On 12/18/14 20:36, Matthew Thode wrote:
> On 12/18/2014 07:09 PM, Anthony G. Basile wrote:
>> Hi fellow hardened devs:
>>
>> I'm sorry for missing the meeting but things came up and the day got
>> hectic. It is an important meeting because we were to discuss:
>>
>> 1) what we want with toolchain.eclass - There is a move to get rid of
>> the eclass because it is "messy". This is probably a bad thing in
>> general and especially for hardened so we should discuss the pros and
>> cons and what we want.
>>
>> 2) what to do about tar and POSIX capabilities in the context of
>> building stage3's. Utilities like ping that used to be setuid to root
>> are now just using posix caps. But preserving xattrs with tar is
>> tricky. Since we dealt with this for the user.pax.* xattr namespace
>> jmbsvicetto asked us to look at security.capability. However, the issue
>> may now be moot because I just got a message from him that
>>
>> tar --xattrs --xattrs-include=security.capability
>> --xattrs-include=user.* --acls -xjpvf
>>
>> works to get us all the xattr goodies we need for hardened and gentoo in
>> general.
>>
>>
>> We should try to discuss 1 soon-ish before Cthulhu awakens and madness
>> reigns in gentoo.
>>
> regarding 1: a refactoring is in order probably, but what are the
> specific complaints?

mgorny doesn't like it and says it's intrusive. I was not able to get
more out of him. See

https://www.marc.info/?l=gentoo-dev&m=141804148612262&w=2

>
> regarding 2: The thing we need to ask is if we want to ask users to run
> that to extract stage3 tarballs, instead of -xf and the like.
>

Also responding to Swift. Since we build the stage3's we decide what
xattrs get in there from what is set by the ebuilds --- "we" = any
gentoo dev via the ebuild he/she writes. The question then is up to us
what we want. Right now we are including only security.capability and
user.pax.flags. releng has adopted a blacklist policy where all xattrs
are excluded unless we specifically include them. So acls and selinux
are not included.

Note: this is just what gets into the stage3 tarball. Once unpacked,
the user is free to set whatever xattrs he/she wants.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
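
Added example (not part of the original thread and not Gentoo releng's tooling): GNU tar records each preserved xattr as a `SCHILY.xattr.<name>` pax header, so a tarball can be audited against the security.capability / user.pax.flags allow-list described above without unpacking it. The archive, member names and values below are constructed for the demonstration.

```python
import io
import tarfile

# Allow-list from the message above: the only xattrs meant to ship in a stage3.
ALLOWED = {"security.capability", "user.pax.flags"}
XATTR = "SCHILY.xattr."  # pax record prefix GNU tar uses for each xattr
# pax records GNU tar uses for POSIX ACLs and SELinux contexts
EXCLUDED_RECORDS = ("SCHILY.acl.", "RHT.security.selinux")


def audit_xattrs(fileobj):
    """Return (kept, violations), each mapping member name -> record names."""
    kept, violations = {}, {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            for key in sorted(member.pax_headers):
                if key.startswith(XATTR):
                    name = key[len(XATTR):]
                    bucket = kept if name in ALLOWED else violations
                elif key.startswith(EXCLUDED_RECORDS):
                    name, bucket = key, violations
                else:
                    continue  # ordinary pax fields such as path or mtime
                bucket.setdefault(member.name, []).append(name)
    return kept, violations


def build_sample():
    """Constructed in-memory archive standing in for a stage3 tarball."""
    # vfs_cap_data revision 2, effective bit set, cap_net_raw (bit 13) permitted
    cap_net_raw = "\x01\x00\x00\x02\x00\x20" + "\x00" * 14
    members = {
        "bin/ping": {XATTR + "security.capability": cap_net_raw},
        "usr/bin/sample-jit": {XATTR + "user.pax.flags": "m"},
        "etc/sample.conf": {
            XATTR + "user.comment": "scratch",
            "SCHILY.acl.access": "user::rw-,group::r--,other::r--",
            "RHT.security.selinux": "system_u:object_r:etc_t:s0",
        },
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, headers in members.items():
            info = tarfile.TarInfo(name)
            info.pax_headers = headers
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    kept, violations = audit_xattrs(build_sample())
    print("kept:", kept)
    print("violations:", violations)
```

To audit a real tarball, pass a file opened in binary mode to `audit_xattrs`; mode `r:*` detects bzip2 and other compression automatically.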