| 1 |
On 08/02/2011 10:31 AM, Ciaran McCreesh wrote: |
| 2 |
> On Tue, 02 Aug 2011 10:28:58 -0400 |
| 3 |
> "Anthony G. Basile" <blueness@g.o> wrote: |
| 4 |
>> I prefer capsetting in the PMS itself, with a nice clean function |
| 5 |
>> which auto detects all the necessary conditions and transparently |
| 6 |
>> preserves caps, as you suggest. Maybe this can be in EAPI=5. |
| 7 |
> Would need a spec, along with a way of dealing with all the problems: |
| 8 |
> what happens if the build fs supports caps but the install fs doesn't? |
| 9 |
> What about if caps are supported on both but in different ways (tmpfs |
| 10 |
> on some kernels)? Is it up to the PM to deal with that? How does the PM |
| 11 |
> even know? |
| 12 |
> |
| 13 |
|
| 14 |
That's exactly what I was thinking of for the PM. It would have to |
| 15 |
autodetect all that. Eg. it could create a test file on each fs and |
| 16 |
then do a getcap on it and if it fails, you have your answer. If |
| 17 |
necessary and it exists, it could look at /proc/config. I think it's |
| 18 |
doable. |
| 19 |
|
| 20 |
>> I'm also wondering if, in the mean time, it might be worth writing a |
| 21 |
>> bash script and/or howto on converting as many binaries as possible |
| 22 |
>> from setuid to caps --- hitting up all the usual suspects. Its not |
| 23 |
>> ideal but might still be useful until we get this squarely in the PMS. |
| 24 |
> PMS currently explicitly states that caps might get clobbered on a |
| 25 |
> merge (because Portage does that sometimes). So if you're doing it now, |
| 26 |
> it'd have to be as a pkg_postinst thing. But I'd strongly recommend not |
| 27 |
> going that route, since it'll almost certainly go horribly wrong in a |
| 28 |
> "your system randomly no longer works" kind of way... Better to ban |
| 29 |
> things from using caps for now. |
| 30 |
> |
| 31 |
|
| 32 |
I was thinking something even dirtier, something outside of the PMS |
| 33 |
altogether, along the lines of what one does when converting to a |
| 34 |
selinux system where one relabels the entire filesystem with rlpkg. So |
| 35 |
no, not something via pkg_postinst(). |
| 36 |
|
| 37 |
-- |
| 38 |
Anthony G. Basile, Ph.D. |
| 39 |
Gentoo Linux Developer [Hardened] |
| 40 |
E-Mail : blueness@g.o |
| 41 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 42 |
GnuPG ID : D0455535 |
Archives