On Thursday, July 14, 2011 18:52:04 Anthony G. Basile wrote:
> 2) The choice of a hardened kernel is made by emerging
> hardened-sources, configuring, compiling, booting. There is no use flag
> for this choice per se. That means that virtual/linux-sources would
> remove the conditional RDEPEND:
>
> hardened? ( =sys-kernel/hardened-sources-2.6* )
>
> and simply replace it with
>
> =sys-kernel/hardened-sources-2.6*

i think this change can be made regardless of any other. the hardened-sources
package always provides a kernel, so there is no need to require USE=hardened
in order for this to satisfy the virtual.

> 3) Since a hardened kernel can be configured with various flavors of
> "pax" or "grsec" or "selinux", there should be useflags to reflect
> userland needs to conform. There already is a "selinux" flag which is
> set by selinux profiles. Currently we don't see a need for a "grsec"
> flag, however, there is a need for a "pax" global use flag which we
> propose calling "pax_kernel". (If nothing else to distinguish it from
> app-arch/pax.)
>
> Userland binaries which will run under a pax enabled kernel may need
> special treatment to run, or else they'll be killed by the kernel. The
> best example here is an RWX mmapping. Although the ideal case is to
> "fix the code" this is not always feasible and so binaries will still
> need markings with paxctl -m.

if `paxctl` is installed, then i say always run `paxctl` on the problematic
binaries regardless of USE flags. have the hardened-sources package depend on
paxctl, and then that takes care of the dependency.
-mike