On 10/22/2013 01:09 PM, Rick "Zero_Chaos" Farina wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/21/2013 03:00 PM, Magnus Granberg wrote:
>> Agenda
>> 1.0 New Developer
>> 2.0 Toolchain
>> 3.0 Kernel/Grsec/Pax
>> 3.1 Use pax_kernel
> The USE=pax_kernel is used for two reasons. One reason is XYZ needs to
> be done or pax kills the build/test. The second reason is XYZ needs to
> be done to build against a hardened kernel.

It is wrong to build anything against the kernel API except as defined
in /usr/include/linux, hardened or not. We have lots of ebuilds which
look at the kernel source tree in /usr/src/linux and build against it.
These are broken. The kernel source tree exposes many internal
structures which are subject to change without notice, not the least of
which afflicted iptables for the longest time.

By extension, no ebuild should build against a hardened kernel source
tree. USE=pax_kernel should never mean "XYZ needs to be done to build
against a hardened kernel". It should only be used to mean "the ELFs
provided by this package *may* be run under a kernel with PaX memory
protection enforced." If it's a question of an out-of-source-tree
kernel module being built and requiring a patch, e.g. constification, then
some other solution needs to be found.

What ebuilds are we talking about here that fit the latter category?

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
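The two misuses described in the message above (ebuilds that build against the kernel source tree in /usr/src/linux rather than the headers in /usr/include/linux, and USE=pax_kernel being used to mean "build against a hardened kernel" rather than "mark the package's ELFs for a PaX kernel") can be checked for mechanically. The following is an added example written for this page, not Gentoo tooling and not code from anyone in the thread. It assumes that a reference to /usr/src/linux or to linux-info's KERNEL_DIR variable signals building against the kernel source tree, that a pax-mark call (pax-utils.eclass) is the legitimate use of the flag, and the two sample ebuilds are constructed for illustration only.

```python
"""Lint ebuild text for the two pax_kernel / kernel-source misuses.

Added example, not Gentoo's own tooling.  Assumptions:
  - /usr/src/linux, or ${KERNEL_DIR} from linux-info.eclass (which defaults
    to it), means the ebuild builds against the kernel source tree;
  - /usr/include/linux is the sanctioned kernel API and is never flagged;
  - `pax-mark` (pax-utils.eclass) is the intended use of USE=pax_kernel.
"""
import re
from dataclasses import dataclass

KSRC_RE = re.compile(r"/usr/src/linux|\$\{?KERNEL_DIR\}?")
PAX_USE_RE = re.compile(r"\buse\s+pax_kernel\b")
PAX_MARK_RE = re.compile(r"\bpax-mark\b")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the ebuild text; 0 for whole-file findings
    code: str      # short identifier for the problem class
    message: str


def lint_ebuild(text: str) -> list[Finding]:
    """Return findings for one ebuild given as a string.

    KSRC        - a line reaches into the kernel source tree.
    PAX_MEANING - the ebuild tests USE=pax_kernel and touches the kernel
                  source tree but never marks an ELF, i.e. the flag is
                  being used to mean "build against a hardened kernel".
    """
    findings: list[Finding] = []
    uses_pax_flag = touches_ksrc = marks_pax = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank and comment lines
            continue
        if KSRC_RE.search(line):
            touches_ksrc = True
            findings.append(Finding(
                n, "KSRC",
                "builds against the kernel source tree; use /usr/include/linux"))
        if PAX_USE_RE.search(line):
            uses_pax_flag = True
        if PAX_MARK_RE.search(line):
            marks_pax = True
    if uses_pax_flag and touches_ksrc and not marks_pax:
        findings.append(Finding(
            0, "PAX_MEANING",
            "pax_kernel gates kernel-source access instead of marking ELFs "
            "for a PaX kernel"))
    return findings


# Constructed sample: the pattern the message objects to.
BAD_EBUILD = """\
# constructed sample, not a real ebuild
EAPI=5
inherit linux-info
DEPEND="pax_kernel? ( sys-kernel/hardened-sources )"
src_configure() {
    if use pax_kernel; then
        econf --with-kernel-src=/usr/src/linux
    fi
}
"""

# Constructed sample: builds against /usr/include/linux and uses the flag
# only to mark the installed ELF.
GOOD_EBUILD = """\
# constructed sample, not a real ebuild
EAPI=5
inherit pax-utils
src_configure() {
    econf --with-linux-headers=/usr/include/linux
}
src_install() {
    default
    use pax_kernel && pax-mark m "${ED}"/usr/bin/foo
}
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_EBUILD), ("good", GOOD_EBUILD)):
        for f in lint_ebuild(text):
            print(f"{name}:{f.line}: {f.code}: {f.message}")
```

Run over a tree of ebuilds by reading each file and passing its contents to `lint_ebuild`; the line-level KSRC findings point at the exact configure or make invocation to change, while PAX_MEANING is a whole-file verdict on what the flag is being used to mean.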