| 1 |
On Thursday 01 December 2011 11:08:37 Anthony G. Basile wrote: |
| 2 |
> 2) PT_PAX markings. This puts the flags in an ELF program header. On |
| 3 |
> Gentoo systems, all binaries are compiled with a PT_PAX header ready to |
| 4 |
> go because of a patch against binutils [2]. The problem is precompiled |
| 5 |
> binaries which lack a PT_PAX header and cannot have one added without |
| 6 |
> breaking. (eg. skype). |
| 7 |
> |
| 8 |
> 3) XT_PAX markings. This is the new experimental way of doing the |
| 9 |
> markings using xattrs for PaX markings. Currently, I'm using the name |
| 10 |
> space "user.pax" so as to allow users to mark their own binaries, but |
| 11 |
> this may change to "security.pax" depending on what direction upstream |
| 12 |
> (ie pipacs) wants to go. The advantage here is that the ELF binary is |
| 13 |
> not mangled in any way since the xattrs live in the inodes not the |
| 14 |
> blocks. The disadvantage is that xattrs is not supported on all |
| 15 |
> filesystems and in all our utilities we need for portage to work. I'm |
| 16 |
> working to get xattrs supported where we need it. This will also help |
| 17 |
> with supporting other features like ACL and CAPS. To this end: |
| 18 |
|
| 19 |
i happily look forward to the time where we can deprecate PT_PAX support in |
| 20 |
binutils. it is, by far, the largest thorn in my side when it comes to |
| 21 |
stabilization and false positive test failures in binutils. |
| 22 |
|
| 23 |
> a) There is a patch against tar to support xattrs based on a Fedora's |
| 24 |
> patch. [3] |
| 25 |
|
| 26 |
sorry, now that i know this is a bit more important than "i've been playing |
| 27 |
with this stuff", i'll try and get to it faster |
| 28 |
-mike |
Archives