| 1 |
On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn |
| 2 |
<chithanh@g.o> wrote: |
| 3 |
> Hello All, |
| 4 |
> |
| 5 |
> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no |
| 6 |
> longer has a || die. This means that the resulting binaries may have PT_PAX, |
| 7 |
> XATTR_PAX, both or neither markings depending on kernel configuration, |
| 8 |
> filesystem and mount options. |
| 9 |
> |
| 10 |
> I'd say that is not a good thing. If you agree with me, what could be done |
| 11 |
> here? Have pax-mark die in the eclass or mandate || die in ebuilds? This |
| 12 |
> would probably require pax-mark calls to be conditional on pax_kernel USE |
| 13 |
> flag or similar. |
| 14 |
> |
| 15 |
|
| 16 |
Most ebuilds do not call pax-mark || die. Most people do not run PaX |
| 17 |
systems, so a failure here is not a major issue. |
| 18 |
|
| 19 |
I would like to see the kernel patch enabling user.pax attributes on |
| 20 |
tmpfs submitted to Linus' kernel tree; that would eliminate the major |
| 21 |
cause of failures here. |
| 22 |
|
| 23 |
In the mean time, maybe we could disable XATTR_PAX markings by default |
| 24 |
for people not using the hardened profile. |
Archives