendmail is the sort of tool that gave UNIX its bad reputation." |
| 66 |
> -- _System Performance Tuning_ |
| 67 |
> |
Archives