On 10/22/2013 07:49 PM, Rick "Zero_Chaos" Farina wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/22/2013 01:56 PM, Anthony G. Basile wrote:
>> On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 10/21/2013 03:00 PM, Magnus Granberg wrote:
>>>> Agenda
>>>> 1.0 New Developer
>>>> 2.0 Toolchain
>>>> 3.0 Kernel/Grsec/Pax
>>>> 3.1 Use pax_kernel
>>> The USE=pax_kernel is used for two reasons. One reason is XYZ needs to
>>> be done or pax kills the build/test. The second reason is XYZ needs to
>>> be done to build against a hardened kernel.
>> It is wrong to build anything against the kernel API except as defined
>> in /usr/include/linux, hardened or not. We have lots of ebuilds which
>> look at the kernel source tree in /usr/src/linux and build against it.
>> These are broken. The kernel source tree exposes many internal
>> structures which are subject to change without notice, not the least of
>> which afflicted iptables for the longest time.
>>
>> By extension, no ebuild should build against a hardened kernel source
>> tree. USE=pax_kernel should never mean "XYZ needs to be done to build
>> against a hardened kernel". It should only be used to mean "the ELFs
>> provided by this package *may* be run under a kernel with pax memory
>> protection enforced." If it's a question of an out-of-source-tree
>> kernel module being built and requiring a patch, e.g. constification, then
>> some other solution needs to be found.
>>
>> What ebuilds are we talking about here that fit the latter category?
>>
> Kernel modules such as nvidia-drivers, which I'm confident are allowed
> to build against the kernel sources.
>
> - -Zero
>

Out-of-source-tree kernel modules can (and often must) build against
/usr/src/linux. My comments were about userland.

Anyhow, back to the original issue, can't some local use flag be used
here to say apply the constify patch? We don't want to pollute the
meaning of USE=pax_kernel.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
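The thread's point about userland packages is that they should only consume the sanitised kernel headers under /usr/include/linux, never the internal tree under /usr/src/linux. The script below is an added example, not code from the thread or from any Gentoo tool: a small QA check that walks a source tree and reports every build file or source line that reaches into /usr/src/linux. The sample package tree it scans is constructed inline (a "bad" package with a Makefile and a C file that point at the kernel source tree, and a "good" one that includes only the exported headers), so it runs offline; the function names and the two-package layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag userland build inputs that depend on the kernel source
# tree (/usr/src/linux) instead of the exported headers in /usr/include/linux.

# Create a constructed sample tree with one offending and one clean package.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bad" "$dir/good"
    # Constructed offender: compiler include path and a hard-coded header path
    # both reach into the kernel source tree.
    printf 'CFLAGS += -I/usr/src/linux/include\nall: tool.c\n\t$(CC) $(CFLAGS) -o tool tool.c\n' \
        > "$dir/bad/Makefile"
    printf '#include "/usr/src/linux/include/linux/netfilter.h"\nint main(void) { return 0; }\n' \
        > "$dir/bad/tool.c"
    # Constructed clean package: only the exported UAPI header is used.
    printf 'all: tool.c\n\t$(CC) -o tool tool.c\n' > "$dir/good/Makefile"
    printf '#include <linux/netfilter.h>\nint main(void) { return 0; }\n' > "$dir/good/tool.c"
    echo "$dir"
}

# Print every file:line under DIR that mentions /usr/src/linux.
# Returns 0 when the tree is clean and 1 when at least one hit is found.
scan_for_kernel_src_refs() {
    dir=$1
    found=0
    for f in $(find "$dir" -type f | sort); do
        # /dev/null forces grep to prefix the file name even for a single file.
        if grep -n '/usr/src/linux' /dev/null "$f"; then
            found=1
        fi
    done
    return $found
}

# Count offending lines under DIR; handy for a summary in a QA report.
count_kernel_src_refs() {
    scan_for_kernel_src_refs "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: scan the constructed tree and report a summary.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Offending references: $(count_kernel_src_refs "$tree")"
    scan_for_kernel_src_refs "$tree" || echo "QA check failed for $tree"
fi
```

Run it with `--demo` to scan the constructed tree; in practice you would point `scan_for_kernel_src_refs` at an unpacked `${S}` to catch ebuilds that still look at /usr/src/linux. An out-of-tree kernel module such as nvidia-drivers is expected to trip this check, which is exactly the distinction the thread draws between userland and kernel modules.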