I've applied the patch. I have USE=xattr enabled, the kernel has both
CONFIG_PAX_XATTR_PAX_FLAGS=y and CONFIG_PAX_PT_PAX_FLAGS=y set, and elfix
was emerged with the USE="ptpax xtpax" combo (since I'm not brave enough). The
only exception from the instructions is that I have PAX_MARKINGS="PT XT"
specified in make.conf.

Given this difference, I've emerged some packages. The install process is
faster - although I wouldn't say it's lightning fast. All binaries had
their PT fields set and XT fields missing. I can only blame the
PAX_MARKINGS variable. I believe that the install mechanism should take
care of both PT and XT flags if both were specified in the PAX_MARKINGS
environment variable. I'm not sure if you agree with me about this.

I can repeat the test with PAX_MARKINGS="XT" only.

Thank you for your efforts: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Tuesday, June 24, 2014, at 15:53, Anthony G. Basile wrote:
> Hi Everyone,
>
> It has taken a long time to finalize XATTR_PAX support in Gentoo, but I
> think the final step is done. The thorniest problem was getting portage
> wrappers to `/usr/bin/install` to preserve extended attributes. We
> could have hacked up ebuilds to do the markings after install, but in
> some cases this meant having to do double markings in ebuilds and left a
> gap in our end-to-end support for other packages needing xattrs not
> necessarily related to PaX. I took the harder but "correct" path and
> wrote a wrapper. My first wrapper was written in python and worked
> great except it was slooooow --- actually I had one in bash which used
> associated arrays but that requires bash4 and portage only supports
> bash3! I rewrote the wrapper in C and it worked great when I bypassed
> the portage install machinery and used it directly, but the point was to
> get it working in portage! I finally traced the bug down to how the
> environment $PATH changes during the ebuild phases and added
> intelligence to the C wrapper.
>
> Anyhow, I'd like victims ... err ... I mean testers:
>
> 1) Have USE=xattr and PAX_MARKINGS="XT" in your make.conf file
>
> 2) Your kernel should have CONFIG_PAX_XATTR_PAX_FLAGS=y. If you are
> brave have CONFIG_PAX_PT_PAX_FLAGS not set.
>
> 3) emerge =sys-apps/install-xattr-0.2, sys-apps/elfix. If you can,
> emerge elfix with USE="ptpax xtpax", but if you are brave try USE="-ptpax
> xtpax". You must have at least xtpax in there.
>
> 4) You need to apply the following patch to portage:
>
> https://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=9089c2d755b0ecb1b340fc23dda461163f589c43
>
> You can just manually apply it after `cd /usr/lib/portage/`
>
> 5) Then emerge any package needing pax markings (maybe not python just
> in case something breaks). Like johntheripper which should give
>
> ~ # paxctl-ng -v /usr/sbin/john
> /usr/sbin/john:
>     PT_PAX : -emr-
>     XATTR_PAX : -emr-
>
> or just
>
> /usr/sbin/john:
>     XATTR_PAX : -emr-
>
> If you removed all PT_PAX above.
>
> Let me know if you hit issues. The final step will be to just make sure
> our releases have XATTR_PAX markings and that we document how to
> properly install them so you don't lose the markings.
>
>
> Finally, some may wonder, why XATTR_PAX markings? The main reason is
> that it doesn't touch the ELF binaries and makes them more consistent
> with what other distros ship. Also, marking can be done while the ELF
> is busy (eg `paxctl -m /bin/bash`, leads to "Text file busy" but you
> can always do `paxctl-ng -lm /bin/bash`, ie set only XATTR_PAX). This
> allows you to work with a live system which is useful if you ever need
> to do a revdep-pax to migrate pax flags from a library to the
> executables that link against it. The disadvantage is that xattr
> support requires more work and so is more fragile.
>
>
> --
> Anthony G. Basile, Ph. D.
> Chair of Information Technology
> D'Youville College
> Buffalo, NY 14201
> (716) 829-8197
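
Added example, not part of the thread and not code from elfix or portage: a shell function that reads `paxctl-ng -v` output in the format quoted above and reports, per file, whether PT_PAX, XATTR_PAX, or both carry a flag string, which is the check needed to spot the "PT set, XT missing" result described in the reply. The paths other than `/usr/sbin/john` are constructed, and treating any value that is not a flag string as "no marking" is an assumption about how a missing field is printed.

```shell
#!/bin/sh
# Added example: classify files in `paxctl-ng -v` output by PaX marking field.

# Reads a `paxctl-ng -v` report on stdin and prints "<path> <status>" per
# file, where status is: both | mismatch | pt-only | xt-only | unmarked.
pax_marking_report() {
    awk '
        function emit() {
            if (path == "") return
            if (pt != "" && xt != "") status = (pt == xt) ? "both" : "mismatch"
            else if (pt != "")        status = "pt-only"
            else if (xt != "")        status = "xt-only"
            else                      status = "unmarked"
            print path, status
        }
        # Field lines look like "PT_PAX : -emr-". Assumption: a value that
        # is not a flag string (or an absent line) means "no marking".
        $1 == "PT_PAX"    { if ($3 ~ /^[-PpEeMmRrSs]+$/) pt = $3; next }
        $1 == "XATTR_PAX" { if ($3 ~ /^[-PpEeMmRrSs]+$/) xt = $3; next }
        # Header lines are the file name followed by a colon.
        /: *$/ { emit(); path = $0; sub(/: *$/, "", path); pt = ""; xt = ""; next }
        END { emit() }
    '
}

# Lists only the files that have no XATTR_PAX marking.
pax_missing_xattr() {
    pax_marking_report |
        awk '$NF == "pt-only" || $NF == "unmarked" { sub(/ [^ ]+$/, ""); print }'
}

# Constructed sample report; only /usr/sbin/john appears in the thread.
sample_report() {
    cat <<'EOF'
/usr/sbin/john:
    PT_PAX    : -emr-
    XATTR_PAX : -emr-
/usr/bin/example-a:
    PT_PAX    : -emr-
/usr/bin/example-b:
    XATTR_PAX : -emr-
EOF
}

sample_report | pax_marking_report
```

On a test system, pipe the collected `paxctl-ng -v` output for a package's installed binaries into `pax_missing_xattr` to see which files lost, or never received, their XATTR_PAX marking during install.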