1 |
On 04/08/2013 01:14 PM, Mike Gilbert wrote: |
2 |
> On Mon, Apr 8, 2013 at 10:21 AM, Michael Haubenwallner <haubi@g.o> wrote: |
3 |
>> Actually I've wondered if it would make more sense to default to PAX_MARKINGS="none", |
4 |
>> and have the hardened profiles (or the user in make.conf) set a different value. |
5 |
> That makes some sense to me. The downside is that that switching from |
6 |
> vanilla gentoo to hardened would require a rebuild of all packages |
7 |
> that need pax markings. |
8 |
|
9 |
That's why I set PAX_MARKINGS="XT PT", to avoid the downside. We do |
10 |
have users who switch back and forth and I'll be trading one set of bugs |
11 |
for another. As a compromise position, we can fall back to what we've |
12 |
been doing all along, that is PAX_MARKINGS="PT". Users who want |
13 |
XATTR_PAX and set up their system to handle xattrs on all the |
14 |
filesystems can then just set PAX_MARKINGS="XT" in their make.conf. |
15 |
|
16 |
Just to remind everyone, all elf objects built on gentoo have a |
17 |
PAX_FLAGS program header to house the flags. Users just don't know |
18 |
about them because the vanilla kernel ignores those flags, so its pretty |
19 |
harmless to do the markings. Its foreign binaries (ie compiled on other |
20 |
systems) that cause issues and that's why we are aiming for XATTR_PAX |
21 |
markings as the method of choice once we get all the bugs ironed out. |
22 |
|
23 |
Let me know what you think and I'll drop down to PAX_MARKINGS="PT" in |
24 |
the eclass. |
25 |
|
26 |
> |
27 |
>> But thinking again now, I'm wondering if pax-mark should be done in pkg_preinst rather |
28 |
>> than src_install - for the sake of binary merges when the build machine has different |
29 |
>> PAX_MARKINGS than the target machine (no idea if that ever would happen). |
30 |
> This also makes sense to me. |
31 |
> |
32 |
|
33 |
You should do XATTR_PAX markings *after* install runs. It can be in |
34 |
src_install() or later provided it is done after the usual emake |
35 |
install. That's because install does not copy extended attributes. |
36 |
Practically all of coreutils does (provided its compiled with xattr |
37 |
support), but not install. I'm working on a patch and see what upstream |
38 |
has to say, but if people want to quickly fix their packages, just move |
39 |
pax-mark later. If you can't because you need it during src_compile |
40 |
before tests, you can always pax-mark-ing twice. |
41 |
|
42 |
I like the idea of a FEATURES="pax" but we might want to think about a |
43 |
FEATURES="security" which introduces a new phase which can do either pax |
44 |
markings or selinux markings. We've been doing pax markings in ebuilds, |
45 |
but selinux labeling is done after most of the system is put in place, |
46 |
the appropriate sec-policy/selinux-XXX are emerged and then a global |
47 |
rlpkg is applied. It would be nice to automate that in a src_secmark() |
48 |
phase. (Just thinking out loud.) |
49 |
|
50 |
|
51 |
-- |
52 |
Anthony G. Basile, Ph.D. |
53 |
Gentoo Linux Developer [Hardened] |
54 |
E-Mail : blueness@g.o |
55 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
56 |
GnuPG ID : F52D4BBA |