| 1 |
On 10/14/15 11:48 PM, Mike Frysinger wrote: |
| 2 |
> USE=xattr is needed nowadays to support: |
| 3 |
> - filesystem caps (those things that let you drop set*id and generally |
| 4 |
> improves system security w/little to no runtime overhead) |
| 5 |
> - PaX file markings (replaces binutils ELF markings) |
| 6 |
> - selinux |
| 7 |
> |
| 8 |
> we actually have USE=filecaps on by default already, and catalyst |
| 9 |
> hard requires tar[xattr] in order to work. the hardened profile |
| 10 |
> also package.use.force's this flag on for some core packages. |
| 11 |
> |
| 12 |
> not too many packages actually utilize this flag, and when they do, |
| 13 |
> it's to pull in the attr package which clocks in at <200 KiB. the |
| 14 |
> runtime overhead tends to be low to non-existent as xattrs tend to |
| 15 |
> be used only when requested. |
| 16 |
> |
| 17 |
> when support is not available in the FS or kernel, packages should |
| 18 |
> generally fall back gracefully. |
| 19 |
> |
| 20 |
> anyone opposed to flipping this flag on by default ? |
| 21 |
|
| 22 |
do it. the only problem i see coming is kernel configurations which |
| 23 |
don't have xattrs set. this can happen on embedded boards where its |
| 24 |
difficult/impossible to swap out kernels (like some of the stuff i |
| 25 |
have). fcaps.eclass has intelligence for this. i'll look again at |
| 26 |
pax-utils.eclass and make sure there is enough error checking to deal |
| 27 |
with kernel/filesystems that can't handle xattrs. i remember some issue |
| 28 |
with scanfelf's exit code which caused some problem, but we can talk |
| 29 |
about that later when i've refreshed the issue in my head. |
| 30 |
|
| 31 |
> |
| 32 |
> reference: |
| 33 |
> https://bugs.gentoo.org/506198 |
| 34 |
> https://bugs.gentoo.org/556408 |
| 35 |
> -mike |
| 36 |
|
| 37 |
|
| 38 |
-- |
| 39 |
Anthony G. Basile, Ph.D. |
| 40 |
Gentoo Linux Developer [Hardened] |
| 41 |
E-Mail : blueness@g.o |
| 42 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 43 |
GnuPG ID : F52D4BBA |
Archives