| 1 |
On Sat, 13 May 2006 23:04:10 -0700 |
| 2 |
Donnie Berkholz <spyderous@g.o> wrote: |
| 3 |
|
| 4 |
> Kevin F. Quinn (Gentoo) wrote: |
| 5 |
> |
| 6 |
> Oh, OK, let's argue semantics. It's suggested by a hardened user on a |
| 7 |
> bug the hardened team is CC'd on, but the team didn't say anything was |
| 8 |
> wrong with the change. |
| 9 |
|
| 10 |
That's because for the moment we don't have a better suggestion; we |
| 11 |
can't say "don't do it" in this case until we have a solution. Our |
| 12 |
silence doesn't mean we like the solution; it means we haven't got |
| 13 |
anything better to suggest for now. |
| 14 |
|
| 15 |
> > With regards to Duncan's (non-hardened) problem, adding: |
| 16 |
> > |
| 17 |
> > filter-ldflags -Wl,-z,now |
| 18 |
> > |
| 19 |
> > to x-modular.eclass as he suggests should be fine; his issue is |
| 20 |
> > different to that with the hardened compiler in as much as he has |
| 21 |
> > added the '-Wl,-z,now' to LDFLAGS as advised by the QA message and |
| 22 |
> > the above filter will just remove it again; whereas to deal with |
| 23 |
> > the hardened compiler we need to reliably add a flag to all the |
| 24 |
> > relevant link commands (the bit that takes the effort is working |
| 25 |
> > out which are relevant). |
| 26 |
> |
| 27 |
> Now I'm confused. Do you want this filter instead of the current |
| 28 |
> situation, in addition to, or what? This is exactly why I asked for a |
| 29 |
> patch. |
| 30 |
|
| 31 |
This is a completely separate issue, nothing to do with the hardened |
| 32 |
team or the hardened compiler. It causes the same problem in the end, |
| 33 |
but a completely different way. |
| 34 |
|
| 35 |
|
| 36 |
The QA checks in portage advise the user to try: |
| 37 |
|
| 38 |
LDFLAGS='-Wl,-z,now' emerge ${PN} |
| 39 |
|
| 40 |
because the X server is "suid, dyn linked and using lazy |
| 41 |
bindings". This warning becomes fatal if FEATURES=stricter, |
| 42 |
so you may want to RESTRICT it (which doesn't remove the warning, so |
| 43 |
you should be able to find it in your build logs for xorg-server). |
| 44 |
|
| 45 |
|
| 46 |
In summary, for Duncan's issue I suggest adding: |
| 47 |
|
| 48 |
# Xorg server is unaviodably suid with lazy bindings |
| 49 |
RESTRICT="stricter" |
| 50 |
|
| 51 |
to the xorg-server ebuild to stop it dying for people with |
| 52 |
FEATURES=stricter (the comment helps people who have enabled STRICTER |
| 53 |
to see why it's disabled, in case anything else crops up) and also to |
| 54 |
add: |
| 55 |
|
| 56 |
filter-ldflags -Wl,-z,now |
| 57 |
|
| 58 |
to the eclass (perhaps in x-modular_src_compile, or in both |
| 59 |
x-modular_src_config and x-modular_src_make). If you do it just on the |
| 60 |
xorg-server ebuild, and people do what Duncan did and set LDFLAGS in |
| 61 |
make.conf, it'll set BIND_NOW on everything which at the very least |
| 62 |
will cause the radeon and GL drivers to fail to load. |
| 63 |
|
| 64 |
Obviously I haven't tried it so it would be useful if Duncan could |
| 65 |
raise a bug with the exact change he made. |
| 66 |
|
| 67 |
-- |
| 68 |
Kevin F. Quinn |
Archives