1 |
On 10/14/15 11:48 PM, Mike Frysinger wrote: |
2 |
> USE=xattr is needed nowadays to support: |
3 |
> - filesystem caps (those things that let you drop set*id and generally |
4 |
> improves system security w/little to no runtime overhead) |
5 |
> - PaX file markings (replaces binutils ELF markings) |
6 |
> - selinux |
7 |
> |
8 |
> we actually have USE=filecaps on by default already, and catalyst |
9 |
> hard requires tar[xattr] in order to work. the hardened profile |
10 |
> also package.use.force's this flag on for some core packages. |
11 |
> |
12 |
> not too many packages actually utilize this flag, and when they do, |
13 |
> it's to pull in the attr package which clocks in at <200 KiB. the |
14 |
> runtime overhead tends to be low to non-existent as xattrs tend to |
15 |
> be used only when requested. |
16 |
> |
17 |
> when support is not available in the FS or kernel, packages should |
18 |
> generally fall back gracefully. |
19 |
> |
20 |
> anyone opposed to flipping this flag on by default ? |
21 |
|
22 |
do it. the only problem i see coming is kernel configurations which |
23 |
don't have xattrs set. this can happen on embedded boards where its |
24 |
difficult/impossible to swap out kernels (like some of the stuff i |
25 |
have). fcaps.eclass has intelligence for this. i'll look again at |
26 |
pax-utils.eclass and make sure there is enough error checking to deal |
27 |
with kernel/filesystems that can't handle xattrs. i remember some issue |
28 |
with scanfelf's exit code which caused some problem, but we can talk |
29 |
about that later when i've refreshed the issue in my head. |
30 |
|
31 |
> |
32 |
> reference: |
33 |
> https://bugs.gentoo.org/506198 |
34 |
> https://bugs.gentoo.org/556408 |
35 |
> -mike |
36 |
|
37 |
|
38 |
-- |
39 |
Anthony G. Basile, Ph.D. |
40 |
Gentoo Linux Developer [Hardened] |
41 |
E-Mail : blueness@g.o |
42 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
43 |
GnuPG ID : F52D4BBA |