| 1 |
On 10/20/2013 07:39 PM, Anthony G. Basile wrote: |
| 2 |
> |
| 3 |
> The profile idea is a good one, but I'm always worried about people who |
| 4 |
> switch profiles. If we don't do the markings on *all* gentoo systems, |
| 5 |
> then someone switching from vanilla to hardened may have to re-emerge |
| 6 |
> lots of packages. Unlike PT_PAX which is guaranteed to be there for |
| 7 |
> systems compiled on gentoo, XT_PAX markings are more fragile and depend |
| 8 |
> on the filesystem being able to sustain them. |
| 9 |
> |
| 10 |
|
| 11 |
|
| 12 |
I thought about this, but it isn't as bad as it looks initially. |
| 13 |
|
| 14 |
As long as we have PT_PAX, there's nothing to worry about. Even with a |
| 15 |
profile-based solution, we could set PAX_MARKINGS="PT" in the base |
| 16 |
make.defaults. So no problem for now. |
| 17 |
|
| 18 |
But eventually, we're going to drop PT_PAX in favor of XT_PAX. As I |
| 19 |
mentioned, many ebuilds in the tree are calling "pax-mark || die". That |
| 20 |
will block the switch, since packages would begin to fail for users |
| 21 |
without xattr support. There are two obvious ways to fix it: remove the |
| 22 |
die calls, or implement a profile-based solution that doesn't annoy |
| 23 |
non-hardened users. So maybe we have to implement a profile-based |
| 24 |
solution anyway, and the point is moot. |
| 25 |
|
| 26 |
But lets say for the sake of argument that everyone removes the "|| die" |
| 27 |
from their pax-marks. We still have two cases: |
| 28 |
|
| 29 |
1. The users that have xattr-enabled filesystems. They can switch |
| 30 |
to hardened freely, since the pax-marks have been succeeding. |
| 31 |
|
| 32 |
But are you *sure* you've had xattrs enabled the entire time we've |
| 33 |
been doing XT_PAX markings? |
| 34 |
|
| 35 |
a. If so, great. |
| 36 |
|
| 37 |
b. If not, you'd better `emerge -e world` anyway to avoid |
| 38 |
surprises. |
| 39 |
|
| 40 |
2. Users without xattr support. The calls to pax-mark didn't do |
| 41 |
anything, but they didn't fail. A full `emerge -e world` is |
| 42 |
necessary to avoid mysterious breakage. |
| 43 |
|
| 44 |
This is in contrast to the profile-based solution, which only has one |
| 45 |
case: everybody has to `emerge -e world` once to get the markings. But, |
| 46 |
after we drop PT_PAX, this is only *worse* for the people in (1.a). |
| 47 |
That's a much smaller group than /everyone/ who switches to hardened. |
Archives