| 1 |
On Wed, Oct 14, 2015 at 11:48:07PM -0400, Mike Frysinger wrote: |
| 2 |
> USE=xattr is needed nowadays to support: |
| 3 |
> - filesystem caps (those things that let you drop set*id and generally |
| 4 |
> improves system security w/little to no runtime overhead) |
| 5 |
> - PaX file markings (replaces binutils ELF markings) |
| 6 |
> - selinux |
| 7 |
> |
| 8 |
> we actually have USE=filecaps on by default already, and catalyst |
| 9 |
> hard requires tar[xattr] in order to work. the hardened profile |
| 10 |
> also package.use.force's this flag on for some core packages. |
| 11 |
> |
| 12 |
> not too many packages actually utilize this flag, and when they do, |
| 13 |
> it's to pull in the attr package which clocks in at <200 KiB. the |
| 14 |
> runtime overhead tends to be low to non-existent as xattrs tend to |
| 15 |
> be used only when requested. |
| 16 |
> |
| 17 |
> when support is not available in the FS or kernel, packages should |
| 18 |
> generally fall back gracefully. |
| 19 |
> |
| 20 |
> anyone opposed to flipping this flag on by default ? |
| 21 |
> |
| 22 |
> reference: |
| 23 |
> https://bugs.gentoo.org/506198 |
| 24 |
> https://bugs.gentoo.org/556408 |
| 25 |
> -mike |
| 26 |
|
| 27 |
As part of the hardened and SELinux teams, definitely +1 from me. |
| 28 |
|
| 29 |
-- Jason |
Archives