| 1 |
On 04/08/2013 01:14 PM, Mike Gilbert wrote: |
| 2 |
> On Mon, Apr 8, 2013 at 10:21 AM, Michael Haubenwallner <haubi@g.o> wrote: |
| 3 |
>> Actually I've wondered if it would make more sense to default to PAX_MARKINGS="none", |
| 4 |
>> and have the hardened profiles (or the user in make.conf) set a different value. |
| 5 |
> That makes some sense to me. The downside is that that switching from |
| 6 |
> vanilla gentoo to hardened would require a rebuild of all packages |
| 7 |
> that need pax markings. |
| 8 |
|
| 9 |
That's why I set PAX_MARKINGS="XT PT", to avoid the downside. We do |
| 10 |
have users who switch back and forth and I'll be trading one set of bugs |
| 11 |
for another. As a compromise position, we can fall back to what we've |
| 12 |
been doing all along, that is PAX_MARKINGS="PT". Users who want |
| 13 |
XATTR_PAX and set up their system to handle xattrs on all the |
| 14 |
filesystems can then just set PAX_MARKINGS="XT" in their make.conf. |
| 15 |
|
| 16 |
Just to remind everyone, all elf objects built on gentoo have a |
| 17 |
PAX_FLAGS program header to house the flags. Users just don't know |
| 18 |
about them because the vanilla kernel ignores those flags, so its pretty |
| 19 |
harmless to do the markings. Its foreign binaries (ie compiled on other |
| 20 |
systems) that cause issues and that's why we are aiming for XATTR_PAX |
| 21 |
markings as the method of choice once we get all the bugs ironed out. |
| 22 |
|
| 23 |
Let me know what you think and I'll drop down to PAX_MARKINGS="PT" in |
| 24 |
the eclass. |
| 25 |
|
| 26 |
> |
| 27 |
>> But thinking again now, I'm wondering if pax-mark should be done in pkg_preinst rather |
| 28 |
>> than src_install - for the sake of binary merges when the build machine has different |
| 29 |
>> PAX_MARKINGS than the target machine (no idea if that ever would happen). |
| 30 |
> This also makes sense to me. |
| 31 |
> |
| 32 |
|
| 33 |
You should do XATTR_PAX markings *after* install runs. It can be in |
| 34 |
src_install() or later provided it is done after the usual emake |
| 35 |
install. That's because install does not copy extended attributes. |
| 36 |
Practically all of coreutils does (provided its compiled with xattr |
| 37 |
support), but not install. I'm working on a patch and see what upstream |
| 38 |
has to say, but if people want to quickly fix their packages, just move |
| 39 |
pax-mark later. If you can't because you need it during src_compile |
| 40 |
before tests, you can always pax-mark-ing twice. |
| 41 |
|
| 42 |
I like the idea of a FEATURES="pax" but we might want to think about a |
| 43 |
FEATURES="security" which introduces a new phase which can do either pax |
| 44 |
markings or selinux markings. We've been doing pax markings in ebuilds, |
| 45 |
but selinux labeling is done after most of the system is put in place, |
| 46 |
the appropriate sec-policy/selinux-XXX are emerged and then a global |
| 47 |
rlpkg is applied. It would be nice to automate that in a src_secmark() |
| 48 |
phase. (Just thinking out loud.) |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
Anthony G. Basile, Ph.D. |
| 53 |
Gentoo Linux Developer [Hardened] |
| 54 |
E-Mail : blueness@g.o |
| 55 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 56 |
GnuPG ID : F52D4BBA |
Archives