| 1 |
On Sun, 20 Oct 2013 19:39:10 -0400 |
| 2 |
"Anthony G. Basile" <basile@××××××××××××××.edu> wrote: |
| 3 |
|
| 4 |
> On 10/19/2013 08:56 PM, Michael Orlitzky wrote: |
| 5 |
> > On 10/19/2013 08:29 PM, Anthony G. Basile wrote: |
| 6 |
> >> |
| 7 |
> >> Can you check to see if the || die is required only on packages |
| 8 |
> >> before EAPI = 5? Or is it on all EAPI versions? |
| 9 |
> > |
| 10 |
> > It's required anywhere you want the ebuild to die when pax-mark |
| 11 |
> > fails. AFAIK, the EAPI >= 4 auto-die behavior only applies to the |
| 12 |
> > commands listed in the PMS under "Ebuild-specific Commands". |
| 13 |
> > |
| 14 |
> > |
| 15 |
> >> Having said that, I'm not sure we want the ebuild to fail just |
| 16 |
> >> because pax-mark fails. People on vanilla profiles without xattr |
| 17 |
> >> support will be annoyed. |
| 18 |
> > |
| 19 |
> > Can this be done in the profiles instead of the eclass? |
| 20 |
> > |
| 21 |
> > Right now, the eclass sets PAX_MARKINGS="PT" for everyone when the |
| 22 |
> > variable is unset. On hardened, we probably want PAX_MARKINGS="PT" |
| 23 |
> > for now, PAX_MARKINGS="PT XT" later, and PAX_MARKINGS="XT" |
| 24 |
> > eventually. |
| 25 |
> > |
| 26 |
> > Non-hardened users don't care about the markings[1], so it doesn't |
| 27 |
> > matter to them whether or not pax-mark fails. But for hardened |
| 28 |
> > users, the package will be broken, so the ebuild should die. |
| 29 |
> > |
| 30 |
> > What would happen it we changed the line, |
| 31 |
> > |
| 32 |
> > PAX_MARKINGS=${PAX_MARKINGS:="PT"} |
| 33 |
> > |
| 34 |
> > in the eclass, to, |
| 35 |
> > |
| 36 |
> > PAX_MARKINGS=${PAX_MARKINGS:="none"} |
| 37 |
> > |
| 38 |
> > and added, |
| 39 |
> > |
| 40 |
> > PAX_MARKINGS="PT" |
| 41 |
> > |
| 42 |
> > to the hardened make.defaults? |
| 43 |
> > |
| 44 |
> > |
| 45 |
> > |
| 46 |
> > [1] There may be exceptions to this rule, but if we remove the PT |
| 47 |
> > default for non-hardened users, they can still set PAX_MARKINGS in |
| 48 |
> > make.conf if they want the markings. |
| 49 |
> > |
| 50 |
> |
| 51 |
> The profile idea is a good one, but I'm always worried about people |
| 52 |
> who switch profiles. If we don't do the markings on *all* gentoo |
| 53 |
> systems, then someone switching from vanilla to hardened may have to |
| 54 |
> re-emerge lots of packages. Unlike PT_PAX which is guaranteed to be |
| 55 |
> there for systems compiled on gentoo, XT_PAX markings are more |
| 56 |
> fragile and depend on the filesystem being able to sustain them. |
| 57 |
> |
| 58 |
> |
| 59 |
> |
| 60 |
|
| 61 |
I will just note that people changing profile usually should rebuild |
| 62 |
world anyway, to have everything build with hardened toolchain. |
| 63 |
So maybe just add another step to hardened guide, like reboot into |
| 64 |
xattr enabled kernel before building stuff. |
Archives