Archives
Archives
| From: | "Anthony G. Basile" <blueness@g.o> | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] Proposed update to pax-utils.eclass | ||
| Date: | Mon, 25 Mar 2013 00:21:20 | ||
| Message-Id: | 514F9840.7030204@gentoo.org | ||
| In Reply to: | [gentoo-dev] Proposed update to pax-utils.eclass by "Anthony G. Basile" |
||
| 1 | On 03/17/2013 08:19 AM, Anthony G. Basile wrote: |
| 2 | > Hi everyone, |
| 3 | > |
| 4 | > The hardened team has been working on getting PaX markings moved to |
| 5 | > Extended Attributes rather then putting them in a program header of |
| 6 | > the ELF binaries [1]. The motivation here is that this is a generally |
| 7 | > safer way of doing PaX markings since mangling an ELF binary can break |
| 8 | > things [2]. |
| 9 | > |
| 10 | > The last step in the process is getting an eclass on the tree which |
| 11 | > does both xattr as well as elf phdr based PaX markings. We've been |
| 12 | > testing one for a while and we think we've clobbered all the bugs. The |
| 13 | > eclass deviates significantly from the one on the tree, so a I'm not |
| 14 | > sure a diff is the best way to present it. The current version is on |
| 15 | > the hardened-dev overay [3]. It also makes use of a new utility |
| 16 | > called paxctl-ng which does what paxctl did but also with xattr [4]. |
| 17 | > |
| 18 | > You may want to look at some documentation too. A updated discussion |
| 19 | > of PaX which includes xattr stuff is at [5]. A migration guide is at |
| 20 | > [6]. |
| 21 | > |
| 22 | > Please review. We are in no rush to get this done, so if you find |
| 23 | > bugs or have concerns, add blockers to the tracker [1]. |
| 24 | > |
| 25 | > |
| 26 | > Ref. |
| 27 | > |
| 28 | > [1] https://bugs.gentoo.org/show_bug.cgi?id=427888 |
| 29 | > |
| 30 | > [2] eg skype, https://bugs.gentoo.org/show_bug.cgi?id=461668 |
| 31 | > |
| 32 | > [3] |
| 33 | > http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f |
| 34 | > |
| 35 | > [4] This is part of the sys-apps/elfix package. The repo is at |
| 36 | > http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary |
| 37 | > |
| 38 | > [5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml |
| 39 | > |
| 40 | > [6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml |
| 41 | > |
| 42 | > |
| 43 | |
| 44 | Last call, does anyone have a problem with me updating the |
| 45 | pax-utils.eclass? See Ref [3] above for the code. I'll wait a couple |
| 46 | more days and then do it. |
| 47 | |
| 48 | -- |
| 49 | Anthony G. Basile, Ph.D. |
| 50 | Gentoo Linux Developer [Hardened] |
| 51 | E-Mail : blueness@g.o |
| 52 | GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 53 | GnuPG ID : F52D4BBA |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Proposed update to pax-utils.eclass | Gilles Dartiguelongue <eva@g.o> |