| 1 |
On 04/07/2013 05:20 PM, Mike Gilbert wrote: |
| 2 |
> On Sun, Apr 7, 2013 at 5:11 PM, Chí-Thanh Christopher Nguyễn |
| 3 |
> <chithanh@g.o> wrote: |
| 4 |
>> Hello All, |
| 5 |
>> |
| 6 |
>> After recent changes in dev-lang/v8 and related ebuilds, the pax-mark call no |
| 7 |
>> longer has a || die. This means that the resulting binaries may have PT_PAX, |
| 8 |
>> XATTR_PAX, both or neither markings depending on kernel configuration, |
| 9 |
>> filesystem and mount options. |
| 10 |
>> |
| 11 |
>> I'd say that is not a good thing. If you agree with me, what could be done |
| 12 |
>> here? Have pax-mark die in the eclass or mandate || die in ebuilds? This |
| 13 |
>> would probably require pax-mark calls to be conditional on pax_kernel USE |
| 14 |
>> flag or similar. |
| 15 |
>> |
| 16 |
> Most ebuilds do not call pax-mark || die. Most people do not run PaX |
| 17 |
> systems, so a failure here is not a major issue. |
| 18 |
> |
| 19 |
> I would like to see the kernel patch enabling user.pax attributes on |
| 20 |
> tmpfs submitted to Linus' kernel tree; that would eliminate the major |
| 21 |
> cause of failures here. |
| 22 |
> |
| 23 |
> In the mean time, maybe we could disable XATTR_PAX markings by default |
| 24 |
> for people not using the hardened profile. |
| 25 |
> |
| 26 |
You can disable either or both type of pax markings by setting |
| 27 |
PAX_MARKINGS. We can change the default in the eclass. Its currently |
| 28 |
set to "PT XT". Setting it to "PT" would revert to only doing PT_PAX |
| 29 |
markings. Then users will have to manually set XT in their make.conf. |
| 30 |
|
| 31 |
I can try to get the user.pax on tmpfs patch into the Linux tree. At the |
| 32 |
very least, we can get it into gentoo-sources. |
| 33 |
|
| 34 |
-- |
| 35 |
Anthony G. Basile, Ph.D. |
| 36 |
Gentoo Linux Developer [Hardened] |
| 37 |
E-Mail : blueness@g.o |
| 38 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 39 |
GnuPG ID : F52D4BBA |
Archives