| 1 |
On 04/08/2013 12:08 AM, Anthony G. Basile wrote: |
| 2 |
> On 04/07/2013 05:20 PM, Mike Gilbert wrote: |
| 3 |
>> On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn |
| 4 |
>> <chithanh@g.o> wrote: |
| 5 |
>>> Hello All, |
| 6 |
>>> |
| 7 |
>>> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no |
| 8 |
>>> longer has a || die. This means that the resulting binaries may have PT_PAX, |
| 9 |
>>> XATTR_PAX, both or neither markings depending on kernel configuration, |
| 10 |
>>> filesystem and mount options. |
| 11 |
|
| 12 |
Although not used to PaX in general, I've fixed a bug report[1] where "pax-mark -c" was |
| 13 |
sufficient to get some prebuilt thirt-party binary to run on user's hardened machine. |
| 14 |
|
| 15 |
>> In the mean time, maybe we could disable XATTR_PAX markings by default |
| 16 |
>> for people not using the hardened profile. |
| 17 |
>> |
| 18 |
> You can disable either or both type of pax markings by setting PAX_MARKINGS. |
| 19 |
> We can change the default in the eclass. Its currently set to "PT XT". |
| 20 |
> Setting it to "PT" would revert to only doing PT_PAX markings. |
| 21 |
> Then users will have to manually set XT in their make.conf. |
| 22 |
|
| 23 |
While fixing that bug I've discovered the default value of PAX_MARKINGS="PT" |
| 24 |
(has changed to "PT XT" since), but no profile actually setting PAX_MARKINGS="none". |
| 25 |
|
| 26 |
Actually I've wondered if it would make more sense to default to PAX_MARKINGS="none", |
| 27 |
and have the hardened profiles (or the user in make.conf) set a different value. |
| 28 |
|
| 29 |
But thinking again now, I'm wondering if pax-mark should be done in pkg_preinst rather |
| 30 |
than src_install - for the sake of binary merges when the build machine has different |
| 31 |
PAX_MARKINGS than the target machine (no idea if that ever would happen). |
| 32 |
|
| 33 |
[1] https://bugs.gentoo.org/show_bug.cgi?id=456694 |
| 34 |
|
| 35 |
my 2 cents |
| 36 |
/haubi/ |
Archives