| 1 |
On 10/19/2013 08:56 PM, Michael Orlitzky wrote: |
| 2 |
> On 10/19/2013 08:29 PM, Anthony G. Basile wrote: |
| 3 |
>> |
| 4 |
>> Can you check to see if the || die is required only on packages before |
| 5 |
>> EAPI = 5? Or is it on all EAPI versions? |
| 6 |
> |
| 7 |
> It's required anywhere you want the ebuild to die when pax-mark fails. |
| 8 |
> AFAIK, the EAPI >= 4 auto-die behavior only applies to the commands |
| 9 |
> listed in the PMS under "Ebuild-specific Commands". |
| 10 |
> |
| 11 |
> |
| 12 |
>> Having said that, I'm not sure we want the ebuild to fail just because |
| 13 |
>> pax-mark fails. People on vanilla profiles without xattr support will |
| 14 |
>> be annoyed. |
| 15 |
> |
| 16 |
> Can this be done in the profiles instead of the eclass? |
| 17 |
> |
| 18 |
> Right now, the eclass sets PAX_MARKINGS="PT" for everyone when the |
| 19 |
> variable is unset. On hardened, we probably want PAX_MARKINGS="PT" for |
| 20 |
> now, PAX_MARKINGS="PT XT" later, and PAX_MARKINGS="XT" eventually. |
| 21 |
> |
| 22 |
> Non-hardened users don't care about the markings[1], so it doesn't |
| 23 |
> matter to them whether or not pax-mark fails. But for hardened users, |
| 24 |
> the package will be broken, so the ebuild should die. |
| 25 |
> |
| 26 |
> What would happen it we changed the line, |
| 27 |
> |
| 28 |
> PAX_MARKINGS=${PAX_MARKINGS:="PT"} |
| 29 |
> |
| 30 |
> in the eclass, to, |
| 31 |
> |
| 32 |
> PAX_MARKINGS=${PAX_MARKINGS:="none"} |
| 33 |
> |
| 34 |
> and added, |
| 35 |
> |
| 36 |
> PAX_MARKINGS="PT" |
| 37 |
> |
| 38 |
> to the hardened make.defaults? |
| 39 |
> |
| 40 |
> |
| 41 |
> |
| 42 |
> [1] There may be exceptions to this rule, but if we remove the PT |
| 43 |
> default for non-hardened users, they can still set PAX_MARKINGS in |
| 44 |
> make.conf if they want the markings. |
| 45 |
> |
| 46 |
|
| 47 |
The profile idea is a good one, but I'm always worried about people who |
| 48 |
switch profiles. If we don't do the markings on *all* gentoo systems, |
| 49 |
then someone switching from vanilla to hardened may have to re-emerge |
| 50 |
lots of packages. Unlike PT_PAX which is guaranteed to be there for |
| 51 |
systems compiled on gentoo, XT_PAX markings are more fragile and depend |
| 52 |
on the filesystem being able to sustain them. |
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
-- |
| 57 |
Anthony G. Basile, Ph. D. |
| 58 |
Chair of Information Technology |
| 59 |
D'Youville College |
| 60 |
Buffalo, NY 14201 |
| 61 |
(716) 829-8197 |
Archives