| 1 |
On 10/22/2013 07:49 PM, Rick "Zero_Chaos" Farina wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA1 |
| 4 |
> |
| 5 |
> On 10/22/2013 01:56 PM, Anthony G. Basile wrote: |
| 6 |
>> On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote: |
| 7 |
>>> -----BEGIN PGP SIGNED MESSAGE----- |
| 8 |
>>> Hash: SHA1 |
| 9 |
>>> |
| 10 |
>>> On 10/21/2013 03:00 PM, Magnus Granberg wrote: |
| 11 |
>>>> Agenda |
| 12 |
>>>> 1.0 New Devloper |
| 13 |
>>>> 2.0 Toolchain |
| 14 |
>>>> 3.0 Kernel/Grsec/Pax |
| 15 |
>>>> 3.1 Use pax_kernel |
| 16 |
>>> The USE=pax_kernel is used for two reasons. One reason is XYZ needs to |
| 17 |
>>> be done or pax kills the build/test. The second reason is XYZ needs to |
| 18 |
>>> be done to build against a hardened kernel. |
| 19 |
>> It is wrong to build anything against the kernel api except as defined |
| 20 |
>> in /usr/include/linux, hardened or not. We have lots of ebuild which |
| 21 |
>> look at the kernel source tree in /usr/src/linux and build against it. |
| 22 |
>> These are broken. The kernel source tree exposes many internal |
| 23 |
>> structures which are subject to change without notice, not the least of |
| 24 |
>> which afflicted iptables for the longest time. |
| 25 |
>> |
| 26 |
>> By extension, no ebuild should build against a hardened kernel source |
| 27 |
>> tree. USE=pax_kernel should never mean "XYZ needs to be done to build |
| 28 |
>> against a hardened kernel". It should only be used to mean "the ELFs |
| 29 |
>> provided by this package *may* be run under a kernel with pax memory |
| 30 |
>> protection enforced." If its a question of an out of source tree |
| 31 |
>> kernel module being built and requiring a patch, eg constification, then |
| 32 |
>> some other solution needs to be found. |
| 33 |
>> |
| 34 |
>> What ebuilds are we talking about here that fit the later category? |
| 35 |
>> |
| 36 |
> Kernel modules such as nvidia-drivers, which I'm confident are allowed |
| 37 |
> to build against the kernel sources. |
| 38 |
> |
| 39 |
> - -Zero |
| 40 |
> |
| 41 |
|
| 42 |
Out of source tree kernel modules can (and often must) build against |
| 43 |
/usr/src/linux. My comments were about userland. |
| 44 |
|
| 45 |
Anyhow, back to the original issue, can't some local use flag be used |
| 46 |
here to say apply the constify patch? We don't want to polute the |
| 47 |
meaning of USE=pax_kernel. |
| 48 |
|
| 49 |
-- |
| 50 |
Anthony G. Basile, Ph.D. |
| 51 |
Gentoo Linux Developer [Hardened] |
| 52 |
E-Mail : blueness@g.o |
| 53 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 54 |
GnuPG ID : F52D4BBA |
Archives