On 10/20/2013 07:39 PM, Anthony G. Basile wrote:
>
> The profile idea is a good one, but I'm always worried about people who
> switch profiles. If we don't do the markings on *all* gentoo systems,
> then someone switching from vanilla to hardened may have to re-emerge
> lots of packages. Unlike PT_PAX which is guaranteed to be there for
> systems compiled on gentoo, XT_PAX markings are more fragile and depend
> on the filesystem being able to sustain them.
>

I thought about this, but it isn't as bad as it looks initially.

As long as we have PT_PAX, there's nothing to worry about. Even with a
profile-based solution, we could set PAX_MARKINGS="PT" in the base
make.defaults. So no problem for now.

But eventually, we're going to drop PT_PAX in favor of XT_PAX. As I
mentioned, many ebuilds in the tree are calling "pax-mark || die". That
will block the switch, since packages would begin to fail for users
without xattr support. There are two obvious ways to fix it: remove the
die calls, or implement a profile-based solution that doesn't annoy
non-hardened users. So maybe we have to implement a profile-based
solution anyway, and the point is moot.

But let's say for the sake of argument that everyone removes the "|| die"
from their pax-marks. We still have two cases:

  1. The users that have xattr-enabled filesystems. They can switch
     to hardened freely, since the pax-marks have been succeeding.

     But are you *sure* you've had xattrs enabled the entire time we've
     been doing XT_PAX markings?

       a. If so, great.

       b. If not, you'd better `emerge -e world` anyway to avoid
          surprises.

  2. Users without xattr support. The calls to pax-mark didn't do
     anything, but they didn't fail. A full `emerge -e world` is
     necessary to avoid mysterious breakage.

This is in contrast to the profile-based solution, which only has one
case: everybody has to `emerge -e world` once to get the markings. But,
after we drop PT_PAX, this is only *worse* for the people in (1.a).
That's a much smaller group than /everyone/ who switches to hardened.
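The two questions raised in this thread (does the filesystem actually sustain XT_PAX markings, and which marking does a given binary carry) can be checked directly rather than guessed. The script below is an added example written for this page; it is not part of the thread and not Gentoo's own pax-utils or elfix tooling. It assumes the PT_PAX_FLAGS program-header type (0x65041580) and its p_flags bits as defined in PaX's elf.h, the `user.pax.flags` extended attribute name used by XT_PAX, and a constructed minimal ELF64 image as sample input. It reports whether a file carries a PT_PAX and/or XT_PAX marking and probes whether a directory's filesystem accepts user.* xattrs at all, which is exactly the case where a pax-mark without `|| die` silently did nothing.

```python
import os
import struct
import tempfile

# PT_PAX_FLAGS program-header type and the p_flags bits PaX defines for it
# (PF_PAGEEXEC ... PF_NORANDMMAP). Output letters follow paxctl's upper/lower
# convention: upper = enabled, lower = disabled.
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = {
    "P": 1 << 4,  "p": 1 << 5,   # PAGEEXEC   / NOPAGEEXEC
    "S": 1 << 6,  "s": 1 << 7,   # SEGMEXEC   / NOSEGMEXEC
    "M": 1 << 8,  "m": 1 << 9,   # MPROTECT   / NOMPROTECT
    "X": 1 << 10, "x": 1 << 11,  # RANDEXEC   / NORANDEXEC
    "E": 1 << 12, "e": 1 << 13,  # EMUTRAMP   / NOEMUTRAMP
    "R": 1 << 14, "r": 1 << 15,  # RANDMMAP   / NORANDMMAP
}
XT_PAX_ATTR = "user.pax.flags"     # xattr carrying the XT_PAX marking
PROBE_ATTR = "user.pax.probe"      # throwaway attribute used only by the probe


def pt_pax_flags(elf: bytes):
    """Return the PT_PAX marking letters from a little-endian ELF64 image,
    "" if the header is present with no bits set, or None if there is no
    PT_PAX_FLAGS program header (or the input is not ELF64 LE)."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        return None
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(elf):
            return None                      # truncated program-header table
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        if p_type == PT_PAX_FLAGS:
            return "".join(c for c, bit in PAX_FLAG_BITS.items() if p_flags & bit)
    return None


def xt_pax_flags(path: str):
    """Return the XT_PAX marking stored in user.pax.flags, or None when the
    file is unmarked (ENODATA) or the filesystem has no xattr support (ENOTSUP)."""
    if not hasattr(os, "getxattr"):          # non-Linux Python builds
        return None
    try:
        return os.getxattr(path, XT_PAX_ATTR).decode("ascii", "replace")
    except OSError:
        return None


def fs_supports_user_xattr(directory: str = None) -> bool:
    """Probe whether files in `directory` can carry user.* xattrs. If this is
    False, every pax-mark that relied on XT_PAX was a silent no-op there."""
    if not hasattr(os, "setxattr"):
        return False
    try:
        fd, probe = tempfile.mkstemp(dir=directory or tempfile.gettempdir())
    except OSError:
        return False
    try:
        os.close(fd)
        os.setxattr(probe, PROBE_ATTR, b"1")
        return os.getxattr(probe, PROBE_ATTR) == b"1"
    except OSError:
        return False
    finally:
        os.unlink(probe)


def marking_status(path: str) -> dict:
    """Report both marking kinds for one file so a switch to hardened can be
    checked per binary instead of assumed."""
    with open(path, "rb") as fh:
        image = fh.read()
    return {"PT_PAX": pt_pax_flags(image), "XT_PAX": xt_pax_flags(path)}


def build_elf64_with_pt_pax(p_flags: int) -> bytes:
    """Constructed sample: a minimal (non-executable) ELF64 image whose only
    program header is a PT_PAX_FLAGS entry with the given p_flags."""
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr


def demo() -> dict:
    """Write the constructed sample (marked "me", i.e. NOMPROTECT|NOEMUTRAMP)
    to a temp file and report its markings; the file carries no xattr."""
    flags = PAX_FLAG_BITS["m"] | PAX_FLAG_BITS["e"]
    fd, path = tempfile.mkstemp(suffix=".elf")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_elf64_with_pt_pax(flags))
        return marking_status(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("user xattrs usable in tmpdir:", fs_supports_user_xattr())
    print("constructed sample:", demo())
```

Run against real binaries, `marking_status` returning `{"PT_PAX": None, "XT_PAX": None}` for a package that should be marked is the "mysterious breakage" case from the thread made visible before it bites, and `fs_supports_user_xattr("/usr")` answers the "are you *sure* you've had xattrs enabled" question for the filesystem that actually holds the binaries.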