On Sun, 20 Oct 2013 19:39:10 -0400
"Anthony G. Basile" <basile@××××××××××××××.edu> wrote:

> On 10/19/2013 08:56 PM, Michael Orlitzky wrote:
> > On 10/19/2013 08:29 PM, Anthony G. Basile wrote:
> >>
> >> Can you check to see if the || die is required only on packages
> >> before EAPI = 5? Or is it on all EAPI versions?
> >
> > It's required anywhere you want the ebuild to die when pax-mark
> > fails. AFAIK, the EAPI >= 4 auto-die behavior only applies to the
> > commands listed in the PMS under "Ebuild-specific Commands".
> >
> >
> >> Having said that, I'm not sure we want the ebuild to fail just
> >> because pax-mark fails. People on vanilla profiles without xattr
> >> support will be annoyed.
> >
> > Can this be done in the profiles instead of the eclass?
> >
> > Right now, the eclass sets PAX_MARKINGS="PT" for everyone when the
> > variable is unset. On hardened, we probably want PAX_MARKINGS="PT"
> > for now, PAX_MARKINGS="PT XT" later, and PAX_MARKINGS="XT"
> > eventually.
> >
> > Non-hardened users don't care about the markings[1], so it doesn't
> > matter to them whether or not pax-mark fails. But for hardened
> > users, the package will be broken, so the ebuild should die.
> >
> > What would happen if we changed the line,
> >
> > PAX_MARKINGS=${PAX_MARKINGS:="PT"}
> >
> > in the eclass, to,
> >
> > PAX_MARKINGS=${PAX_MARKINGS:="none"}
> >
> > and added,
> >
> > PAX_MARKINGS="PT"
> >
> > to the hardened make.defaults?
> >
> >
> > [1] There may be exceptions to this rule, but if we remove the PT
> > default for non-hardened users, they can still set PAX_MARKINGS in
> > make.conf if they want the markings.
> >
>
> The profile idea is a good one, but I'm always worried about people
> who switch profiles. If we don't do the markings on *all* gentoo
> systems, then someone switching from vanilla to hardened may have to
> re-emerge lots of packages. Unlike PT_PAX which is guaranteed to be
> there for systems compiled on gentoo, XT_PAX markings are more
> fragile and depend on the filesystem being able to sustain them.
>

I will just note that people changing profile usually should rebuild
world anyway, to have everything built with the hardened toolchain.
So maybe just add another step to the hardened guide, like reboot into
an xattr-enabled kernel before building stuff.
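The default-handling proposal discussed above, modelled as an added shell example (not code from the thread or from the pax-utils eclass): resolve_markings applies the proposed eclass default of "none" the way ${PAX_MARKINGS:="none"} would, simulate_pax_mark stands in for pax-mark (PT always succeeds, XT needs xattr support, which is a constructed flag here), and install_step is the ebuild's "pax-mark ... || die" check. The function names, the "died"/"ok" results and the xattr flag are assumptions of this example.

```bash
#!/bin/sh
# Toy model of the proposed eclass/profile interaction (constructed example).

# Apply the eclass default the way 'PAX_MARKINGS=${PAX_MARKINGS:="none"}'
# would: an empty or unset value from the profile/make.conf becomes "none".
resolve_markings() {
    local v="$1"
    v=${v:="none"}
    printf '%s\n' "$v"
}

# Simulated pax-mark. "none" is a no-op; PT (PT_PAX header) always works;
# XT (XT_PAX xattr) only works when the filesystem supports xattrs.
# Returns 0 on success and 1 on failure, like the real tool.
simulate_pax_mark() {
    local markings="$1" fs_xattr="$2" m
    [ "$markings" = "none" ] && return 0
    for m in $markings; do
        case "$m" in
            PT) ;;
            XT) [ "$fs_xattr" -eq 1 ] || return 1 ;;
            *)  return 1 ;;
        esac
    done
    return 0
}

# What the ebuild does: 'pax-mark ... || die'. $1 is the PAX_MARKINGS value
# coming from make.defaults/make.conf ("" on a vanilla profile with the
# proposed change), $2 is the constructed xattr-support flag (0 or 1).
# Prints "ok" when the install step would continue, "died" when it would die.
install_step() {
    local eff
    eff=$(resolve_markings "$1")
    if simulate_pax_mark "$eff" "$2"; then
        echo ok
    else
        echo died
    fi
}
```

With the proposed default, a vanilla user (empty PAX_MARKINGS, no xattr) never dies, while a hardened profile that later sets "PT XT" dies on a filesystem without xattr support, which is the behaviour the thread argues for.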