On Thursday 01 December 2011 11:08:37 Anthony G. Basile wrote:
> 2) PT_PAX markings. This puts the flags in an ELF program header. On
> Gentoo systems, all binaries are compiled with a PT_PAX header ready to
> go because of a patch against binutils [2]. The problem is precompiled
> binaries which lack a PT_PAX header and cannot have one added without
> breaking (e.g. skype).
>
> 3) XT_PAX markings. This is the new experimental way of doing the
> markings using xattrs for PaX markings. Currently, I'm using the name
> space "user.pax" so as to allow users to mark their own binaries, but
> this may change to "security.pax" depending on what direction upstream
> (i.e. pipacs) wants to go. The advantage here is that the ELF binary is
> not mangled in any way since the xattrs live in the inodes, not the
> blocks. The disadvantage is that xattrs are not supported on all
> filesystems and in all the utilities we need for portage to work. I'm
> working to get xattrs supported where we need it. This will also help
> with supporting other features like ACL and CAPS. To this end:

i happily look forward to the time where we can deprecate PT_PAX support in
binutils. it is, by far, the largest thorn in my side when it comes to
stabilization and false positive test failures in binutils.

> a) There is a patch against tar to support xattrs based on a Fedora
> patch. [3]

sorry, now that i know this is a bit more important than "i've been playing
with this stuff", i'll try and get to it faster
-mike
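As an added example (not code from this thread, Gentoo's tooling or PaX itself), a small Python checker that reports both marking sources the mail compares: whether an ELF image carries a PT_PAX program header, and whether a file carries an XT_PAX xattr in the user.pax namespace. The PT_PAX_FLAGS type value and the flag-bit names are taken from PaX's elf.h definitions and are assumptions not stated on the page; build_elf64 constructs a sample image so the parser can be exercised without a real binary.

```python
import os
import struct

# PaX program-header type (PT_LOOS + 0x5041580) and the bits its p_flags carries;
# assumed from PaX's elf.h, not stated in the thread.
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = {
    "PAGEEXEC": 1 << 4, "NOPAGEEXEC": 1 << 5, "SEGMEXEC": 1 << 6, "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8, "NOMPROTECT": 1 << 9, "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13, "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}

def pt_pax_flags(elf: bytes):
    """p_flags of the PT_PAX_FLAGS program header, or None if the ELF32/ELF64 image has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        e_phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff = struct.unpack_from(end + "I", elf, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", elf, off)[0] == PT_PAX_FLAGS:
            # Elf64_Phdr keeps p_flags right after p_type; Elf32_Phdr puts it after five 4-byte fields.
            return struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
    return None

def describe_pax_flags(p_flags: int):
    """Names of the PaX flags set in a PT_PAX p_flags word, in bit order."""
    return [name for name, bit in PAX_FLAG_BITS.items() if p_flags & bit]

def xt_pax_marking(path: str, namespace: str = "user.pax"):
    """XT_PAX marking stored as an xattr (the thread's user.pax name), or None if absent/unsupported."""
    try:
        return os.getxattr(path, namespace).decode()
    except (OSError, AttributeError):  # ENODATA/ENOTSUP, or a platform without os.getxattr
        return None

def build_elf64(phdrs):
    """Constructed minimal little-endian ELF64 image whose program headers are (p_type, p_flags) pairs."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"  # magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16, 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return bytes(ehdr) + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
```

A binary that yields None from pt_pax_flags and None from xt_pax_marking is exactly the precompiled case the mail describes: it has no header to patch and no xattr to fall back on.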