1 |
On Wed, Oct 14, 2015 at 11:48:07PM -0400, Mike Frysinger wrote: |
2 |
> USE=xattr is needed nowadays to support: |
3 |
> - filesystem caps (those things that let you drop set*id and generally |
4 |
> improves system security w/little to no runtime overhead) |
5 |
> - PaX file markings (replaces binutils ELF markings) |
6 |
> - selinux |
7 |
> |
8 |
> we actually have USE=filecaps on by default already, and catalyst |
9 |
> hard requires tar[xattr] in order to work. the hardened profile |
10 |
> also package.use.force's this flag on for some core packages. |
11 |
> |
12 |
> not too many packages actually utilize this flag, and when they do, |
13 |
> it's to pull in the attr package which clocks in at <200 KiB. the |
14 |
> runtime overhead tends to be low to non-existent as xattrs tend to |
15 |
> be used only when requested. |
16 |
> |
17 |
> when support is not available in the FS or kernel, packages should |
18 |
> generally fall back gracefully. |
19 |
> |
20 |
> anyone opposed to flipping this flag on by default ? |
21 |
> |
22 |
> reference: |
23 |
> https://bugs.gentoo.org/506198 |
24 |
> https://bugs.gentoo.org/556408 |
25 |
> -mike |
26 |
|
27 |
As part of the hardened and SELinux teams, definitely +1 from me. |
28 |
|
29 |
-- Jason |