On Thu, Oct 15, 2015 at 10:57:45AM +0200, Tobias Klausmann wrote:
> Hi!
>
> On Wed, 14 Oct 2015, Mike Frysinger wrote:
> > anyone opposed to flipping this flag on by default ?
> >
> > reference:
> > https://bugs.gentoo.org/506198
> > https://bugs.gentoo.org/556408
>
> No objection, but a bit of a datapoint. I use btrfs on one of my
> machines, and that filesystem (apparently) does not support
> XATTR_PAX markings. So on every update I get some packages with
> messages like these:

I used to run hardened on btrfs and it worked fine. pax xattrs are in
the user namespace (user.pax.flags) which isn't protected (unlike e.g.
security.*). I don't remember doing anything special to enable xattrs on
btrfs, most of the newer FSs have them enabled by default.

Can you try this:

# getfattr -d -m- /bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
# setfattr -n user.test -v "foo" ./ping
# setfattr -n user.pax.flags -v "me" ./ping
# getfattr -d -m- /bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
user.pax.flags="me"
user.test="foo"

If this works then something else is causing those messages and we
should look into it further.

>
> >>> Messages generated for package app-emulation/qemu-2.4.0.1 by process 2675 on 20151013-150646 CEST:
>
> LOG: install
> Failed to set XATTR_PAX markings -me qemu-system-aarch64.
> Failed to set XATTR_PAX markings -me qemu-system-alpha.
> Failed to set XATTR_PAX markings -me qemu-system-i386.
> Failed to set XATTR_PAX markings -me qemu-system-x86_64.
> Failed to set XATTR_PAX markings -me qemu-aarch64.
> Failed to set XATTR_PAX markings -me qemu-alpha.
> Failed to set XATTR_PAX markings -me qemu-i386.
> Failed to set XATTR_PAX markings -me qemu-x86_64.
>
> Two things about this: the message is not really useful, unless I
> know what -me does. Also, I never requested anything PaX-ish, I
> just don't want to have SUID binaries when I can avoid it.

Not that it matters since you don't run hardened, but "m" means "disable
mprotect" and "e" means "disable trampoline emulation".

-- Jason
>
> By now the messages are just an annoyance/spam to me, but I
> suspect this may be more of a problem for people who have lower
> pain thresholds.
>
> Regards,
> Tobias
>
> --
> "Sendmail is the sort of tool that gave UNIX its bad reputation."
> -- _System Performance Tuning_
>
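The getfattr/setfattr check from Jason's reply, as an added example that is not part of the thread: it writes user.pax.flags on a scratch file to test whether the underlying filesystem accepts user-namespace xattrs, reads every xattr back the way `getfattr -d -m-` does, and decodes the flag letters ("m" and "e" are the two explained in the thread). It uses Python's os.setxattr/os.getxattr (Linux only) in place of the attr tools; the names given for "p", "s" and "r" follow paxctl-ng's conventions and are not taken from the thread.

```python
# Added example, not from the thread: probe user-namespace xattr support and
# decode a user.pax.flags value with os.setxattr/os.getxattr (stdlib, Linux).
import errno
import os
import tempfile

PAX_XATTR = "user.pax.flags"

# Flag letters as paxctl-ng writes them: lowercase disables a feature,
# uppercase enables it. The thread itself explains only "m" and "e".
_PAX_FEATURES = {
    "p": "PAGEEXEC",
    "s": "SEGMEXEC",
    "m": "MPROTECT",
    "e": "EMUTRAMP (trampoline emulation)",
    "r": "RANDMMAP",
}

def decode_pax_flags(flags):
    """Translate a flag string such as "me" into readable statements."""
    out = []
    for ch in flags:
        name = _PAX_FEATURES.get(ch.lower())
        if name is None:
            out.append(f"unknown flag {ch!r}")
        else:
            out.append(("disable " if ch.islower() else "enable ") + name)
    return out

def list_xattrs(path):
    """Like `getfattr -d -m- path`: every xattr name -> raw value bytes."""
    return {name: os.getxattr(path, name) for name in os.listxattr(path)}

def probe_user_xattr(directory=None, flags="me"):
    """Set user.pax.flags on a scratch file in `directory` and read it back.
    Returns {"supported": bool, "value": str|None, "error": errno name|None};
    a filesystem or mount without user xattrs shows up as ENOTSUP/EOPNOTSUPP.
    """
    fd, path = tempfile.mkstemp(dir=directory or tempfile.gettempdir())
    os.close(fd)
    try:
        os.setxattr(path, PAX_XATTR, flags.encode())
        value = list_xattrs(path).get(PAX_XATTR, b"").decode()
        return {"supported": value == flags, "value": value, "error": None}
    except OSError as exc:
        code = errno.errorcode.get(exc.errno, str(exc))
        return {"supported": False, "value": None, "error": code}
    finally:
        os.unlink(path)
```

Run `probe_user_xattr("/path/on/the/btrfs/volume")` to test the filesystem in question; a result with `"error": "ENOTSUP"` means the xattr write itself is refused, while `"supported": True` points the investigation at whatever emits the "Failed to set XATTR_PAX markings" message instead.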